The European Data Protection Board (the gathering of all EU Data Protection Regulators) has now published its initial guidance on transfers out of the EEA following the Schrems II case. This recommends that exporting organisations follow a similar roadmap to the earlier one from the European Data Protection Supervisor (who regulates the EU institutions). In particular, it only applies where personal data physically leave the EEA. But the EDPB takes a significantly harder line than the EDPS where the receiving organisation is subject to the US FISA Section 702, or similar, rules. According to footnote 49 that covers: telecoms carriers, providers of electronic communications service, providers of remote computing service, and any other communication service provider with access during transmission or storage. Whereas the EDPS suggested a risk-based approach to those – prioritising large-scale, complex processing chains and sensitive data – the EDPB makes no such distinction. If “the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society”, then the exporter is responsible for ensuring adequate supplementary measures that protect against that power.
Annex 2 contains example scenarios where the EDPB considers that adequate supplementary measures might be possible, as well as those where it can see no such possibility. The former include (with paragraph numbers in parentheses):
- (79) storage of encrypted backups, where encryption and decryption keys remain within the EU;
- (80-83) transfer of effectively pseudonymised data, where keys are kept in the EU and the transferred data (along with any other information available to the receiving state authorities) cannot be used to identify or single out individuals (a high threshold!);
- (84) transit of encrypted data over the internet to a safe third country (though the requirements for “flawless implementation” and “backdoors … ruled out” will be challenging);
- (85) encrypted transfer to an organisation that is protected by law from disclosure powers. In the main text there is a reference to “children’s data”, which seems likely to be a reference to the US FERPA, so this also includes at least some US universities;
- (86) split processing by multiple parties in different jurisdictions, such that neither party nor jurisdiction can access actual content.
However, the two scenarios where the EDPB cannot envisage any measures giving adequate protection include the most common uses of Standard Contractual Clauses and Binding Corporate Rules, respectively:
- (88-89) “Transfer to cloud services providers or other processors which require access to data in the clear”; and
- (90-91) “Remote access to data for [shared] business purposes”, for example within a corporate group or joint economic activity.
The EDPB does concede that, although the requirement for data exporters to check foreign law and practice applies to all transfers that are protected by contractual safeguards (including Article 46 Model Clauses and Article 47 Binding Corporate Rules), it does not apply to transfers under Article 45 Adequacy Decisions or Article 49 Specific Derogations. The latter include “necessary for the performance of a contract” (often known as the hotel booking derogation), “compelling legitimate interests” (only for non-repetitive and small-scale transfers) and “explicit consent”, each with specific requirements that must be satisfied. For example, “explicit consent” (Article 49(a)) can only be used after the data subject has “been informed of the possible risks” of the transfer and agreed to them. This might work, for example, where a user requests out-of-hours support from a cloud provider (the EDPB explicitly states that non-EEA support access to data in an EEA-hosted cloud is an “export”), if consent took the form of offering the user a choice between immediate support from a jurisdiction without adequate protection or office-hours support from within the EEA.
These Article 49 derogations were designed to be used only for occasional, ad hoc transfers, with Articles 46 and 47 covering regular and larger-scale ones. There seems to be a significant risk that the EDPB’s hard line on the routine provisions may have the counter-productive effect of forcing organisations to push the boundaries of the ad hoc ones, as has previously happened with “necessary”, “consent” and “legitimate interests”.
These are draft guidelines, so it’s possible there may be some relaxation in the final version. We also don’t know how individual national regulators will respond. But with the test for non-EEA legal systems being set so high (higher than several EU member states could attain, according to the European Law Blog) the tendency does seem to be strongly towards “data localisation” where European personal data must remain within Europe.
This raises a particular problem for the UK, post-Brexit. Onward transfers are a particular focus of both the Schrems II judgment and the EDPB guidance. If the UK does not follow EDPB guidance on limiting transfers from the UK out of the EEA, then it increases the likelihood that that guidance will be applied to limit transfers to the UK from the EEA.