On 10 November, the European Data Protection Board adopted a recommendation on supplemental measures which might be used to ensure compliance with the EU level of protection of personal data when exported to third countries with an insufficient level of protection. The recommendation both sets out a process to be followed by data exporters and, in the Annex, describes potential supplemental measures that can be adopted.
The recommendation provides a ‘non-exhaustive’ list of measures but notes that it is not simply a case of selecting options from a menu to ensure equivalent protection – instead the measures used must ‘guarantee’ essential equivalent protection for exported data – and it may be that some transfers cannot be guaranteed, whatever supplemental measures are put in place.
The measures in the recommendation are summarised below:
The recommendation notes that these measures may be required where contractual safeguards are not sufficient to stop access to personal data by public authorities in the country to which data is exported. The recommendation runs through some scenarios in which technical measures may be effective:
Use Case 1: Data storage for back-up and other purposes that do not require access in the clear
Properly implemented strong encryption under the control of the data exporter may provide sufficient additional protection in this scenario.
Use Case 2: Transfer of pseudonymised data
In this scenario, if the pseudonymsiation is properly implemented under the control of the data exporter and the pseudonymsiation cannot be ‘unscrambled’ through cross-referencing or mosaicing,it may provide sufficient additional protection.
Use Case 3: Encrypted data merely transiting third countries
If the technical measures ensure that the data cannot be accessed in transit, then this may provide sufficient additional protection. The technical measures adopted need careful scrutiny and analysis.
Use Case 4: Protected recipient
If the recipient of the data has additional protections (e.g. legal privilege) from the public authorities accessing personal data held by them, then encryption may provide sufficient additional protection.
Use Case 5: Split or Multi-party processing
If the data is split between two processors, so that neither of them receives personal data, this may provide sufficient additional protection.
Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear
The EDPB is not aware of any current technological measures that could provide sufficient additional protection for this use case in circumstances where the public authorities in the importing country have access beyond necessary and proportionate access.
Use Case 7: Remote access to data for business purposes
The EDPB is not aware of any current technological measures that could provide sufficient additional protection for this use case n circumstances where the public authorities in the importing country have access beyond necessary and proportionate access.
Additional Contractual measures
The EDPB highlights that private contracts will not be able to address deficiencies in an importing country’s legislation. However, in some circumstances, they can be helpful in combination with other measures, and the recommendation lists the following potential measures and the Annex to the recommendation explains the circumstances in which they may be considered and the conditions for effectiveness.
A: Providing for the contractual obligation to use specific technical measures
A1: Implementation of technical measures in use-cases 1-5 identified above.
B1: Provide information on access to data by public authorities
B2: ‘No back-door’ assurances
B3: Enhanced audit rights
B4: Enhanced notification of potential breaches
B5: ‘Warrant Canary’ notification obligation
C: Obligation to take specific actions
C1: Obligation to resist and challenge data access requests
C2: Notification to requesting authority and supervisory authority
D: Empowering data subjects
D1: Empowering data subjects to enforce their rights
D2: Enhanced notification of data subjects of infringement of their rights
D3: Enhanced data subject assistance including legal support
As with contractual protections, the EDPB notes that the measures identified may not necessarily provide adequate additional protection, but notes that they may be used with other measures.