When organisations face a difficult decision and do not know how to tackle it themselves, they often fall back on an age-old tactic: they put the onus on you. That, in effect, is what the European Data Protection Board (EDPB) did on November 10th, 2020. When you transfer personal data to a third country that the European Commission has not recognised as providing adequate protection, it is now you, the exporter, who must put the safeguards in place, or risk a hefty fine from your supervisory authority (in France, the CNIL).
So how did this come about? As you know, a great deal of data is transferred to the USA. One European citizen, Mr. Schrems, was concerned about Facebook Ireland transferring his data to Facebook Inc. in the USA. The case ultimately reached the Court of Justice of the European Union, which on July 16th, 2020 (case C-311/18, the so-called "Schrems II" judgment) invalidated the "Privacy Shield" that the USA had been relying on for transfers of data from the European Union.
So where does this leave us?
Make it a condition of the contract that personal data is secure? Sadly, in the case of the USA this is not enough. The Foreign Intelligence Surveillance Act (FISA), and Section 702 in particular, overrides the protections offered by the standard contractual clauses for the transfer of personal data; in legal terms this is because a contract binds only its parties, and the US public authorities are not party to it. The Court therefore requires the exporter to verify, case by case, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. All is not lost, however: the Court leaves the door open for exporters to implement supplementary measures that fill these gaps and bring protection up to the level required by EU law. So what are these measures? The Court does not specify them, but the EDPB has given some valuable advice on measures you could put in place to safeguard your customers and yourself.
Perhaps the most useful advice the EDPB gives is in the section "Scenarios for which effective measures could be found" (p.21 of Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on November 10th, 2020; the companion Recommendations 02/2020 on the European Essential Guarantees for surveillance measures were adopted the same day). We have reduced what they say to the bare bones in order to give an overview. For a more detailed account, please consult the full report.
Supplementary measures
- Strong, state-of-the-art encryption is applied before transmission, and the encryption must be capable of withstanding cryptanalysis by the public authorities of the recipient country. The keys must be retained solely under the control of the data exporter (or another entity it trusts in the EEA or an adequate country), so that the importer only ever holds ciphertext.
- The data exporter pseudonymises the personal data before transfer and retains exclusive control of the additional information (the key or lookup table) needed to reverse it. Note that this is not just a simple matter of replacing names, addresses and the like: the controller is required to analyse thoroughly what information the public authorities of the recipient country may already possess, and confirm that the pseudonymised data cannot be attributed to an identified or identifiable person by combining it with that information.
- If the data is being transferred to a country that is deemed to have adequate protection but is routed through a third country, state-of-the-art transport encryption should be used, and the existence of backdoors, whether in hardware or software, should be ruled out.
- There are cases where personal data is transferred to a third country that has legislation in place specifically to protect that data, for example to jointly provide medical treatment to a patient or legal services to a client. In such cases the EDPB considers that transport encryption provides an effective supplementary measure.
- If the data exporter wishes personal data to be processed jointly by two or more independent processors located in different jurisdictions, it should split the data in such a way that no part an individual processor receives suffices to reconstruct the personal data in whole or in part. In this case the secret-sharing or multi-party computation algorithm must be secure against active adversaries, and the exporter must have established that there is no evidence of collaboration between the public authorities of the respective countries.
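As an added illustration, not code from the EDPB recommendations or from the original post, the following Python shows two of the measures above in working form: keyed pseudonymisation, where the exporter keeps the HMAC key in the EEA and ships only the tokens, and n-of-n XOR secret sharing, where each independent processor receives one share that on its own is statistically independent of the data. The sample record, field names and key are constructed values chosen for the example.

```python
"""Pseudonymisation and data splitting as supplementary measures (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample record for illustration only; not real data.
SAMPLE_RECORD = {"name": "Jane Doe", "city": "Lyon", "dob": "1980-01-01", "lab_result": "A+"}
# Constructed example key; in practice generate with secrets.token_bytes(32)
# and keep it in the EEA, never alongside the exported data.
EXPORTER_KEY = b"exporter-only-key-kept-in-the-eea"


def pseudonymise(record, key, fields):
    """Replace direct identifiers with keyed pseudonyms (HMAC-SHA256).

    The pseudonym is deterministic for a given key, so records about the same
    person stay linkable for the processor, but only the holder of `key` can
    map a token back to its input or test candidate values against it.
    """
    out = dict(record)
    for field in fields:
        if field in out:
            value = str(out[field]).encode("utf-8")
            out[field] = hmac.new(key, value, hashlib.sha256).hexdigest()
    return out


def split_shares(data: bytes, n: int):
    """n-of-n XOR secret sharing.

    n-1 shares are uniformly random; the last is data XOR all of them.
    Any n-1 shares together reveal nothing about `data`. One share goes to
    each processor; only the exporter ever holds all n.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = bytes(data)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares):
    """XOR all shares back together; requires every share (all-or-nothing)."""
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("shares must have equal length")
    acc = bytes(length)
    for share in shares:
        acc = bytes(a ^ b for a, b in zip(acc, share))
    return acc


if __name__ == "__main__":
    exported = pseudonymise(SAMPLE_RECORD, EXPORTER_KEY, ["name"])
    print("record sent to importer:", exported)
    payload = b"patient:123;result:A+"
    parts = split_shares(payload, 3)
    print("share for processor 1 only:", parts[0].hex())
    print("reconstructed by exporter:", combine_shares(parts))
```

Two caveats follow from the EDPB text. First, XOR sharing is all-or-nothing: lose one share and the data is gone, so for availability a threshold scheme such as Shamir's secret sharing is usually preferred; the security property the EDPB asks for is the same. Second, pseudonymising `name` does not by itself stop singling-out: `city` plus `dob` in the exported record may still identify the person when combined with data the recipient country's authorities hold, which is exactly the analysis the second bullet requires the controller to perform before relying on this measure.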
It should also be noted that the EDPB identified two scenarios where no effective supplementary measures could be found. The two they cite are:
- a data exporter uses a cloud service provider or other processor to have personal data processed according to its instructions in a third country, where the processor needs access to the data in the clear;
- remote access to data in the clear for business purposes (for example, a shared HR or customer database queried from the third country).