The European Data Protection Board Issues Guidance On Supplementary Measures For The Cross-Border Transfer Of Personal Data

Written by: Richard Sheinis, Esq.

Most of you know that on June 4, 2021, the European Commission (“EC”) adopted two (2) new sets of Standard Contractual Clauses (“SCC”) for the cross-border transfer of personal data from the EU. The new SCC respond both to a general need to update the existing SCC and to the Schrems II decision, in which the adequacy of the SCC was called into question.

The European Data Protection Board (“EDPB”) has now issued recommendations for supplementary measures for the cross-border transfer of personal data to ensure compliance with the EU level of protection of personal data. Just relying on the new SCC might not be sufficient to comply with cross-border transfer rules, which seek to protect personal data transferred out of the EU. The EDPB recommends that each transfer be reviewed on a case-by-case basis to determine whether any law or practice in the third country to which the data is being transferred impinges on the effectiveness of the appropriate safeguards contained in the transfer tool being utilized, such as the SCC.

The EDPB guidance recommends a six (6) step analysis, but for this short article we will focus on step four (4), which is identifying and adopting supplementary measures for use with the transfer mechanism, in this case the SCC.  Annex II of the recommendations has numerous examples of supplementary measures for various scenarios in which the SCC may not be sufficient to ensure an EU level of protection of personal data in the receiving country.  Supplementary measures may include technical safeguards, such as encryption to protect data from access by public authorities, and contractual measures to ensure adherence to technical safeguards.  The guidance also addresses organizational safeguards and adoption of these practices.  The guidance provides sources of information to assess the adequacy of a third country’s data protection.

The biggest takeaway from the guidance is that just filling in the blanks and signing the SCC will no longer be sufficient.  Each case, and each country to which the personal data is being transferred, must be examined to determine what, if any, supplementary measures are appropriate.  I highly recommend that this analysis be documented to address any inquiry from a supervisory authority.
