Transfers of Personal Data to Third Countries after the Schrems II CJEU Decision

The operation of having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data (C-311/18 (Schrems II), paragraph 83).

Articles 44-50 of the GDPR provide the conditions for the transfer of data to third countries, with the aim to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (recital 101 and article 44 of the GDPR).

Specifically, a level of protection of natural persons essentially equivalent to that guaranteed within the European Union by the GDPR, read in the light of the Charter, must be guaranteed (C-311/18 (Schrems II), paragraphs 92 and 93).

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country, including for onward transfers of personal data from the third country to another third country, shall take place only if:

  • the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection (article 45 § 1 of the GDPR);
  • in the absence of such an adequacy decision, the controller or processor has provided appropriate safeguards (article 46 of the GDPR); or
  • in the absence of both, one of the derogations for specific situations applies (article 49 of the GDPR).

Definitions

“Binding corporate rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity (article 4 § 20 of the GDPR).

“EEA” means the European Economic Area and it includes the Member States of the European Union and Iceland, Norway and Liechtenstein. The GDPR applies to the latter by virtue of the EEA Agreement, in particular its Annex XI and Protocol 37.

“The Charter” refers to the Charter of Fundamental Rights of the European Union, OJ C 326, 26.10.2012, p. 391–407.

“Third country” means any country that is not a Member State of the EEA.

Third Countries with EC Adequacy Decisions

The European Commission has the power to determine, on the basis of article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • A proposal from the European Commission;
  • An opinion of the European Data Protection Board;
  • An approval from representatives of EU countries;
  • The adoption of the decision by the European Commission.

The European Commission has so far recognised the following countries as providing adequate protection[1]:

  • Andorra;
  • Argentina;
  • Canada (commercial organisations);
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Switzerland;
  • Uruguay;
  • United Kingdom;
  • South Korea (forthcoming).

Transfers Subject to Appropriate Safeguards

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided one of the following appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (article 46 of the GDPR):

  • Binding corporate rules;
  • EC or Supervisory Authority standard data protection clauses (“SCCs”);
  • Codes of conduct; or
  • Certification mechanisms.

These safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default (recital 108 of the GDPR).

The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses (recital 109 of the GDPR).

When personal data moves across borders outside the Union, it may put at increased risk the ability of natural persons to exercise data protection rights, in particular to protect themselves from the unlawful use or disclosure of that information (recital 116 of the GDPR). The controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred, so that they will continue to benefit from fundamental rights and safeguards (recital 114 of the GDPR).

Third Country Data Transfers’ Derogations

In the absence of an adequacy decision or of appropriate safeguards, data transfers to third countries shall take place only on one of the following conditions (article 49 § 1 of the GDPR):

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where none of the above derogations is applicable, a transfer to a third country or an international organisation may take place only if all of the following conditions are fulfilled (article 49 § 1 of the GDPR):

  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject;
  • the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data;
  • the controller informs the supervisory authority of the transfer; and
  • the controller informs the data subject of the transfer and of the compelling legitimate interests pursued.

Accountability in Data Transfers

It is the responsibility of the data exporter to verify, on a case-by-case basis and, where appropriate, in collaboration with the importer of the data, whether the law of the third country of destination ensures an essentially equivalent level of protection, under EU law, of personal data transferred pursuant to SCCs, by providing, where necessary, supplementary measures to those offered by those clauses (C-311/18 (Schrems II), paragraph 134).

Data exporters are expected to appropriately document this assessment and the supplementary measures they select and implement and make such documentation available to the competent supervisory authority upon request (articles 5 § 2 and 28 § 3 h’ of the GDPR).

Exporters of data are required to manage and assess transfers to third countries according to the following steps (EDPB, Rec. 01/2020):

  1. Mapping of Data Transfers: Mapping needs to be conducted before transfer takes place. When mapping transfers, do not forget to also take into account onward transfers. In line with the GDPR principle of “data minimisation”, verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Remote access or storage in a cloud is also considered a transfer.
  2. Identification of Transfer Tools: Any transfer to a third country is required to be based on (a) an adequacy decision or (b) appropriate safeguards or (c) derogations.
  3. Data Transfer Impact Assessment (“DTIA”): If there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied upon, the exporter is required to assess whether the protection afforded to the transferred personal data in the third country is essentially equivalent to that guaranteed in the EEA by the GDPR, read in light of the Charter of Fundamental Rights of the EU (see C-311/18 (Schrems II), paragraph 183 in conjunction with paragraph 184).
  4. Identification & Adoption of Supplementary Measures: If the DTIA reveals that the respective article 46 GDPR transfer tool is not effective, then the exporter will need to consider, where appropriate in collaboration with the importer, if supplementary measures exist, which, when added to the safeguards contained in transfer tools, could ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU.
  5. Execution of Formal Procedural Steps: Depending on the transfer tool put in place, procedural steps may have to be taken to implement the chosen supplementary measures.
  6. Re-Evaluation of Transfer: Monitoring, on an ongoing basis, and where appropriate in collaboration with data importers, the developments in the legislation and practices in the third country is essential to ensure that the importer has not breached, and remains able to honour, the commitments it has taken in the respective transfer tool, and that the supplementary measures are still effective in that third country.

Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned (C-311/18 (Schrems II), paragraph 135).

Data Transfer Impact Assessments

In its Schrems II decision, the CJEU stresses that before transferring personal data to a third country, it is the data exporters’ and data importers’ responsibility to assess whether the legislation of the third country of destination enables the data importer to comply with the guarantees provided through the transfer tools in place. If this is not the case, it is also the exporter’s and the importer’s duty to assess whether they can implement supplementary measures to ensure an essentially equivalent level of protection as provided by EU law. The accountability mechanism to conduct such an assessment is the Data Transfer Impact Assessment (“DTIA”).

The main elements of a DTIA may be laid down as follows:

  • Characteristics of the data transfer (exporters, importers, countries, categories of data, categories of data subjects, purposes of transfer, onward transfers, technical and organisational measures (TOMs) applied);
  • Legal basis of data transfer;
  • Third country legislation and public bodies’ access practices;
  • Compliance of third country legislation and practices with European Essential Guarantees;
  • Assessment of the necessity to take supplementary measures and determination of such measures.

The DTIA must take into account elements concerning access to data by public authorities of the third country of the importer such as (C-311/18 (Schrems II), paragraphs 174 and 187):

  • Elements on whether public authorities of the third country may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedents;
  • Elements on whether public authorities of the third country may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.

The obligations or powers resulting from such laws and practices will be considered to impinge on, or be incompatible with, the commitments of the Article 46 GDPR transfer tool if they (EDPB, Rec. 02/2020, p. 17):

  • Do not respect the essence of the fundamental rights and freedoms of the EU Charter of Fundamental Rights, or
  • Exceed what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in Union or Member State law, such as those listed in Article 23 (1) GDPR.

In particular, limitations to the data protection and privacy rights recognised by the Charter imposed by legislation or practices of third countries may be deemed justifiable if they comply with the four European Essential Guarantees set out below (EDPB, Rec. 02/2020, p. 8):

  1. Processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  3. An independent oversight mechanism should exist.
  4. Effective remedies need to be available to the individual.

Regarding the principle of proportionality, the Court held, in relation to Member State laws, that the question as to whether a limitation on the rights to privacy and to data protection may be justified must be assessed, on the one hand, by measuring the seriousness of the interference entailed by such a limitation (La Quadrature du Net and others, § 187) and, on the other hand, by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness (La Quadrature du Net and others, § 131).

Regarding the principle of necessity, the CJEU has made clear that legislation “authorising, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union (…) without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to the data and its use entail”, does not comply with that principle (Schrems I, § 93). In particular, laws permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (Schrems I, § 94).

In light of uncertainties surrounding the potential application of problematic legislation to the transfer, the exporter may then decide to (EDPB, Rec. 02/2020, p. 17-18):

  • Suspend the transfer;
  • Implement supplementary measures to prevent the risk of laws and/or practices of the third country, which are capable of impinging on the transfer tool’s contractual guarantees of an essentially equivalent level of protection to that guaranteed in the EEA; or
  • Proceed with the transfer without being required to implement supplementary measures, if there is no reason to believe that relevant and problematic legislation will be applied, in practice, to transferred data and/or importer.

Supplementary Measures

Article 46 GDPR appropriate safeguards are mainly of a contractual nature that may be applied to transfers to all third countries. The situation in the third country may, therefore, still require that appropriate safeguards are supplemented with additional measures (“supplementary measures”) to ensure an essentially equivalent level of protection (EDPB, Rec. 01/2020, p. 13).

Data exporters may need to supplement the guarantees contained in EC Standard Data Protection Clauses with supplementary measures to ensure compliance with the level of protection required under EU law in a particular third country (C-311/18 (Schrems II), paragraphs 132 and 133).

The following non-exhaustive list of factors is useful to identify which supplementary measures would be most effective in protecting the data transferred (EDPB, Rec. 02/2020, p. 22):

  • Format of the data to be transferred (e.g. plain text, pseudonymised or encrypted);
  • Nature of the data (e.g. a higher level of protection is afforded in the EEA to categories of data covered by articles 9 and 10 GDPR);
  • Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them (e.g. do the transfers involve multiple controllers or both controllers and processors, or involvement of processors which will transfer the data from the exporter to the importer considering the relevant provisions applicable to them under the legislation of the third country of destination);
  • Technique or parameters of practical application of the third country law;
  • Possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g. involvement of sub-processors of the data importer).

An indicative list of supplementary measures is as follows (EDPB, Rec. 02/2020, Annex 2):

  • Technical Measures: (i) Data storage for backup and other purposes that do not require access to data in the clear; (ii) Transfer of pseudonymised data; (iii) Encryption of data in transit; (iv) Protected recipient; (v) Split or multi-party processing.
  • Contractual Measures: (i) Providing for the contractual obligation to use specific technical measures; (ii) Transparency obligations; (iii) Obligations to take specific actions; (iv) Empowering data subjects to exercise their rights.
  • Organisational Measures: (i) Internal policies for governance of transfers especially with groups of enterprises; (ii) Transparency and accountability measures; (iii) Organisation methods and data minimisation measures; (iv) Adoption of standards and best practices.

Transparency / Accountability Requirements and Data Subjects’ Rights

Whether or not personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject, among others, with information about the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available (articles 13 § 1 f’ and 14 § 1 f’ of the GDPR).

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information, among others, on the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (article 15 § 1 c’ of the GDPR). Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer (article 15 § 2 of the GDPR).

Each controller or processor and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain, among others, information regarding transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards (article 30 § 1 e’ and 2 c’ of the GDPR).

Resources

Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, available: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

CJEU, Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, C-311/18 (Schrems II), available: https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3690837.

EDPB, Recommendation 01/2020 on measures that supplement transfer tools to confirm compliance with EU standards for protection of personal data, 18 June 2021, available: https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.

EDPB, Recommendation 02/2020 on the European Essential Guarantees for surveillance measures, 10 November 2020, available: https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.

EDPS, Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ Ruling, 29 October 2020, available: https://edps.europa.eu/data-protection/our-work/publications/papers/strategy-union-institutions-offices-bodies-and_en.

[1] Further information available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.