Schrems II experience for Taking Actionable Steps to make a Data Transfer Roadmap

The European Data Protection Board (EDPB) identified five legal use cases and Two Schrems II Unlawful Use Cases, in the recently released Schrems II Guidance 01/2020. Organisations have been eagerly awaiting this guidance, particularly concerning what kinds of additional safeguards could be applied to data to allow cloud processing and global data transfers to continue lawfully.

Use cases Schrems II as Analysis, Fundamental Principles and Key Building Blocks to make a Roadmap for Taking Actionable Steps. In the five use cases set out by the EDPB, specific additional measures can make ongoing processing of EU personal data compliant with the Schrems II ruling. Besides, the EDPB guidance covers two – highly prevalent but now unlawful use cases – in which data processing is no longer GDPR-compliant.

The guidance clarifies that encryption, GDPR-compliant Pseudonymisation, and split or multi-party processing are viewed as sufficient technical measures to support particular types of processing in non-EEA countries, showing organisations a way forward. However, it is now also unlawful to use a non-EEA cloud service provider or another processor to process precise text EU personal data. No technical safeguards are viewed as sufficient by the EDPB. A large community of Schrems II “followers” has sprung up around this issue, as global organisations have been faced with the potential for their data transfers to be stopped if found to be non-compliant. EDPB guidance now leads towards a new path, in which clear additional safeguards for set use cases have been defined.

Five Schrems II Lawful Use Cases. The five legal use cases outlined by the EDBP are as follows. These set out how technical measures can be applied to continue certain non-EU/EEA countries’ processing activities.

1. Data Storage For Backup And Other Purposes That Do Not Require Access To Data In The Clear – where data is stored for backup purposes only (and not for other processing) and the keys necessary for processing are retained under the control of the data exporter in the EEA or third country with an equivalency level of protection.
2. Transfer Of Pseudonymised Data – where the personal data transferred is “Pseudonymised” in compliance with heightened GDPR Article 4(5) requirements that the processing of the data cannot be attributed to a specific data subject without the use of additional information which is kept separately by the data controller in the EEA or a third country with an equivalency level of protection. This data must also be subject to technical and organisational measures that ensure that the data cannot be attributed to identified or identifiable natural persons without access to the additional information.

3. Encrypted Data Merely Transiting Third Countries – where a data exporter routes personal data via a third country to a destination in the EEA or a third country with an equivalency level of protection, but no further processing occurs in the third country.
4. Protected Recipient – where a data exporter transfers personal data to a data importer to jointly provide medical treatment for a patient, legal services to a client, etc. protected explicitly by that country’s law.
5. Split or Multi-Party Processing – where an EU data exporter splits the data so that no individual data importer processor receives sufficient information to reconstruct the personal data in whole or in part. The data exporter gets the result of the processing from each of the processors independently and merges the pieces received to arrive at the final product, which may constitute personal or aggregated data. [pg. 25]

Two Schrems II Unlawful Use Cases. The EDPB also included two use cases in which data processing would be unlawful.

Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear – the EDPB does not currently envision that technical measures (other than standards enumerated in Use Cases 1-5) could enable a data exporter to lawfully use a non-EEA cloud service provider or another processor to process exact text EU personal data according to the data controller’s instructions in a third country. However, the EDPB does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear.

2. Remote Access to Data for Business Purposes – the EDPB does not currently envision that technical measures (other than standards enumerated in Use Cases 1-5) could enable a data exporter to lawfully make personal data available to entities in a third country to be used for shared business purposes.

Source: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

 

Also, see guidance on Standard Contractual Clauses. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-edpsjointopinion01_2021_sccs_c_p_en.pdf