The European Data Protection Board (EDPB) has adopted updated Recommendations on the European Essential Guarantees for surveillance measures, providing organisations that transfer personal data outside the UK and European Economic Area with much-needed clarification regarding evaluations of third-country surveillance laws.
Since Schrems II, data exporters using Standard Contractual Clauses (SCCs) have been patiently awaiting guidance from the EDPB as to how they can best assess whether the laws of recipient third countries ensure a level of protection that is “essentially equivalent” to that guaranteed by EU law. The recommendations have been adopted to assist with these assessments, and specifically with respect to assessing surveillance measures, like those in the US that resulted in the invalidation of the EU-US Privacy Shield.
According to the EDPB, the recommendations aim to provide data exporters with the minimum “elements” to determine whether third-country legal frameworks governing public authorities’ access to data for surveillance are a “justifiable interference” with individuals’ privacy rights, and thereby permit the lawful use of the SCCs in such circumstances. If the interference is not justifiable, supplementary measures may need to be implemented or, if this is not possible (or if such measures do not mitigate the risks), transfers must be suspended.
The recommendations highlight that there are four “European Essential Guarantees” against which data exporters must analyse the surveillance laws of the third countries to which they intend to transfer (or are already transferring) personal data using the SCCs. According to the EDPB, the guarantees are based on fundamental and universal rights to privacy and data protection, as follows:
- Processing should be based on clear, precise and accessible rules.
- The legitimate objectives pursued must be demonstrably necessary and proportionate.
- There must be an independent oversight mechanism.
- Individuals must have recourse to effective remedies.
For further information on the details of each of the guarantees, as well as our commentary on the recommendations, please click here.
While the Recommendations help in assisting data exporters to understand the types of surveillance issues they need to consider when using SCCs, certain practical issues remain. Firstly, the EDPB acknowledges that the Recommendations and Guarantees are not exhaustive – they are only “elements” or minimum levels to consider when determining whether the surveillance laws of third countries prevent essentially equivalent protections for personal data to those provided in the EU. The Guarantees require interpretation by controllers (which may result in subjective differences of opinion and inconsistent approaches) and it is somewhat frustrating that the EDPB has failed to provide a definitive list of factors which must be satisfied for continued use of the SCCs to be valid (although this failure may reflect the difficulty in making such assessments in practice).