Can we talk for a minute about international data transfers? (It’s Friday: humour me.) 

There’s been plenty of ink already spilled on the European Data Protection Board’s long-awaited recommendations regarding the supplemental measures to be used when transferring data to non-adequate countries – particularly around the six-step roadmap used to assess whether measures are needed, and if so, which measures are appropriate.

These documents are like catnip for privacy lawyers, and perhaps rightly so.

But what about the SMEs in Manchester, Milan and Mainz? Those who don’t spend their days living in the weeds. The folks that actually use and rely on these transfer mechanisms to, y’know, run their businesses. What’s in the recommendations that would leave their commercial folks (or in-house lawyers) confused or concerned?

Para 42 – The exporting party’s assessment of foreign laws should be based on objective factors, avoiding a reliance on “subjective ones such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards”. 

This is interesting for two reasons:

  • Firstly, the GDPR is a risk-based law: that’s its whole shtick. But, here, organisations are being told not to think like that. Instead, a toymaker sharing data with a foreign distributor is equal to a giant social media platform, which doesn’t seem reasonable or right.
  • Secondly, it looks like a specific clapback to a recent U.S. Department of Commerce paper, which sought to reassure organisations (and regulators?) in the EU that American spies had no interest in the vast majority of their data.

Para 84 – An exporting party can route data through a non-adequate third country if, amongst other things, “the existence of backdoors (in hardware or software) has been ruled out”. That’s a pretty difficult, and in some cases impossible, thing to do. Does the reference in para. 103 to seeking contractual assurances on backdoors meet the “ruled out” test? The EDPB doesn’t say.

Para 88 – Technical measures aren’t sufficient to protect a cloud provider’s use of non-encrypted data in a country whose surveillance laws go beyond what is needed in a democratic society.

Our SMEs rely on a whole range of US-based SaaS providers, and those providers are in most cases subject to s702 of FISA – so this is quite the pickle. Although the EDPB elsewhere in the recommendations cites contractual and organisational measures as potentially offering sufficient protection for personal data, para. 48 is key: “[c]ontractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country” if this access undercuts adequate protection for the data.

So, although the EDPB doesn’t explicitly say, it’s not unreasonable to assume that where technical measures don’t apply, we have a problem.

Para 90 – The same situation and outcome as para. 88, but in this case the transfers are made between entities in the same group. So, between paras. 88 and 90 we’ve got a sizable chunk of global data flows that even encryption in transit and at-rest – the security measures that are often cited as helping to meet the standards required by CJEU in Schrems 2 – can’t adequately protect.

The recommendations are out for consultation under 30 November, but it’s reasonable to assume – based on previous EDPB rodeos – that the document won’t change hugely in that time.  So, if you're an SME (or, indeed, any business) it's worth taking with a pinch of salt the claims you might read that the EDPB guidance has provided a clear path to solving the global data transfer puzzle.

Pragmatic? Yes. Practical? Also, yes. But problem-free? That'll be a no.