International personal data transfer is an integral part of most organizations’ everyday business activities. For example, your company could store your customers’ personal data in a cloud service hosted in another country. Or you could hold an employee’s personal data in a subsidiary based in another country.
With the rise of data protection laws, data trade has become more complex for companies in the EU.
This blog post aims to make data transfer easy to understand and collect all relevant information in one place. We start with a short introduction to the EU’s data protection initiatives and how data transfers have been handled throughout the years. Then, you can learn about the newest recommendations that you should follow when sending data to other countries. These recommendations will make it easier to ensure that all your transfers are GDPR compliant.
What is Schrems II, and what does it have to do with cookies?
The story of Schrems II starts on May 25th, 2018, when the GDPR was put into effect. The main goal of GDPR is to protect Europeans’ personal data by controlling the processing of it and letting them define and have a say in what happens to their data. The consent part of GDPR is specifically essential for achieving this goal. It implies that it’s the companies’ responsibility to communicate to their website visitors what cookies they have on the website, what data is being collected, and for what purpose.
But what about doing business with companies outside the EU? If the authorities decided to protect people’s data, this shouldn’t stop at the European frontiers. Every company and country must respect and protect the data regardless if it’s in the EU or not. For example, many European companies send data to the US. For this reason, in GDPR, it’s written that:
"international agreements involving the transfer of personal data to third countries or an international organization" need to "comply with Union law"
In short, companies or countries must write and sign an agreement with the EU to receive data and treat it under the data protection law.
On July 8th , 2016, EU member states’ representatives approved the final version of the agreement on data transfers between EU and US – Privacy Shield Framework. 4,646 American organizations signed a document stating that when they receive data from the EU, they will treat it under the GDPR. However, every European company must be aware of where the personal data goes to ensure that it’s given an essentially equivalent level of protection wherever it is processed.
The leading player in this decision was the consent section in the GDPR.Now, website visitors can decide how their data is collected and processed, meaning that users that reject cookies will generate anonymized data, on which neither European nor American companies can act.
Max Schrems – an Austrian activist and lawyer, read the Privacy Shield Framework and analyzed how data transfers are performed under the agreement. Something was wrong. The National Security Agency in the US could request and receive any data available on the American territory. Therefore, the essential equivalent level of data protection was not guaranteed.
Since July 16th, 2020, the Privacy Shield Framework is not valid anymore. The ECJ (European Court of Justice) decided that US regulations’ limitations on personal data protection didn’t meet the requirements of “essential equivalence” with EU law. This judgment is famously known as Schrems II. As a result of the ruling, companies like Facebook and Google started to invest in building data centers in the EU.
GDPR has a section explaining what should happen in the case of the absence of an agreement such as Privacy Shield:
"In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject."
Today, it’s companies’ responsibility to ensure that the data transfer follows the SCCs (Standard Contractual Clauses). The new version of the SCCs reflects new requirements under the GDPR and takes into account the Schrems II judgment of the ECJ, ensuring a high level of data protection for citizens.
Why is it important for you to know about the new EDPB (European Data Protection Board) recommendations?
As mentioned before, data controllers and processors are responsible for assuring that the transfer tools of the third country correspond with the GDPR requirements. Their task is to assess the third countries and identify appropriate supplementary measures where needed. The EDPB (European Data Protection Board) put together these recommendations to help exporters (be they controllers or processors, private entities, or public bodies, processing personal data within the scope of the GDPR) with this complex task. These recommendations include a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
What are EDPB’s recommendations?
- Know your transfers
- Identify the transfer tools you’re relying on
- Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
- Adopt supplementary measure
- Procedural steps if you have identified effective supplementary measures
- Re-evaluate at appropriate intervals
Step 1: Know your transfers
If you want to transfer data outside of the EU, you must keep an eye on each transfer. This step is essential because the exporter must apply supplementary measures if the level of data protection of the receiving country doesn’t correspond with the GDPR requirements.
Mapping out all your transfers can require effort, and it’s time-consuming. Our Compliance Dashboard can do this for you. Try it for free!
Step 2: Identify the transfer tools you are relying on
After mapping the transfers of data you are involved in, the next step is to identify the transfer tools you rely on. If you find out in the first step that you’re sending data to countries without an EU adequacy agreement, you need to ensure that you use the proper transfer tools. They may include:
- Reliance on an adequacy decision;
- Article 46 GDPR transfer tools; (for example a legally binding and enforceable instrument between public authorities or bodies);
- Derogations;
There is no need for any further actions for the transfers made to countries with an EU adequacy agreement.
Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
In the third step, you must assess if there is anything in the law or practices of the third country that may affect the effectiveness of the transfer tools in the specific transfer.
Examining these practices will be especially relevant for your assessment where:
- The legislation in the third country is not applied in practice;
- The third country lacks relevant legislation compatible with the transfer tool;
- Your importer falls or might fall within the scope of problematic legislation (a legislation that goes against GDPR requirements);
In the first two situations, you will need to stop the data transfer or implement supplementary measures. In the third situation, you can also decide to proceed with the transfer without implementing supplementary measures.
In this case, you must demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice.
You can find possible sources of information to assess third countries in the official EDPB document in Annex 3.
Step 4: Adopt supplementary measures
The fourth step is to identify and adopt supplementary measures that are necessary to bring the level of data protection transferred up to the EU standard of essential equivalence.
This step is required only if your transfer falls into one of the three situations mentioned before.
You can find examples of supplementary measures in the official EDPB document in Annex 2.
If you can’t find any supplementary measures for your transfer, you must avoid, suspend or terminate the data transfer.
Step 5: Take procedural steps if you have identified effective supplementary measures
The fifth step is to take any procedural actions to adopt the supplementary measures depending on the transfer tool. You may need to consult your competent supervisory authorities for this.
Step 6: Re-evaluate at appropriate intervals
The sixth and final step is to re-evaluate the level of protection of personal data involved in your transfer at appropriate intervals. You must assess if there are any changes or developments that might affect it.
How can our Compliance Dashboard help you?
Identifying your transfers is the first and most important step mentioned in EDPB’s recommendations. You may be using third-party services from the US, China, or other unsafe third countries which set cookies on your websites. As an exporter, it’s your duty to know about these transfers. If you have a proper tool to identify them, you can avoid lawsuits and fines.
An essential feature of the Compliance Dashboard is “Privacy Risks EU/EEA” which can help you visualize where your websites send cookies and data to. This way you can continuously monitor your transfers and ensure your business’ GDPR compliance.
The Compliance Dashboard is also for those who want a complete overview of their compliance level, consent rates, and cookies.
Cookie Information’s Compliance Dashboard, Privacy Risks overview