Which technical measures should be taken after Schrems II?

The Schrems II decision of the Court of Justice of the European Union (CJEU) earlier this year called into question international data transfers and left both controllers and processors at a deadlock.

On 11 November, the European Data Protection Board (EDPB) published Supplementary Transfer Measures Recommendations and European Essential Guarantees Recommendations. See our previous article regarding the six-step roadmap to help data exporters with the complex task of assessing data transfers to third countries.

If data exporter relies on an Article 46 GDPR transfer tool (i.e. SCCs, BCRs, etc.), it shall be assessed whether the law or practice of the third country may prevent the personal data transferred from being afforded an essentially equivalent level of protection as under the GDPR. If such an assessment revealed that relevant Article 46 GDPR transfer tool is not effective, the data exporter needs to identify and adopt effective « supplementary measures » that will ensure such protection.

What does it mean exactly?

Annex 2 of the Recommendations provides for a non-exhaustive list of supplementary measures which may supplement safeguards found in Article 46 GDPR transfer tools to ensure compliance with the level of protection required under EU law in the context of a transfer of personal data to a third country (i.e. non-EEA countries). The EDPB offers several examples of technical, contractual, and organizational supplementary measures. We will review hereunder technical measures. Another article will be dedicated to contractual and organisational measures.

It also provides for scenarios for which effective measures could not be found.

One size fits all?

The EDPB warns: some supplementary measures may be effective in some countries, but not necessarily in others. In some cases, data exporters must combine several supplementary (technical/contractual/organisational) measures.

Data exporters need to assess supplementary measures in the light of:

• the context of the transfer,
• the third country law,
• the transfer tool used.

Technical measures

Two main technical supplementary measures may – under certain circumstances – guarantee the transferred data a level of protection that is substantially equivalent to those required by EU law, namely: the encryption and the pseudonymisation.

Encryption

Encryption is considered an effective supplementary measure (for example in case of data storage for back up that do not require access to data in the clear by the data importer) as long as:

• strong encryption is used (taking into account (1) the state-of-the-art, (2) resources available to foreign authorities, (3) the period of time during which confidentiality must be preserved),
• before transmission,
• well implemented (certified and properly maintained software),
• and keys are reliably managed inside EU, EEA or in a country which has been the subject of an adequacy decision.

Pseudonymisation

Pseudonymisation is considered an effective supplementary measure as long as:

• a thorough analysis of the data in question demonstrates that it cannot be cross-referenced with any information that the public authorities of the recipient country may possess to be attributed to an identified or identifiable natural person,

… and that additional information needed to reidentify data are:

• kept separately,
• inside EU, EEA or in a country which has been the subject of an adequacy decision,
• by the data exporter,
• protected by appropriate technical and organisational safeguards.

Some things cannot be fixed …

Following EDPB, no supplementary measure can allow transfer of data accessible in the clear if the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society. For example:

• Transfer to cloud services providers or other processors which require access to data in the clear in order to execute the task assigned,
• Data available to entities in a third country for shared business purposes (e.g. in the same group of undertakings).

It is therefore unnecessary to ask whether to encrypt/pseudonymise, but only to choose between encryption or pseudonymisation to transfer data to a country that does not provide an essentially equivalent level of protection to the EU.

What about data transfer to the USA?

What we know for sure: the CJEU held that US laws (i.e. surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (E.O.) 12333) do not provide a sufficient level of protection as guaranteed by the GDPR and the EU Charter of Fundamental Rights (CFR).

Therefore, the data exporter who intends to transfer data to a U.S. data importer (e.g. a U.S.-based cloud service provider) needs to identify and adopt effective supplementary measures (such as encryption).

The EDPB does not explicitly confirm that only one of those supplementary measure is sufficient to pursue transfer to the USA. One thing is certain: EU data exporters must take greater lengths to demonstrate that they have taken into account the broad means at the disposal of the US authorities to access the data.