EU publishes guidance for International Transfers

By Philip MatherOpinion

EU publishes guidance for International Transfers

After 11 months out in the wilderness the European Data Protection Board has adopted “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data“

Organisations who have been struggling to work out what Schrems II and the demise of Privacy Shield actually means for international transfers received an early birthday present.

So what does this all mean?

Privacy Shield Is Dead (read our recent post) on the 16th July 2020 the Schrems II ruling by the European Union Court of Justice (CJEU) deemed that the transfer of EU personal data to the US was no longer legal when relying on the Privacy Shield Framework.

Whilst Standard Contractual Clauses and Binding Corporate Rules appeared to have been left in place the clarifications on the judgement left this in no doubt.

“Whether or not you can transfer personal data on the basis of SCCs/BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs/BCRs, following a case by case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”

Many organisations were left wondering what these supplementary measures might be, the ICO and the EDPB remain tight lipped.

No Silver Bullet

Unfortunately for any organisation expecting a silver bullet what we have instead is simply just a dose of common sense.

Don’t be misled, it is long overdue that some supplementary guidance needed to be put in place, but there is nothing in the guidance that any self-respecting data protection professional hasn’t already been advising their employers or clients. 

What is does do is further underline the types of transfers that cannot be done to certain countries, taking away any ambiguity that was there from Schrems II.

Examples of Supplementary Measures

The EDPB in Annex 2 of the guidance sets out some examples of supplementary measures. These are measures which may work for your own particular circumstances. The guidance makes it clear that the list is not exhaustive and that as technology and legislation changes any measures could be both added or removed as being legal.

Technical Measures

In brief the technical measures in the guidance:

Use Case 1 – Where storage of the data is in a 3rd country

  • The data is encrypted before transmission to the 3rd country
  • The encryption mechanism is ‘effective’ against the technology of that 3rd country, including key length and time periods of storage
  • The keys are not available to the importer or any agent able to exert influence over the importer

Use Case 2 – Where pseudonymised data is transferred

  • The data from the exporter cannot be linked back to an individual
  • The additional data required to get back to individual personal data is retained by the exporter and is not available to the importer or any agent able to exert influence over the importer
  • The additional data is appropriately secured 
  • The exporter has completed analysis to ensure that the pseudonymised data cannot be combined with any other data available in the recipient country that would lead to identification of the individual personal data

There are cautions relating to Use Case 2 essentially warning that access to significant amounts of publicly available internet data can render this use case invalid and care must be taken.

Use Case 3 – Where public authorities of a 3rd country are allowed to access data in transit

  • Encrypt the data in transit using suitable strong encryption methods in use between the exporter and imported
  • Only exporter and importer have access to appropriately secured keys to encrypt and decrypt the data
  • Assumes 3rd country does not or will not be able to access data at rest with the importer or be able to exert influence over the importer to give access to the data

Used Case 4 – The data transferred is protected by law in the 3rd country

  • Medical data or legal data would be good examples
  • That the data itself and the mechanisms for accessing the data are protected
  • The data does not leave the protected processor and get transferred to a 3rd part without the protections
  • Data is encrypted before transmission and the key belongs to the exporter and is only reliably decrypted by the importer

Use Case 5 – Personal data is split for multi-party processing 

  • The data is split in such a way that none of the parties are able to reconstruct the personal data
  • Only the exporter receives all the information and is able to reconstruct the personal data
  • The exporter has established through thorough analysis that public authorities in any of recipient countries will not be able to reconstruct the personal data
  • There is no evidence that the authorities in the recipient countries can or will collaborate to reconstruct the data

Use Case 6 – Transfer of data that is required to be in the clear for processing

  • An exporter transfers data to cloud service provider or another processor
  • The processor needs to access data in the clear
  • The authorities access to data in transit and or data at rest goes beyond what is necessary and proportional in a democratic society

Caution – In use case 6 the EDPB makes it clear that this is not an acceptable international transfer and goes on to say.

95. In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.

Use Case 7 – Data is transferred for business purposes including remote access

  • Data is transferred for shared processing or made available remotely
  • Data must be available in the clear for processing to take place
  • Example is a parent company in a 3rd country processing HR data for an exporter
  • The authorities access to data in transit and or data at rest goes beyond what is necessary and proportional in a democratic society

Caution – In use case 7 the EDPB makes it clear that this is not an acceptable international transfer and goes on to say.

97. In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.

Other Measures

The technical measures above in cases of 1-5 do not provide protection in isolation, contracts and agreements must also be in place to enforce the implementation and continued use of the measures as well as maintaining a vigilant watching brief over the practises and legislation in force in the 3rd countries.

Conclusion

If you have got this far then you may already have worked out the common theme. Essentially the supplementary measures amount to preventing 3rd parties accessing the personal data by way of encryption in some form or another, and the key being held by the exporter or another party who is not able to be coerced into giving up the key.

It is very clear that making personal data available in clear text to recipients in countries whose governments and other agencies might seek to obtain that data, is not compliant with the EU or UK GDPR. By not compliant you may also read illegal.

If you need more advice or help with you own international transfers, GDPR Auditing can help contact us.

Contact Us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at info@gdprauditing.com or visit our contacts page.