EDPB data transfer toolbox to facilitate effective enforcement of DP laws internationally

On 14 March 2022, the European Data Protection Board (EDPB) adopted a toolbox on essential data protection safeguards for enforcement cooperation between European Economic Area (EEA) data protection authorities and third country data protection authorities (DPAs).

The stated aim of the toolbox is to facilitate the engagement of EEA DPAs and third country DPAs, which post-Brexit now includes the Information Commissioner’s Office (ICO) in the United Kingdom. The toolbox covers key topics, such as enforceable rights of data subjects, compliance with data protection principles and judicial redress.

The mission of the EDPB is to ensure the consistent application of European data protection rules and to promote effective cooperation among DPAs throughout the EEA and internationally. Indeed, Article 70(1)(u) of the GDPR requires the EDPB to “promote the cooperation and effective bilateral and multilateral exchange of information and best practices between the supervisory authorities”.

This toolbox is therefore not entirely unexpected and indeed is very welcome. It forms part of the EDPB’s 2021-2023 Strategy and Work Programme, specifically Pillar 4, which seeks to engage with the international community and ensure effective protection of personal data beyond European Union borders. 

Purpose

The purpose of the toolbox – as the name suggests – is to provide the necessary tools to enable the exchange of personal data between EDPB member DPAs and third country DPAs, ensuring that appropriate safeguards are implemented to govern those data transfers. Whilst there has been an unprecedented amount of attention in the last two years on international data transfers generally, prior to now there has – perhaps surprisingly – been very little focus on international data transfers specifically between the DPAs whose jobs it is to regulate such matters. The publication of the toolbox is therefore timely. 

Article 50 of the GDPR states that “the Commission and supervisory authorities shall take appropriate steps to: (a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data; (and) (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange”.

Article 50 recognises that when personal data transfers outside the European Union, there is an increased risk that individuals will be unable to exercise data protection rights to protect themselves from the unlawful use or disclosure of that information. This is because DPAs may be unable to pursue complaints or conduct investigations in regards to data protection rights outside of their borders. It additionally recognises the need for cross-border efforts among DPAs to help them exchange information and carry out investigations with their international counterparts, in order to facilitate effective enforcement of data protection laws internationally. 

This toolbox is therefore, on the face of it, a step towards developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of data protection legislation.  

Drafting 

At its simplest, the toolbox is essentially a library of EDPB-approved template provisions which can be selected, edited where necessary and adopted by DPAs when entering into cooperation agreements with other DPAs around the world. The foreword to the toolbox notes that the safeguards can be adopted in addition to, or alternatively inserted within, an existing enforcement cooperation agreement between the EEA DPA(s) and third country DPA(s).

The toolbox can be used both for administrative arrangements pursuant to Article 46(3)(b) GDPR or international agreements pursuant to Article 46(2)(a) GDPR. Depending on the arrangement in question and the specific circumstances of the transfer, the template wording which is included within the toolbox may need to be adjusted accordingly. The EDPB has, however, helpfully endeavoured to make the toolbox user-friendly by drafting the template text so that the specific parts intended for administrative arrangements are highlighted in grey and the parts relevant to international agreements are highlighted in blue. 

The scope of the drafting included within the toolbox will not be unfamiliar to data protection practitioners. It covers many of the key areas that one would expect to be included in any data cooperation agreement, particularly one with an international dimension. For example, it includes template drafting on the data protection principles, data subject rights, onward transfers of data, and effective redress for data subjects. Whilst these themes are familiar, it is nonetheless helpful to see how the EDPB anticipates these matters being addressed in agreements between international DPAs.  

Some of the drafting (in particular the sections on data protection principles and data subject rights) is also very helpful to bear in mind for other use cases aside from cooperation between DPAs. The themes addressed in these sections of the toolbox are ubiquitous, and so the template text could quite easily (with some critical thought applied) be repurposed for use in other data sharing or cooperation arrangements.  

For example, the section on cooperation between the two parties when it comes to handling data subject access requests is helpful as it demonstrates how the EDPB might expect DPAs to cooperate (and perhaps, by extension, how the EDPB’s members might expect other data controllers and processors to cooperate in analogous circumstances). There is some value in knowing, if seeking to re-use this drafting, that it has been approved by the EDPB, although admittedly only in the context of DPA to DPA cooperation agreements. Whilst we would not, therefore, recommend redrafting your existing template suites of privacy documents to include the toolbox drafting in its entirely, it is nonetheless a useful resource to consider when drafting new agreements.

The drafting style and tone of the toolbox is generally pragmatic, clear and concise. It is not overly legalistic and should be accessible to a wide range of users.  Its ambition is however perhaps slightly limited. Whilst useful, the template provisions within the toolbox are not exhaustive and nor is the toolbox drafted as a template agreement which could be taken “off the shelf” and simply implemented between two DPAs.  

Perhaps understandably, given the nature of the arrangements to which the toolbox will apply, the drafting anticipates that some tailoring and augmenting will be required before the text can be implemented between two parties. Those hoping to find a fully-formed template agreement will therefore be a little disappointed.  However, the flexibility afforded by the approach taken to drafting the toolbox is in many respects preferable to the rigidity that a mandated form of agreement would provide.

Schrems Influence

The impact of the Schrems II judgment is immediately obvious when reading the toolbox.  As is now well understood, the Schrems II judgment addressed various significant matters relating to international data transfers. In particular, the judgment confirmed that where (under Article 46 GDPR) a data exporter relies on appropriate safeguards to govern the data transfer, the appropriate safeguards, enforceable rights and effective legal remedies required by Article 46 must ensure that data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the European Union under the GDPR. This should include providing effective redress for data subjects in the third country in the event of a data breach. 

Following the Schrems II judgment, the EDPB also issued Recommendations 01/2020 on measures that supplement Article 46 (Recommendations 01/2020). The Recommendations 01/2020 set out steps which data exporters should take before data transfers are made, such as conducting case-by-case transfer risk assessments and identifying and adopting supplementary measures where required.

Both the requirement for “essential equivalence” and the requirement for data subjects to have access to effective redress in the third country in the event of a data breach are addressed in the toolbox drafting. There are also noticeable similarities between certain points within the toolbox and the Recommendations 01/2020.

Clause 9 of the toolbox, ‘Effective Redress’, requires the third country DPA to provide information to the EEA DPA concerning its applicable law providing for redress to data subjects and likewise vice versa. The information provided is subsequently recorded in Annex III of the toolbox. This exercise encourages DPAs to assess (instead of simply list) the applicable rules to provide the necessary safeguards, to ensure that an appropriate level of protection is provided – an approach which is similar (albeit narrower) to the requirement on other data exporters to complete a transfer risk assessment before transferring personal data overseas. 

Furthermore, Clause 9 of the toolbox explicitly states that the data subject has the right to obtain judicial redress if the safeguards of the toolbox are not complied with. In relation to Recommendations 01/2020, the EDPB suggests that the data exporter should assess the data importer’s rules and regulations to establish the effectiveness of available mechanisms for individuals to obtain (judicial) redress. Both the toolbox and Recommendations 01/2020, therefore, highlight the importance for the data subject to have a clear and defined route to redress. 

In Annex I of the toolbox, both the EEA DPA and third country DPA must describe in specific (not generic) terms, the technical and organisational measures implemented by both parties to ensure an appropriate level of security. Annex I requires each DPA to be specific and to ensure that the technical and organisational measures being detailed are sufficient, and that an appropriate level of security is provided, taking into account the specific nature and risks associated with each particular transfer. This is again analogous to the points considered by the EDPB in the Recommendations 01/2020 – in that case, the EDPB set out the need for a review of supplementary measures, including technical and organisational measures, to ensure they provide an appropriate level of security.  It is reassuring to see that the EDPB expects DPAs to follow a similar process when deciding themselves whether or not to send data overseas. 

Implications for the UK 

The UK is not directly impacted by the EDPB’s toolbox given that, since Brexit, the UK is deemed a third country by the EU. However, that is not say that the toolbox should be disregarded either by the ICO or other controllers and processors based in the UK. On the contrary, the toolbox remains a very helpful resource for data protection practitioners who engage in international data transfers.

The most obvious impact of the toolbox in the UK is that we would expect the ICO to be asked to enter into cooperation agreements with EEA-based DPAs which incorporate the text set out in the toolbox. We would also expect the ICO to either adopt/re-use the toolbox text for its own cooperation agreements with other DPAs around the world (outside the EEA), or else to draft and publish its own template provisions.  At the time of writing this article, the ICO has not released a statement on the toolbox or its use within the UK context.

In cases where the ICO enters into a cooperation agreement with an EEA DPA and then undertakes an onward transfer to a third country DPA, it would be logical for the drafting of the toolbox to be deployed by the ICO to ensure that consistent protections are provided in each agreement.  Indeed, the toolbox states at clause 8 that onward transfers of data may only take place “where the level of protection of personal data will not be undermined, e.g. the third party provides a commitment to respect the same data protection principles and safeguards as in [the toolbox] or a relevant adequacy decision is in place”. 

As is noted above, the toolbox is also a useful resource for controllers and processors based in the UK which engage in international data transfers.  As with much of the EDPB guidance, it helps to bring to life the core GDPR obligations. It also helps to demonstrate some of the key considerations that a DPA may have in mind when reviewing any international data transfer model.

Above all else, the toolbox is a step towards a more consistent and aligned international approach on personal data transfers.  It should drive greater standardisation and so improve efficiency in governing international data transfers between DPAs. It also helps to articulate the rights and remedies available to data subjects when their data is being transferred overseas.  

Contributor: Harriette Blake

This article was first published in PL&B UK report, May 2022.