On June 21, 2021, the European Data Protection Board (“EDPB”) finally released the much-anticipated “Final Recommendations on Complementary Measures for Cross-Border Transfers of Data” (“Final Recommendations”). Why “finally”? First, a quick review of the timeline.
On July 16, 2020, the judgment of the Court of Justice of the European Union in the Schrems II case found that the EU Standard Contractual Clauses (“SCC”) remain valid, but that both the data exporter and the data importer are obliged to: (1) assess whether the law of the receiving country can ensure protection of the transferred data, and (2) have the recipient adopt “supplementary measures” that achieve a level of protection “substantially equivalent” to that of the EU. Otherwise, the cross-border transfer of the data is prohibited. [See: Data Cross-Border Flow | The logic behind the invalidation of the US-EU Privacy Shield Agreement] [See: Data Cross-Border Flow | EU EDPB’s Q&A on the invalidation of the EU Privacy Shield Agreement (full text translation)]
When the verdict came out, everyone was stunned. First, enterprises, especially small enterprises, may not have in-house legal counsel. How are they supposed to evaluate the laws of a foreign country? If the European Commission has already identified the 13 countries that are “whitelisted” (that is, have an “adequacy” decision), shouldn’t it simply be presumed that other countries do not meet EU requirements? Why do companies need to carry out their own evaluation over and over? In addition, what if the EU regulator does not agree with the conclusion of the company’s own assessment? After all, the European Court of Justice has twice overturned the European Commission’s determination on US law. Second, what exactly are “supplementary measures”? [See: Cross-border flow of data | Irish DPA is about to ban Facebook’s cross-border data transfer, and Cross-border data flow | Irish High Court temporarily allows Facebook to continue trans-Atlantic transfer of personal data] [See: Data cross-border flow | Germany’s Baden-Württemberg DPA took the lead in explaining the “additional safeguards” supporting SCC, and Cross-border flow of data | Chinese companies’ basic strategy for cross-border data flow based on SCCs].
On November 10, 2020, the EDPB issued draft guidelines on the above two issues and publicly solicited comments. The most vocal opposition targeted the “Draft Recommendations on Supplementary Measures”, especially its use cases 6 and 7. Read literally, those cases meant that the EU might not allow EU personal data to be transferred to countries such as the US, Russia or India, because government access to data in those countries could result in a level of privacy protection that falls short of EU requirements and cannot be remedied by any technical, organizational or contractual measure a business could adopt. As a consequence, even internal corporate data (e.g. HR records, business customer contacts) could not flow across borders, and cloud service providers could not process data outside the EU. [See: Data flow across borders | EDPB’s guidance on “supplementary measures” beyond standard contractual clauses is finally available]
The public comment window on the “Draft Recommendations on Supplementary Measures” was repeatedly extended, and during that time hundreds of companies and industry associations, as well as the Ministries of Justice of the Netherlands and Denmark, publicly criticized the draft.
On June 21, 2021, the “Final Recommendations on Supplementary Measures” were finally published.
The “Final Recommendations” lay out the main line of the “six-step method”, as shown in the following figure:
As mentioned above, use cases 6 and 7, the ones the legal departments of multinational companies were most concerned about, have finally been loosened: if the company can demonstrate that the law in question does not apply in practice to its cross-border scenario, then the supplementary measures remain effective and the data can still be transferred across borders. See the figure below:
Readers familiar with the “Draft Recommendations on Supplementary Measures” will notice that the EDPB has added back the “subjective factors” that it had flatly rejected before. [In September last year the US Department of Justice and the intelligence community jointly issued a white paper claiming that most EU data transferred to the United States has no intelligence value and is of no interest to US agencies. The EDPB replied, in effect: you say it has no value, so what? Enterprises cannot rely on that to conclude there is no potential risk.] The EDPB has clearly made a compromise towards the United States on this point: even if the law may not meet EU standards, as long as the exporter can demonstrate that the legal provisions or the practice under them do not apply to the transferred data, “supplementary measures” may not even be required. Compared with the EDPB’s earlier insistence that all supplementary measures are useless in the face of public authority, this is undoubtedly an escape route that the EU has opened for US companies, and the EDPB even provides a worked example using the much-maligned US FISA Section 702.
However, to demonstrate that “the law in question does not apply to this data transfer scenario”, enterprises must satisfy very onerous substantive and formal obligations laid down by the EDPB, which I summarize as follows:
The burden of proof lies with the enterprise, and the entire evaluation must be documented in a detailed report covering (1) the assessment of the relevant law and practice in relation to the transferred data; (2) the enterprise’s evaluation process and the roles involved, such as law firms, consultants, the DPO, etc.; and (3) the date of the assessment and the dates of subsequent periodic reviews, so that it can be produced on request of EU regulators in the future.
The enterprise must demonstrate, on the basis of legal interpretation, that the law in question does not apply to the scenario;
The enterprise must demonstrate, on the basis of its own practice, that the law in question does not apply to the scenario, for example whether it has received government data access requests, and whether it is prohibited from disclosing any requests received;
The enterprise must also assess, at the level of the industry as a whole, that the law in question does not apply to the scenario. In short, if you say that you have never received a government access request but your peers have, then your assessment is also called into question.
As to the evaluation criteria, for the assessment of both legal interpretation and practice the EDPB requires the information to be “relevant, objective, reliable, verifiable and publicly available”, emphasizing that it must be capable of verification and inspection by EU regulatory agencies. The sources of information are listed in Annex 3 and fall roughly into several categories: (1) determinations, judgments and resolutions from the EU; (2) case law, judicial decisions and parliamentary reports of the importing country; (3) reports from NGOs, chambers of commerce and civil rights organizations; (4) the enterprise’s transparency report, which must clearly state that no government data access request has been received; and (5) the importer’s internal statements and records showing that no government access request has been received for a sufficiently long period of time, certified by an internal audit or by the DPO.
Finally, to summarize the list of corporate compliance actions: in order to facilitate the transfer of data from the EU to China, a data importer located in China can work with the exporter on the following:
Carry out an overall assessment of China’s legal framework in advance. The laws involving government data access, such as the Personal Information Protection Law, the Civil Code and the Criminal Procedure Law, should all be covered. It is also advisable to include the several laws that the European Parliament frequently pays attention to. This is a task best entrusted to professionals;
Ask the exporter to describe the data flow scenarios, such as: the purpose of the transfer and processing (marketing, HR, storage, IT support, medical diagnosis); the type of entity processing the data (public, private); the sector in which the transfer occurs (telecom, advertising, finance); the type of data transferred (e.g. children’s data); physical transfer or remote access; the format of the transferred data (cleartext, anonymized, encrypted); and whether onward transfers are possible.
Based on the specific scenarios, complete the assessment of practice, covering both the importer itself and its industry. The sources of the assessment information must be cited so that the assessment is “relevant, objective, reliable, verifiable and publicly available” and can be verified and inspected by EU regulatory agencies in the future;
Once the report is complete, archive it together with the corresponding data flows, and assign a person responsible for subsequent re-evaluation.
Last but not least, whatever the conclusion of the legal assessment, companies should at the same time adopt “supplementary measures”, such as data encryption and back-to-back commitments in contracts.