On June 21, 2021, the EDPB adopted the final version of its recommendations on supplementary measures, following the earlier recommendations of November 2020 issued after the Schrems II ruling of the EUCJ.
The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.
The modifications include:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge – in practice – on the effectiveness of the Art. 46 GDPR transfer tool;
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and
- the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.
This means that the Data Exporter has the responsibility to apprise itself of the laws of the destination country and not depend entirely on the existence of a written contract. Some due diligence must be exercised.
It was in this context that FDPPI came out with a note on the “Surveillance laws” in India to assist the Data Importers in India who had to keep their vendors informed about the laws in India.
India is a sovereign country and therefore does not submit to arbitrary contractual obligations that prevent a Data Importer from challenging the local Government when a need for surveillance arises under due process of law.
The full text of the Recommendations is available here:
The principles stated in the guidelines are:
- Controllers should know their transfers
- Controllers should verify the transfer tool relied upon
- Assess if there is anything in the law of the destination country that impinges on the effectiveness of the safeguards
- Identify and adopt supplementary measures that are necessary
- Take such formal procedural steps as may be required under Article 46
- Re-evaluate at appropriate intervals the level of protection afforded to the transfer
It may be recalled that, in the absence of “Adequacy”, Article 46 of GDPR provides that the following appropriate safeguards are available for transfer:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
We must also remember that, apart from Adequacy under Article 45(3) and safeguards under Article 46, there are derogations available for specific situations under Article 49, which include the following measures allowing transfers to third countries:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
In addition to the above measures, the Controller has the right to mitigate the risk by using pseudonymization at his end, which is a fundamental suggestion under Article 32.
In view of the above, it is recommended that all Data Importers suggest that the Data Exporters adopt the alternate measures described above and not insist on the signing of contracts which are unenforceable at the end of the Data Importer.
We will be happy to provide any further clarification required on this provision.