
Europe puts out advice on fixing international data transfers that’s cold comfort for Facebook

Natasha Lomas
Senior Reporter, TechCrunch
November 11, 2020

In the wake of the significant ‘Schrems II’ decision by the Court of Justice of the European Union (CJEU) in July – which invalidated the EU-US Privacy Shield after four years – European data protection authorities have released 38 pages of guidance today to assist organizations navigating the complexities of legally transferring personal data outside of the European Union.

The recommendations issued by the European Data Protection Board (EDPB) concentrate on potential actions data controllers can implement to enhance the use of an alternative transfer mechanism: Standard Contractual Clauses (SCCs). This is intended to ensure adherence to the bloc’s General Data Protection Regulation (GDPR).

While SCCs were not invalidated by the court’s ruling, their application remains subject to legal ambiguity. The court clarified that SCCs can only be considered reliable for international data transfers if the security of EU citizens’ data is assured. Furthermore, EU regulators are obligated to intervene if they suspect data is being transferred to a location where it may not be adequately protected – consequently, the options for data transfers from the EU have become fewer and more intricate.

Facebook is one company that has stated it is awaiting the EDPB’s guidance. The company has already received a preliminary order to halt the transfer of EU user data to the US and has appealed to the Irish courts for a stay while seeking a judicial review of its data protection regulator’s procedures. It has also engaged prominent lobbying efforts – utilizing former UK deputy PM and ex-MEP Nick Clegg – to influence EU lawmakers on this matter.

The technology company likely anticipates the development of a new ‘Privacy Shield 2.0’ agreement to address the conflict between EU fundamental rights and US surveillance legislation.

However, the Commission has cautioned that a swift resolution is unlikely.

Amendments to US surveillance laws are considered essential – meaning no progress is anticipated before the Biden administration begins its term next year. Therefore, the legal uncertainty surrounding EU-US data transfers is expected to persist well into the following year. (Politico suggests a new data agreement is improbable in the first six months of 2021.)

Simultaneously, legal challenges to existing EU-US transfers are increasing, while EU regulators recognize their legal responsibility to intervene when data is at risk.

“Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in isolation,” the EDPB emphasizes in its executive summary. “The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impacts the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.

“In such instances, the Court still allows for the possibility of exporters implementing supplementary measures to address these gaps in protection and elevate it to the level required by EU law. The Court does not specify what these measures might be. However, the Court stresses that exporters must identify them individually. This aligns with the principle of accountability outlined in Article 5.2 GDPR, which requires controllers to be responsible for and demonstrate compliance with the GDPR principles concerning personal data processing.”

The EDPB’s recommendations detail a series of steps for data exporters to undertake as they assess whether their specific transfers align with EU data protection regulations.

Six steps, but no standardized solution

The fundamental process being outlined involves: step 1) cataloging all planned international data transfers; step 2) confirming the suitability of the transfer mechanisms being utilized; step 3) evaluating whether any laws or practices in the destination country could undermine the effectiveness of the safeguards associated with the chosen transfer mechanisms, considering the specifics of each transfer; step 4) identifying and implementing supplementary measures to elevate the level of protection to be substantially equivalent to that guaranteed by EU law; step 5) completing any necessary formal procedures to enact these supplementary measures; and step 6) regularly reassessing the data protection level and monitoring relevant developments.

Essentially, this will necessitate considerable effort – and continuous ongoing effort. In brief, the responsibility to safeguard the data of European users is perpetual.

Furthermore, the EDPB clarifies that suitable supplementary measures may not always be available for a given transfer.

“You may ultimately determine that no supplementary measure can guarantee an essentially equivalent level of protection for your particular transfer,” it cautions. “In such instances where no supplementary measure is appropriate, you must refrain from, suspend, or terminate the transfer to prevent compromising the protection of personal data. This assessment of supplementary measures should also be conducted with due diligence and thoroughly documented.”

When supplementary measures are potentially applicable, the EDPB indicates they can be of a “contractual, technical, or organizational nature” – or a combination of these.

“Integrating various measures in a manner that reinforces and complements each other can strengthen the level of protection and contribute to meeting EU standards,” it proposes.

However, it also explicitly states that technical measures are likely to be the most effective defense against the risk of foreign government surveillance. This inherently limits the viability of business models that require decrypting and processing data within the US, for example.

The guidance further includes illustrative scenarios where supplementary measures might be sufficient to legitimize an international data transfer.

Examples include storing data in a third country where decrypted data is inaccessible and encryption keys are held by the data exporter (or a trusted entity within the EEA or a country with adequate data protection); transferring pseudonymized data, ensuring individuals can no longer be identified (and preventing re-identification); or utilizing end-to-end encrypted data during transit through third countries (with the caveat that decryption must not be possible in jurisdictions lacking adequate protection; the EDPB also emphasizes the need to rule out any ‘backdoors’ in hardware or software, though the method for doing so remains unclear).

Another section addresses scenarios where no effective supplementary measures can be identified – such as transfers to cloud service providers (or similar) requiring access to unencrypted data, particularly when “the powers granted to public authorities in the recipient country to access transferred data extend beyond what is necessary and proportionate in a democratic society”.

This aspect of the document is particularly unfavorable for Facebook.

“The EDPB, based on the current state of technology, cannot foresee an effective technical measure to prevent such access from infringing on data subject rights,” it states, adding that it “does not preclude the possibility that future technological advancements may offer measures that achieve the intended business objectives without requiring access to data in an unencrypted format.”

“In the given scenarios, where unencrypted personal data is technically essential for the service provided by the processor, transport encryption and data-at-rest encryption, even when combined, do not constitute a supplementary measure ensuring an essentially equivalent level of protection if the data importer possesses the cryptographic keys,” the EDPB further clarifies.

It also emphasizes that supplementary contractual clauses are insufficient to address this issue – meaning Facebook cannot simply include a clause in its Standard Contractual Clauses (SCCs) to neutralize the impact of FISA 702, with the EDPB stating: “Contractual measures will not be able to override the application of the legislation of a third country that does not meet the EDPB European Essential Guarantees standard in cases where the legislation compels importers to comply with data disclosure orders from public authorities.”

The EDPB does discuss potential clauses data exporters could incorporate into SCCs to supplement them, depending on the specifics of their data flows – alongside specifying “conditions for effectiveness” (or ineffectiveness, in many cases). Once again, there is limited reassurance for those seeking to process personal data in the US (or another third country) while it remains vulnerable to government surveillance.

“The exporter could add annexes to the contract containing information that the importer would provide, to the best of their ability, regarding access to data by public authorities, including intelligence agencies, provided the legislation in the destination country complies with the EDPB European Essential Guarantees. This could assist the data exporter in fulfilling their obligation to document their assessment of the level of protection in the third country,” the EDPB suggests as one example from a section discussing transparency obligations.

However, the purpose of such a clause would be to enable the data exporter to proactively avoid entering into risky contracts or to facilitate the suspension/termination of a contract if a risk is identified – rather than providing a legal solution for widespread surveillance. As the EDPB warns: “This obligation, however, cannot justify the importer’s disclosure of personal data nor create an expectation that there will be no further access requests.”

Another example discussed in the document is the feasibility of adding clauses requiring the importer to certify the absence of backdoors in their systems that could compromise data security.

However, the EDPB cautions that this may be ineffective, stating: “The existence of legislation or government policies preventing importers from disclosing this information may render this clause ineffective.” This example may be included to counter potentially flawed legal advice suggesting that contract clauses are a universal solution to US surveillance concerns.

The EDPB’s complete guidance can be found here.

We have also contacted Facebook to inquire about their next steps regarding EU-US data transfers in light of the EDPB guidance and will update this report with their response. Update: Facebook has now provided this statement: “The CJEU ruled that Standard Contractual Clauses are a valid legal mechanism for the transfer of data from the EU, including to the US. We note that new guidelines on supplementary measures have been submitted for consultation and, like many other companies, will be reviewing them carefully.”
