26/02/'21 - Late last year, the European Data Protection Board (EDPB) published, for public consultation, its ‘Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’. Considerati reviewed the feedback shared with the EDPB during the public consultation phase. Four common denominators run through the reactions of organizations from various sectors. Learn more in the review by Felicity Bakboord and Jonathan Toornstra.
EDPB recommendations on supplementary measures for data transfers – a review of the public consultation
In November 2020, the European Data Protection Board (EDPB) published its ‘Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’. These recommendations, published for public consultation, are to a large extent a reaction to the Court of Justice of the European Union’s (CJEU) invalidation of the EU-US Privacy Shield and its call for supplementary measures for data transfers, as ruled in Schrems II in July 2020.
EDPB Recommendation 01/2020 lays out a six-step approach that organizations are to follow when personal data is transferred from the EU to countries outside of the bloc. The EDPB also shares a number of examples of supplementary measures that organizations could put in place to further safeguard such transfers.
While the EDPB’s recommendations are a welcome step towards clarifying the overall process that organizations should follow, their publication drew almost immediate scrutiny from organizations across different sectors.
Considerati has identified four common denominators across the feedback that organizations have publicly shared with the EDPB:
- Lack of a risk-based approach
- Unreasonably short timeline for implementation of recommendations
- Disproportionate demand for resources and knowledge from businesses (especially SMEs) with regard to the performance of third country assessments
- Ambiguity around ‘supplementary measures’ for common business data transfers (specifically use cases 6 and 7)
These common denominators are further detailed below. Any references are sourced directly from the respective organization’s feedback, as published by the EDPB.
Lack of a risk-based approach
A number of organizations across different sectors indicate that the present EDPB recommendations do not sufficiently reflect the risk-based approach envisaged by the General Data Protection Regulation (‘GDPR’). Continuing the GDPR’s risk-based approach would require that transfer assessments be carried out based, in part, on the likelihood and severity of the impact on data subjects. For example, MedTech Europe explains that ‘[…] the effect of a shift away from a risk-based approach is that […] if a country’s laws do not meet the Essential Elements, then a transfer may not take place even where the risk to the personal data, such as would be the case in relation to medical devices, is exceedingly low.’
With regard to the international data transfer obligations, several organizations are also of the opinion that the recommendations follow an exceedingly narrow interpretation of Schrems II, leaving organizations with very little leeway. In this respect, the international pharmaceutical company Boehringer Ingelheim refers to Article 24 GDPR, explaining that the right to data protection should be interpreted ‘in accordance with the principle of proportionality, and that this includes the recognition of a risk-based approach regarding international data transfers’.
The Dutch trade association NL Digital adds to this argument that the EDPB’s recommendations entirely negate and even contradict the CJEU’s views concerning the application of a contextual approach to international data transfers ‘when evaluating their legality’, and thus prevent organizations from adopting a risk-based approach.
Finally, the Global Data Alliance (GDA) argues that the recommendations adopt a narrow view in assessing ‘all circumstances’ of the case and that this goes against the CJEU’s broad interpretation of this requirement. In its view, the list of applicable circumstances mentioned in the recommendations should be ‘much broader, reflecting other foundational aspects of a data transfer including the nature, scope, context and type of service for which the data is transferred (e.g., consumer-facing or business-to-business), the volume of personal data transferred, and the extent to which a customer makes decisions about where the data is transferred and stored […].’
Unreasonably short timeline for implementation of recommendations
Considering that the current recommendations still leave much ambiguity as to their interpretation, organizations across the board argue that the timeline within which the EDPB expects the recommendations to be implemented is disproportionately short. MedTech Europe, for example, suggests a transition period for the recommendations’ implementation, allowing organizations ‘to consider the laws of the third country where they are currently transferring data to, and have time to negotiate supplementary measures with their data importers.’ The French association of large companies, AFEP, describes the immediate applicability of the recommendations as an ‘unrealistic challenge for businesses of all sizes’.
The absence of an implementation timeline also exposes European organizations to a high risk of sanctions, which under the GDPR can amount to up to 4% of worldwide annual turnover (or EUR 20 million, whichever is higher), as well as to reputational damage. Ensuring compliance with the recommendations will require major efforts and resources from organizations, as it may affect how global IT systems and business procedures are currently set up. Most organizations that state they will comply with the EDPB’s recommendations once final nonetheless indicate that they require reasonable transition periods, proportional to the major task ahead.
Disproportionate demand for resources and knowledge from businesses (especially SMEs) with regard to the performance of third country assessments
The Global Privacy Alliance (GPA) indicates that ‘The need for third country laws to be assessed should not be required. If that in fact becomes a requirement, requiring companies to make their own independent assessment of the general laws of each of the third countries to which they transfer data is an enormous, impractical, and inefficient undertaking’. The GPA, moreover, points out that ‘assessments done at the individual company level are likely to produce widely varying and inconsistent assessments of the legal landscape in those jurisdictions.’
Organizations share the perspective that the recommendations consist of such rigorous yet ambiguous measures that they leave many organizations ill-equipped for implementation. Many claim that the recommendations will, especially for small and medium-sized enterprises (SMEs), result in ‘great expenditures’ and will require organizations to allocate vast amounts of resources to extremely difficult and time-consuming legal assessments before being able to transfer data outside of the EU.
The Dutch employers’ confederation, VNO-NCW, likewise considers assessments of third country legislation to be ‘a laborious and expensive task which requires legal knowledge and/or resources for legal counsels which go far beyond that of most if not all SMEs.’ VNO-NCW, moreover, indicates that ‘the risk of assessing the legal requirements in the country of destination should not be borne by businesses alone.’ Many organizations suggest that the European Commission should instead take on a more active role in assessing the laws of third countries.
Ambiguity around ‘supplementary measures’ for common business data transfers (Use Cases 6 and 7)
At present, the recommendations set out several Use Cases to illustrate scenarios in which businesses are required to consider and assess third country data transfers. In particular, Use Cases 6 and 7, concerning transfers to cloud service providers or other processors and remote access to data for business purposes, have sparked debate. For Use Cases 6 and 7 the recommendations state that ‘no effective supplementary measures could be found’, which many organizations have read as effectively rendering such transfer scenarios impossible.
A recurring theme throughout the feedback is that the EDPB’s findings for Use Cases 6 and 7 are deemed disproportionate and unrealistic, especially for multinational organizations.
According to Boehringer Ingelheim, Use Case 6 does not clearly distinguish between the scenario in which personal data is ultimately stored in a third country and the scenario in which a party in the third country merely gains access to personal data that remains stored in the EU. In its view, these scenarios differ from both a legal and a technical perspective and should be addressed separately by the EDPB. Boehringer Ingelheim also argues that the ‘application of the Schrems II considerations to all forms of transfers is inappropriate.’
Organizations further indicate that the scope of Use Case 7 requires clarification. Feedback points out that Use Case 7 describes a daily ‘routine transfer’ for many multinational organizations, for example where a parent company needs to remotely access its employees’ data, including data held by affiliated subsidiaries. This may be required for various purposes, such as complying with laws and regulations or conducting essential business operations. It is currently unclear what basis remains for such situations, as the EDPB concludes that it has not been able to find additional measures for Use Case 7.
techUK argues that Use Cases 6 and 7 are too ‘prescriptive’ and do not always map onto concrete scenarios in practice. The EDPB’s recommendations limit the options available to organizations for transferring data via cloud services, for example. This impedes the use of data for ‘any practical purpose’ and makes many services unusable. Such feedback further supports the need for a risk-based approach, as envisaged by the GDPR.