EDPB guidance on ‘supplemental measures’ for data export

On 10 November, the European Data Protection Board adopted a recommendation on supplemental measures which might be used to ensure compliance with the EU level of protection of personal data when exported to third countries with an insufficient level of protection. The recommendation both sets out a process to be followed by data exporters and, in the Annex, describes potential supplemental measures that can be adopted.

The recommendation provides a ‘non-exhaustive’ list of measures but notes that it is not simply a case of selecting options from a menu to ensure equivalent protection – instead the measures used must ‘guarantee’ essential equivalent protection for exported data – and it may be that some transfers cannot be guaranteed, whatever supplemental measures are put in place.

The measures in the recommendation are summarised below:

Technical Measures

The recommendation notes that these measures may be required where contractual safeguards are not sufficient to stop access to personal data by public authorities in the country to which data is exported. The recommendation runs through some scenarios in which technical measures may be effective:

Use Case 1: Data storage for back-up and other purposes that do not require access in the clear

Properly implemented strong encryption under the control of the data exporter may provide sufficient additional protection in this scenario.

Use Case 2: Transfer of pseudonymised data

In this scenario, if the pseudonymisation is properly implemented under the control of the data exporter and the pseudonymisation cannot be ‘unscrambled’ through cross-referencing or mosaicing, it may provide sufficient additional protection.
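The two conditions in this use case, pseudonymisation under the exporter's control and resistance to cross-referencing, translate into concrete engineering checks. The following Python block is an added illustration, not code from the EDPB recommendation: it pseudonymises direct identifiers with a keyed HMAC whose key and re-identification table never leave the exporter, verifies before transfer that no identifier value survives in the exported view, and flags quasi-identifier combinations shared by fewer than k records as the rows most exposed to mosaicing. The record layout, field names (`DIRECT_IDENTIFIERS`, `QUASI_IDENTIFIERS`) and the threshold k are assumptions for the example; a real transfer needs a fuller re-identification risk analysis of the remaining attributes than the single-column count shown here.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (hypothetical data held by the exporter).
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchase_total": 120},
    {"email": "bob@example.org", "country": "FR", "purchase_total": 75},
    {"email": "alice@example.org", "country": "DE", "purchase_total": 40},
]

# Fields that directly identify a person and must not leave the exporter in the clear.
DIRECT_IDENTIFIERS = {"email"}
# Fields that could be cross-referenced with other data sets (quasi-identifiers).
QUASI_IDENTIFIERS = ("country",)


def new_pseudonymisation_key() -> bytes:
    """Secret key generated and kept by the exporter; it is never transferred."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). The same key maps the same identifier to the
    same pseudonym, so records stay linkable, but without the key the pseudonym can
    neither be inverted nor recomputed by guessing identifiers (a plain hash could be)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records):
    """Return (export_view, lookup). export_view is what the importer receives;
    lookup (pseudonym -> identifier) stays with the exporter for re-identification."""
    export_view, lookup = [], {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                p = pseudonym(key, value)
                lookup[p] = value
                out[field + "_pseudonym"] = p
            else:
                out[field] = value
        export_view.append(out)
    return export_view, lookup


def leaks_direct_identifier(export_view, records) -> bool:
    """Pre-transfer check: no original identifier value may appear in the exported view."""
    originals = {rec[f] for rec in records for f in DIRECT_IDENTIFIERS}
    return any(
        isinstance(v, str) and v in originals
        for rec in export_view for v in rec.values()
    )


def rare_quasi_identifier_groups(export_view, quasi_ids=QUASI_IDENTIFIERS, k=2):
    """Flag quasi-identifier combinations shared by fewer than k records: these are the
    rows most exposed to re-identification by cross-referencing ('mosaicing')."""
    counts = Counter(tuple(rec[q] for q in quasi_ids) for rec in export_view)
    return sorted(combo for combo, n in counts.items() if n < k)


def reidentify(lookup, export_view):
    """Exporter-side only: restore identifiers using the retained lookup table."""
    restored = []
    for rec in export_view:
        out = {}
        for field, value in rec.items():
            if field.endswith("_pseudonym"):
                out[field[: -len("_pseudonym")]] = lookup[value]
            else:
                out[field] = value
        restored.append(out)
    return restored


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    view, lookup = pseudonymise(key, RECORDS)
    print("importer receives:", view)
    print("direct identifier leaked:", leaks_direct_identifier(view, RECORDS))
    print("rare quasi-identifier groups:", rare_quasi_identifier_groups(view))
    print("exporter can re-identify:", reidentify(lookup, view) == RECORDS)
```

Only `view` is transferred; `key` and `lookup` stay with the exporter, which is what keeps the measure ‘under the control of the data exporter’. An importer, or a public authority with access to the importer's systems, holding the pseudonyms but not the key cannot recompute them from a list of candidate e-mail addresses, whereas an unkeyed hash would allow exactly that.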

Use Case 3: Encrypted data merely transiting third countries

If the technical measures ensure that the data cannot be accessed in transit, then this may provide sufficient additional protection. The technical measures adopted need careful scrutiny and analysis.

Use Case 4: Protected recipient

If the recipient of the data has additional protections (e.g. legal privilege) from the public authorities accessing personal data held by them, then encryption may provide sufficient additional protection.

Use Case 5: Split or Multi-party processing

If the data is split between two processors, so that neither of them receives personal data, this may provide sufficient additional protection.

Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear

The EDPB is not aware of any current technological measures that could provide sufficient additional protection for this use case in circumstances where the public authorities in the importing country have access beyond necessary and proportionate access.

Use Case 7: Remote access to data for business purposes

The EDPB is not aware of any current technological measures that could provide sufficient additional protection for this use case in circumstances where the public authorities in the importing country have access beyond necessary and proportionate access.

Additional Contractual measures

The EDPB highlights that private contracts will not be able to address deficiencies in an importing country’s legislation. However, in some circumstances they can be helpful in combination with other measures. The recommendation lists the following potential measures, and the Annex to the recommendation explains the circumstances in which each may be considered and the conditions for its effectiveness.

A: Providing for the contractual obligation to use specific technical measures

A1: Implementation of technical measures in use-cases 1-5 identified above.

B: Transparency

B1: Provide information on access to data by public authorities

B2: ‘No back-door’ assurances

B3: Enhanced audit rights

B4: Enhanced notification of potential breaches

B5: ‘Warrant Canary’ notification obligation

C: Obligation to take specific actions

C1: Obligation to resist and challenge data access requests

C2: Notification to requesting authority and supervisory authority

D: Empowering data subjects

D1: Empowering data subjects to enforce their rights

D2: Enhanced notification of data subjects of infringement of their rights

D3: Enhanced data subject assistance including legal support

Organisational Measures

As with contractual protections, the EDPB notes that the measures identified may not necessarily provide adequate additional protection, but notes that they may be used with other measures.

I: Internal governance policies

II: Transparency and accountability

II.i: Document requests for access from public authorities

II.ii: Publish regular transparency reports

III: Organisation methods and data minimisation measures

III.i: Enhanced data management and minimisation measures

III.ii: Enhanced DPO role, reporting and audit

IV: Adoption of standards and best practices

V: Others:

V.i: Review and improve internal policies

V.ii: Commitments for no onwards transfer
