The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US. As an alternative for companies wishing to transfer personal information to the US from the EU, the EU pointed to standard contractual clauses. At the time, though, they caveated that controllers relying on the SCCs may have to use supplementary measures to protect outbound personal data. There was confusion, however, around what such additional measures should be. In this recent guidance, the EDPB recommends that companies exporting data out of the EU in reliance on SCCs take six steps. These are useful for review by exporting companies in the EU, as well as entities in the US. The latter can expect to be asked questions by their EU counterparties that relate to these steps:

  1. Map out all transfers out of the EU. While difficult, the EDPB noted, it stated in the guidance that knowing the destination of data is an important step to understanding the levels of data it is provided. A related step is limiting the amount of information transferred to that which is actually needed.
  2. Understand the basis for the transfer (SCCs, etc.). This, too, is an important fundamental step according to the EDPB.
  3. Determine if the recipient’s country has laws that would negatively impact safeguard measures. These might include “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” When thinking about the legal context in the recipient country, the EDPB recommends that companies look to the context of the transfer, such as the reason for the transfer, industry sector, and format of the data being transferred (is it encrypted, for example?).
  4. Put additional security measures in place that will ensure the same level of protection as afforded in the EU. This is relevant to the extent that the exporter concludes that the recipient’s country’s laws would negatively impact security measures. An example of supplementary measures is using encryption and keeping the keys under the EU exporter’s control. Or, adding provisions to the contract like transparency obligations, restrictions on onward sharing, requirements for internal policies, or data minimization requirements. The EDPB points out, though, that there may be times when there are no appropriate supplementary measures.
  5. Take appropriate formal steps, if needed, depending on the basis of the transfer. For example, if a company decides to modify the SCCs in a way that “contradicts” (i.e., substantively modifies the provisions of) the clauses, then supervisory authority authorization would be needed.
  6. Regularly evaluate and monitor the security afforded to the data that is exported. This includes staying current on the legal developments in the recipients’ countries for things that might negatively impact the security of the data being exported.

The guidance is open to public comment until November 30, 2020. Companies interested in comment may want to consider this EDPB document in conjunction with the proposed modification to the Standard Contractual Clauses, issued by the European Commission and open for comment until December 10, 2020.

Putting it into practice: Businesses relying on Standard Contractual Clauses for exporting data from the EU (including import into the US) may find these steps useful to better understand what the EDPB views as appropriate supplementary measures. US companies can expect more questions from their EU partners about the status of US laws, and may find EU companies asking for additional provisions above the SCCs.