EDPB issues draft guidance on supplemental measures for data transfers following Schrems II

By PrivSec Report2020-11-13T11:21:00+00:00

No comments

The European Data Protection Board (EDPB) has recommended measures to supplement personal data transfer tools to ensure compliance with EU standards when transferring data to non-EU “third countries”.

Following the Schrems II ruling, which struck down the Privacy Shield between the US and EU in July, many controllers have been relying on Standard Contractual Clauses (SCCs) as a tool for data transfers outside the EU.

Where SCC safeguards alone are not sufficient, supplementary measures are allowed in order to guarantee those equivalent personal data protections. But until now, data exporters have been waiting for clarity as to what these may look like.

The recommendations, released by the EDPB on November 10 and now set for public consultation, set out a “roadmap” for data exporters to establish whether supplementary measures are necessary and identify effective measures (see steps below)

The guidance contains a selection of use-case scenarios of supplementary measures and required conditions. Ultimate responsibility, however, still lies with the data exporters themselves, and such measures may not always be possible.

On the same day, the EDPB also provided recommendations, styled the “European Essential Guarantees”, for determining whether third country laws allowing access to data for the purposes of surveillance constitute a “justifiable interference” with privacy and personal data protections, and would therefore be GDPR-compliant.

Since July’s decision, controllers using SCCs must establish whether the law of the third country in question ensures equivalent personal data protection to that of the European Economic Area.

Verification must be done on a case-by-case basis, in collaboration with the third country recipient, if appropriate.

EDPB roadmap steps

Step one advises exporters to map and know their transfers, and ensure data transferred is “adequate, relevant and limited to what is necessary” for the purposes for which it is being transferred.
Step two is to verify the transfer tool the transfer relies on. If an adequacy decision with the intended data destination is not in place, the exporter must rely on one of the transfer tools listed under GDPR Article 46 for regular and repetitive transfers.
Step three is to identify any laws or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on on, in the context of the specific transfer.
If the assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool relied upon for the transfer, step four is to identify and adopt supplementary measures to bring the level of data protection up to the EU standard of essential equivalence.
Step five is to take necessary formal procedural steps that the adoption of the chosen supplementary measure may require, depending on the Article 46 GDPR transfer tool relied upon.
Step six is to re-evaluate the protected of the transferred data at appropriate intervals and any developments that may affect it.

Topics

No comments

Article
US utilities struggling to meet demand of energy-thirsty AI

2024-04-19T11:53:00Z

In the US, demands for power are outstripping availability as energy-thirsty technologies such as generative AI pile pressure on national electrical systems.
Article
Banks poised for increased risk due to AI

2024-04-19T09:06:00Z

A leading banking regulator has issued a stern warning over the risks that financial institutions face as they move to integrate artificial intelligence (AI) and machine learning (ML) into governance operations.
News
Chicago Gears Up for GRC Connect: Sharpen Skills, Network, and Navigate the Future of GRC

2024-04-15T11:39:00Z By Jonathan Sumner, Chief Digital & Marketing Officer, GRC World Forums.

Get ready, Chicago! GRC Connect kicks off tomorrow, bringing together the brightest minds in governance, risk management, and compliance (GRC) for two days of insightful learning, valuable networking opportunities, and expert guidance on navigating the ever-evolving GRC landscape.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Legal & Regulation

Article
New bill proposes US federal data privacy framework

2024-04-12T12:58:00Z

Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Committee Chair Cathy McMorris Rodgers have unveiled the American Privacy Rights Act.
Article
US citizens want stronger AI laws

2024-04-12T09:32:00Z

Concerns over personal privacy are intensifying among US citizens in the face of rapid AI tech development, a new study shows.
Article
Bloomberg seeks dismissal of copyright AI training lawsuit

2024-03-28T10:35:00Z

A New York federal judge has been asked by Bloomberg LP to throw out of court a lawsuit brought by the governor of Arkansas and other writers, in a dispute that highlights the delicate evolution of AI regulation.