Highlights of EDPB Schrems II Guidance on Supplementary Measures
Five lawful use cases were identified by the European Data Protection Board (EDPB) in its recently released Recommendations 01/2020 on supplementary measures, issued in response to the Schrems II ruling. Organisations have been eagerly awaiting this guidance, particularly with regard to what kinds of additional safeguards could be applied to data to allow cloud processing and global data transfers to lawfully continue. In the five use cases set out by the EDPB, specific supplementary measures can make ongoing processing of EU personal data compliant with the Schrems II ruling. The guidance also covers two further use cases, both highly prevalent in practice, for which it currently sees no effective supplementary measures and in which the processing is therefore no longer GDPR-compliant.
The guidance makes clear that encryption, GDPR-compliant pseudonymisation, and split or multi-party processing are viewed as sufficient technical measures to support particular types of processing in non-EEA countries, showing organisations a way forward. However, it is now equally clear that using a non-EEA cloud service provider or other processor to process EU personal data in the clear is unlawful, because the EDPB cannot envisage any technical safeguard that would be sufficient once the importer needs access to the clear text. A large community of Schrems II “followers” has sprung up around this issue, as global organisations have faced the prospect of their data transfers being stopped if found non-compliant. The EDPB guidance now points to a path forward, in which specific additional safeguards for defined use cases have been set out.
Five Schrems II Lawful Use Cases
The five lawful use cases outlined by the EDPB are as follows. Each sets out how technical measures can be applied so that certain processing activities can continue in non-EEA countries.
- Data Storage For Backup And Other Purposes That Do Not Require Access To Data In The Clear – where data is strongly encrypted before transfer and stored for backup purposes only (not for other processing), and the keys necessary to decrypt it are retained solely under the control of the data exporter in the EEA or in a third country offering an essentially equivalent level of protection. The EDPB expects the encryption algorithm and its parameters (key length, mode of operation) to be state of the art and robust against cryptanalysis by the public authorities of the recipient country for as long as the data must stay confidential. [pg. 22]
- Transfer Of Pseudonymised Data – where the personal data transferred is pseudonymised in compliance with the heightened requirements of GDPR Article 4(5): the data can no longer be attributed to a specific data subject without the use of additional information, and that additional information is kept separately by the data controller in the EEA or in a third country offering an essentially equivalent level of protection. The data must also be subject to technical and organisational measures that ensure it cannot be attributed to an identified or identifiable natural person without access to the additional information, even when cross-referenced with other information the public authorities of the recipient country may possess. [pg. 23]
- Encrypted Data Merely Transiting Third Countries – where a data exporter routes encrypted personal data via a third country to a destination in the EEA or in a third country offering an essentially equivalent level of protection, and no further processing occurs in the transit country. [pg. 24]
- Protected Recipient – where a data exporter transfers personal data to a data importer for a purpose that is specifically protected by the recipient country’s law, such as jointly providing medical treatment to a patient or legal services to a client, so that the data is shielded by that protection (for example professional secrecy) from access by the recipient country’s public authorities. [pg. 25]
- Split Or Multi-Party Processing – where an EU data exporter splits the data in such a way that no individual data importer (processor) receives sufficient information to reconstruct the personal data in whole or in part. The data exporter receives the result of the processing from each of the processors independently and merges the pieces to arrive at the final result, which may constitute personal or aggregated data. [pg. 25]
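As an added illustration, not part of the EDPB recommendations or the original article, the following Python sketch shows two of the measures above in working form: keyed pseudonymisation for the pseudonymised-transfer use case, where the secret key is the “additional information” that stays with the controller in the EEA and only pseudonyms leave, and additive secret sharing for the split-processing use case, where each importer works on shares from which no value can be recovered and the exporter merges the partial results. The records, the field modulus and the helper names are constructed for this example and are not taken from any real system.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample records for this example (fictional people, not real data).
RECORDS = [
    {"email": "alice@example.org", "salary": 52000},
    {"email": "bob@example.org", "salary": 61000},
    {"email": "carol@example.org", "salary": 47000},
]


# ---- Pseudonymised transfer: a key the controller keeps ----------------------
# The "additional information" of GDPR Art. 4(5) is the secret key. It is
# generated and held by the controller in the EEA; only pseudonyms are exported.

def make_pseudonymisation_key() -> bytes:
    """Secret retained by the controller; never shipped to the importer."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable per key, not reversible without it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def weak_pseudonymise(identifier: str) -> str:
    """Unkeyed hash, included only as the anti-pattern: reversible by dictionary."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_reidentify(pseudonym: str, candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Optional[str]:
    """What an importer or authority can do with guessable identifiers and no secret."""
    for candidate in candidates:
        if fn(candidate) == pseudonym:
            return candidate
    return None


def export_pseudonymised(records: List[dict], key: bytes) -> List[dict]:
    """Dataset as it would leave the EEA: direct identifier replaced, key kept home."""
    return [{"pid": pseudonymise(r["email"], key), "salary": r["salary"]}
            for r in records]


# ---- Split / multi-party processing: additive secret sharing -----------------
# Each processor receives one share per record, computes its partial result on
# those shares alone, and the exporter adds the partials. A single share is
# uniformly random modulo P, so neither processor learns any salary.

P = 2**61 - 1  # prime modulus chosen for the example; totals must stay below P


def split_value(value: int) -> Tuple[int, int]:
    """Split one integer into two random additive shares modulo P."""
    share_a = secrets.randbelow(P)
    share_b = (value - share_a) % P
    return share_a, share_b


def split_dataset(values: Iterable[int]) -> Tuple[List[int], List[int]]:
    """Shares destined for processor A and processor B, respectively."""
    shares_a, shares_b = [], []
    for v in values:
        a, b = split_value(v)
        shares_a.append(a)
        shares_b.append(b)
    return shares_a, shares_b


def processor_sum(shares: Iterable[int]) -> int:
    """Work done by one importer on its shares alone."""
    return sum(shares) % P


def merge_results(partial_a: int, partial_b: int) -> int:
    """Exporter in the EEA recombines the two partial results."""
    return (partial_a + partial_b) % P


def aggregate_salary_via_split(records: List[dict]) -> int:
    """End to end: split, let each processor compute, merge. Returns the total."""
    shares_a, shares_b = split_dataset(r["salary"] for r in records)
    return merge_results(processor_sum(shares_a), processor_sum(shares_b))


if __name__ == "__main__":
    key = make_pseudonymisation_key()
    print(export_pseudonymised(RECORDS, key))
    print("total salary via split processing:", aggregate_salary_via_split(RECORDS))
```

Two caveats follow directly from the EDPB conditions quoted above. The keyed pseudonym only protects the direct identifier; the remaining attributes of each exported record (here a salary, in practice often dates, locations or job titles) still have to be assessed for whether they can be combined with information the recipient country’s authorities hold to single a person out, and the unkeyed variant is shown precisely because a hash of a guessable identifier is not pseudonymisation in the Article 4(5) sense. Additive sharing as written supports sums and averages; any processing beyond linear aggregates needs a full multi-party computation protocol, and the split-processing use case still requires that the two importers cannot collude or be compelled to pool their shares.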
Two Schrems II Unlawful Use Cases
The EDPB also included two use cases in which data processing would be unlawful.
- Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear – the EDPB does not currently envision that technical measures (other than measures enumerated in Use Cases 1-5) could enable a data exporter to lawfully use a non-EEA cloud service provider or other processor to process clear text EU personal data according to the data controller’s instructions in a third country. However, the EDPB does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear. [pg. 26]
- Remote Access to Data for Business Purposes – the EDPB does not currently envision that technical measures (other than measures enumerated in Use Cases 1-5) could enable a data exporter to lawfully make personal data available to entities in a third country to be used for shared business purposes. [pg. 27]
Schrems II Community
Legal and privacy professionals have been keenly aware of the critical need to balance the fundamental rights of data subjects against the legitimate data processing objectives of the organisations they work for. In response to Schrems II uncertainty, a virtual community of over 3,400 General Counsel and senior privacy professionals was created in only three weeks, representing more than 1,700 organisations from over 60 countries, as proof of the overwhelming need for further guidance.
This community was created from two webinars held on the 8th and 29th of October, the first of which featured Anna Buchta from the European Data Protection Supervisor (EDPS) and Romain Robert from Max Schrems’ organisation NOYB, during which more than 1,000 questions were posed by participants. As noted in this press release, after the webinar “90% of the participants stated that they are now aware that their organisation must create a defensible business position by using new Additional Safeguards.” Following these webinars, we received hundreds of requests for briefings on how to create a defensible business position using Additional Safeguards.
Now that EDPB guidance has been released, privacy professionals will be able to more clearly understand which specific additional safeguards can help to bring their organisation in line with Schrems II requirements. In addition, clearly-defined use cases as described by the EDPB can reassure organisations as to what not to do, and how to avoid penalties being imposed due to non-compliant data processing.
In response, we set up a SchremsII.com/briefing portal which includes excerpts from the webinars, including highlights from the EDPS and NOYB, plus additional content that expands the education process and makes it more accessible for participants to review at their own pace.
Pre-Register for the Schrems II Virtual Briefing Portal at: SchremsII.com/briefing
Additional Highlights [Excerpted Quotes from EDPB Guidance with page citations]
- The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. [pg. 7]
- Controllers and processors must seek to comply with the right to data protection in an active and continuous manner by implementing legal, technical and organisational measures that ensure its effectiveness. Controllers and processors must also be able to demonstrate these efforts to data subjects, the general public and data protection supervisory authorities. This is the so-called principle of accountability. [pg. 7]
- Keep in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer. More specifically, if you are using an international cloud infrastructure you must assess if your data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries. [pg. 9]
- If you are already conducting transfers, you are required to suspend or end the transfer of personal data. Pursuant to the safeguards contained in the Article 46 GDPR transfer tool you are relying on, the data that you have already transferred to that third country and the copies thereof should be returned to you or destroyed in their entirety by the importer. [pg. 16]
- If you decide to continue with the transfer notwithstanding the fact that the importer is unable to comply with the commitments taken in the Article 46 GDPR transfer tool, you should notify the competent supervisory authority in accordance with the specific provisions inserted in the relevant Article 46 GDPR transfer tool. The competent supervisory authority will suspend or prohibit data transfers in those cases where it finds that an essentially equivalent level of protection cannot be ensured. [pg. 17]
- When you intend to put in place supplementary measures in addition to SCCs, there is no need for you to request an authorisation from the competent SA to add these kind of clauses or additional safeguards as long as the identified supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined. [pg. 17]
- Adoption of strict data security and data privacy policies, based on EU certification or codes of conducts or on international standards (e.g. ISO norms) and best practices (e.g. ENISA) with due regard to the state of the art, in accordance with the risk of the categories of data processed and the likelihood of attempts from public authorities to access it. [pg. 37]
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.