Memo on Data Embassy Principles as Post-Schrems II Compliant Supplementary Measures
On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a basis for lawful transfers of EU personal data to the US. Companies must now find lawful solutions embodying "supplemental measures", such as those exemplified by the Data Embassy Principles described below, to keep international data flows uninterrupted for business continuity.
Data Embassy Principles enable ongoing, predictable operations by resolving potentially disruptive changes to the $7.1 trillion transatlantic data analytics, AI and ML economy.
Data Embassy Principles maximise lawful and ethical secondary data processing, such as analytics, AI and ML that use EU personal data, by technically enforcing established EU data protection principles to satisfy the new requirements established by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), “Schrems II.”
Data Embassy Principles comprise:
- GDPR Pseudonymisation: Enforcing GDPR-compliant Pseudonymisation as per ENISA guidelines, in accordance with the standard set by GDPR Article 4(5), whose requirements technically enforce the WP29 and EDPS recommendations for Functional Separation. The effectiveness of these protections can be challenged by data subjects before an EU supervisory authority, ensuring the availability of an effective judicial remedy under Article 47 of the EU Charter.
- Data Minimisation: Enabling Data Minimisation compliant with GDPR Article 5(1)(c) by enforcing Article 25(1) and 25(2) Data Protection by Design and by Default techniques using GDPR-compliant Pseudonymisation.
- Secured Personal Data: Restricting processing to a form of personal data that does not enable the identification of data subjects as provided under GDPR Articles 11(2) and 12(2) by keeping the “additional information” needed for relinking in the sole possession of the EU-based data exporter. This activates significant and far-reaching changes in a data controller’s obligations that greatly facilitate “compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR."
- Demonstrability: Proactive technical enforcement enables data controllers to demonstrate compliance with their accountability and demonstrability obligations under GDPR Article 5(2).
- Responsibility: Technical and organisational measures enable data controllers to demonstrate compliance with their accountability and responsibility obligations under GDPR Article 24.
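As an added illustration of the first three principles (not code from the Data Embassy product or from the memo's authors), the following example keeps the Article 4(5) "additional information" (a secret key and a pseudonym lookup table) solely with the EU-based exporter, ships only pseudonymised and minimised records to the importer, lets the importer run analytics on them, and includes a demonstrability check. The records, key, field names and class names are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample records, held only by the EU-based data exporter (hypothetical data).
EU_RECORDS = [
    {"email": "anna@example.eu", "postcode": "1011", "spend": 120.0},
    {"email": "bob@example.eu", "postcode": "1011", "spend": 80.0},
    {"email": "anna@example.eu", "postcode": "1011", "spend": 30.0},
]
DIRECT_IDENTIFIERS = {"email"}  # fields that must never leave the exporter

class Exporter:
    """EU-side holder of the Art. 4(5) 'additional information': secret key + lookup table."""

    def __init__(self, key: bytes) -> None:
        self.key = key  # secret kept in the EU; never shipped with the data
        self.lookup: dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash (HMAC-SHA256): one identifier always yields one pseudonym, so the
        # importer can group by it, but without the key it can neither recompute the
        # pseudonym from a guessed identifier nor reverse it.
        pid = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[pid] = identifier
        return pid

    def export(self, records: list[dict]) -> list[dict]:
        """Data minimisation: drop direct identifiers, replace them with a pseudonym."""
        out = []
        for rec in records:
            row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            row["pid"] = self.pseudonym(rec["email"])
            out.append(row)
        return out

    def relink(self, pid: str) -> str:
        """Only the exporter, holding the lookup table, can re-identify a pseudonym."""
        return self.lookup[pid]

def importer_analytics(rows: list[dict]) -> dict[str, float]:
    """Third-country importer: per-pseudonym aggregation with no identity data at hand."""
    totals: dict[str, float] = {}
    for row in rows:
        totals[row["pid"]] = totals.get(row["pid"], 0.0) + row["spend"]
    return totals

def contains_direct_identifiers(rows: list[dict]) -> bool:
    """Demonstrability check (Art. 5(2)): no exported field is a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)
```

The importer's aggregated results are keyed by pseudonym, so only the exporter can map them back to individuals via `relink`.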
Before 16 July 2020
The EU-US Privacy Shield enabled EU personal data to flow between the EU and the US prior to the Schrems II decision by the CJEU on 16 July 2020.
Data Embassy Principles address the immediate, potentially highly disruptive obligations that Schrems II imposes on the global data ecosystem. Under Schrems II, absent appropriate safeguards that technically supplement contractual protections to prevent the misuse of data:
- Data controllers and recipients of personal data must verify that the legislation of the destination country enables the recipient to comply with the GDPR before transferring personal data to that third country;
- Data controllers are obligated to terminate contracts with international recipients of personal data and return or destroy any data that has already been transferred, or be in breach of obligations under the GDPR and the EU Charter of Fundamental Rights entitling data subjects to compensation for any damages suffered; and
- Data controllers, processors and supervisory authorities must block the transfer of personal data.
Data Embassy Principles embed risk-based controls into the data, so that risk is managed wherever the data goes, even during data sharing, combining, or transforming. This approach uniquely helps to satisfy global requirements for compliant innovative data use, including the new requirements set out by Schrems II.
Situation After 16 July 2020
After the Schrems II decision by the CJEU on 16 July 2020, Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) must be augmented with “supplemental measures” such as the Data Embassy Principles, as necessary to ensure that U.S. laws do not impinge on the level of protection provided under EU law.
US Response to Schrems II:
16 July 2020
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.
We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.
As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”
EU Response to Schrems II:
17 July 2020
It is in the best interest of all parties to avoid disrupting global commerce as, in the words of the EDPB in its press release:
- … the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means....
- If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
23 July 2020
Schrems II requires effective mechanisms to ensure compliance with a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, and requires that transfers of personal data pursuant to such clauses be suspended or prohibited in the event of a breach of those clauses or where it is impossible to honour them.
"EDPB FAQ 3: Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer?
Answer: No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S."
"EDPB FAQ 10: What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?
Answer: The supplementary measures you could envisage where necessary would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection.
The Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures.
The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.
The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance."