Nevertheless, there is still a great deal of uncertainty in the business community as to what is meant by an “essentially equivalent level of protection” and how this can be achieved in practice. Therefore, it is important for companies to know how the competent supervisory authorities understand the term “essentially equivalent level of protection” and whether a risk-based approach meets their requirements.
Nothing to risk – data transfers to third countries under the GDPR
Following the Schrems II ruling, the European Data Protection Board (EDPB) adopted recommendations regarding supplementary measures when transferring data to countries outside of the EU/EEA, so-called third countries. The Danish Data Protection Agency has also updated its guidelines on transfers to third countries, which now take these recommendations from the EDPB into account.
The adopted recommendations contain several steps that should be taken in order to ensure a level of protection which is “essentially equivalent” to that which the GDPR offers when data is transferred to a third country. The data controller must assess whether there is anything in the third country’s legislation or practice which prevents the data processor from complying with its obligations under the GDPR and the chosen transfer mechanism. If the data controller finds that the legislation or practice of the third country means that the data processor cannot comply with its obligations, and therefore cannot ensure “essentially equivalent” protection, supplementary measures must be adopted.
A risk-based approach?
The recommendations from the EDPB have left many with the impression that transfers to third countries are now to be based on a risk/impact assessment. However, the Danish Data Protection Agency is of the opinion that the recommendations do not support a risk-based approach to transferring data to third countries. The Danish Data Protection Agency rejects a risk-based approach to transfers based on the fact that the EDPB received a high number of consultation responses requesting a risk-based approach, and still the EDPB did not endorse one, which would have been natural and straightforward if the EDPB had meant that a risk-based approach should be used.
Therefore, in the opinion of the Danish Data Protection Agency, all transfers must be based on “objective” and “quantifiable” criteria. There is, in their opinion, no basis for flexibility when it comes to “essentially equivalent” protection. In the words of the Danish Data Protection Agency, the protection of personal data being transferred to third countries must “not only be essentially equivalent in every single instance, but in each and every single instance - 95% of the instances is not enough.”
Very narrow scope for transfer
Even though the EDPB recommendations concern all third countries, the European Court of Justice has already ruled on how it views US legislation in relation to data protection, and the recommendations leave this scenario unchanged. In the light of its opinion regarding the risk-based approach, the Danish Data Protection Agency has stated that the ruling of the ECJ and the EDPB recommendations leave only a very narrow scope for using services which transfer data to the US – and therefore also to other third countries with similar legal setups, which would be a very high number of third countries.
Article provided by: Claas Thöle (NJORD, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)