The European Data Protection Board (the Board) has recently published practical guidance on how organisations should approach international transfers of personal data of EU residents. This guidance includes recommendations on supplemental measures that can be adopted to help protect such personal data from access by governmental authorities outside of Europe. The guidance follows the Court of Justice of the European Union’s landmark Schrems II decision (more information here).
The following is an overview of the recommendations that Israeli companies which regularly process personal data of EU residents, and are therefore subject to the GDPR, should take to heart when conducting international data transfers.
Six Steps
The Board’s recommendations (the Recommendations) outline six steps that organisations should take to assess whether their global data flows comply with EU law or whether they need to take supplementary measures to ensure sufficient protection of personal data.
Step 1: Know your transfers
The data exporters should record and map all international transfers of personal data.
Step 2: Know your transfer tool
The data exporter must identify the transfer tool on which the data transfer relies. The tools of practical relevance at present are: an adequacy decision by the European Commission, standard contractual clauses, binding corporate rules, or one of the limited derogations such as consent.
Since Israel is an “adequate jurisdiction”, can we stop here?
While Israel currently enjoys the status of an “adequate jurisdiction”, it is worthwhile for Israeli companies to be aware of the further recommended steps. Israeli companies often work with service providers outside of Israel and the EU and have to rely on another transfer tool to enable data flow. In addition, Israel’s adequacy status is currently under review by the European Commission. Should this review find that Israeli laws do not adequately protect EU residents’ personal data and the adequacy decision be revoked, Israeli organisations will have to rely on alternative transfer tools.
Step 3: Assess the effectiveness of your transfer tool
The Recommendations clarify that simply relying on an “appropriate safeguard” such as the standard contractual clauses may not be enough. Instead, businesses should assess whether the transferred personal data would be subject to a level of protection that is essentially equivalent to that guaranteed in the EU.
This means that the data exporter must assess if there is anything (!) in the law or practice of the third country that may decrease the effective protection of personal data. This is especially the case if public authorities of the recipient country may access the transferred data in a manner which “goes beyond what is necessary and proportionate in a democratic society”.
Step 4: Identify and adopt supplementary measures
If the “appropriate safeguard” adopted is not effective on its own, businesses must consider supplementary measures. The Board provides a list with several practical recommendations of (1) contractual, (2) technical, and (3) organizational measures that can be implemented. These supplementary measures are particularly significant, as they are the only way in which data transfers from the EU to the US or other countries whose privacy laws do not offer an “equivalent” level of protection can continue.
Step 5: Take any procedural steps needed to adopt any required supplementary measures.
Step 6: Re-evaluate at appropriate intervals.
Businesses should monitor, on an ongoing basis, developments in the jurisdiction to which they have transferred personal data that could affect their initial assessment.
Outlook for Israeli Businesses
Israeli companies that are subject to the provisions of the GDPR will have to review and assess their data transfers and transfer tools. Those that currently rely on standard contractual clauses for their transfer to third countries will need to carefully examine whether these are, in fact, an appropriate tool and, if necessary, adopt the required measures to ensure compliance.
As ever, we are ready to assist with all your needs. Please don’t hesitate to contact us.