Cross-Border Data Transfer to Ukraine (And Other Third Countries)
On July 16th, 2020, European Court of Justice has made its ruling in so-called “Schrems II” case, in which the mechanism for transferring personal data outside the European Economic Area (EEA) has been revised. Previously, the US companies could apply the Privacy Shield Frameworks to their data-related business actions in the EU and the EEA.
After Schrems II, Privacy Shield has become a measure that no longer determined to meet cross-border data transfer requirements of GDPR and violates essential principles of data protection. In other words – the rules of data transfer to the USA from the EEA are never going to be as they were.
Has it affected the rest of the world and, in particular, Ukraine? If yes, then how?
The fact is, that besides invalidating the Privacy Shied, the ruling of the CJEU has implied changes to cross-border transfers in general, bringing up Standard Contractual Clauses (SCC) as the new transfer mechanism. This means that these new SCC are the new requirements to all transfers out of the EEA in general.
There are still some exceptions, though, for data transfers out of the EEA depending on the receiving country. Those countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection, namely Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, are allowed for data transfers under the GDPR with no additional requirements. In other words, EDPB recognizes the national laws on privacy and personal data protection of these countries on the same level as GDPR.
On the other hand, Art. 46 of GDPR points that it is allowed to transfer personal data to the so-called third countries after a controller or processor has implied the appropriate safeguards. Therefore, if a country is not on the adequacy decision list, the obligation to ensure the adequate level of data protection lays on its residents who transfer European residents` personal data (except for special conditions of transfer under Art. 49 of GDPR).
Though Ukraine has signed the Association Agreement with European Union, it is still considered one of these so-called “third countries”. Therefore, to make the data transfer to Ukraine legal, controlling companies have to apply all the measures required.
What are these measures?
On November 10, 2020, the European Data Protection Board (EDPB) has adopted the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations) that sheds light on what has to be done.
It won`t be accurate if EDPB would tell you “build your data flow maps” or “keep the data encrypted”. However, the Recommendations are not a clear guidance. Yes, it would be easier that way for people who are going to read the Recommendations (or this article) to understand what the steps are, and no, it won’t really work as full as you could expect.
What is true about personal data transfer outside the EEA to non-adequate-level-of-protection countries is that it is a long and lovely journey through the ocean of GDPR, where checking your coordinates regularly is a necessity, otherwise you just go the wrong direction and get lost.
So, where do we start from, then?
Standard contractual clauses do not operate in vacuum, points out the Recommendations` text, and it could not be more right. You can sign a perfect, finest data processing agreement ever, but it will never be enough on its own. If you want a full and proper compliance for your company/organization`s data transfers,
EDPB offers moving within a roadmap of 6 main steps towards transfer compliance. These are:
- knowing your transfers;
- identifying your transfer tools;
- assessing whether the chosen transfer tools are effective in practice;
- adopting supplementary measures in addition to the SCC;
- procedural assessing whether the chosen supplementary measures are effective;
- re-evaluating at appropriate intervals.
As for the very 1st step, it is obvious that the controller/processor must:
- be aware of data transfers that are being made within its activity, and
- obtain all the information necessary on how each particular transfer is being made.
These shall include (according to the data minimization principle) awareness of all the kinds of data being transferred and purposes to it, including onward transfers. After the transfers have been identified and analyzed, the appropriate tools are to be chosen (2nd step).
Third countries transfer tools must meet the appropriate safeguards in according to Art. 46. How to know which tools are a good fit to a particular transfer?
The Recommendations don`t give an exact answer, except mentioning that the transferred personal data will have the benefit of an essentially equivalent level of protection, meaning that controllers and processors must decide on the tools on their own.
The 3rd step refers to assessing the effectiveness of the chosen tools and change them if they are not good enough. According to the Recommendations (and Schrems II), effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA.
Such assessment shall consider all the particularities of the transfer. In addition to this, the controller/processor has to determine whether the domestic laws and/or practices of the receiving party`s country apply in any way or impinge on such transfer.
If you understand that these measures you have applied within step 2 are not enough for your transfer case, it`s time to consider some supplementary ones (step 4) and apply procedural steps to implement them (step 5). The Recommendations emphasize that these measures are “by definition supplementary to the safeguards” and provide some examples of them.
Accountability is a continuing obligation, so re-evaluating the transfer tools and supplementary measures altogether from time to time is necessary.
According to the Recommendations, you have to take all of these steps before you transfer any personal data and step 6 has to be taken regularly. Also, we have to note that the Recommendations address both contractors and processors, which changes the role of a processor a bit. It is not only an assisting role now; it is a full-fledged player with obligations to apply their own measures for a legitimate transfer.
To sum up, transferring data to the countries not in the “adequacy decision” list is a harsh thing to do. It is vital to follow all the steps under the Regulations before you start which looks alright in theory and seems to be quite impossible in practice.
Although, as the rules of transfers have survived strong changings, we have nothing left but to obey. The main question is, how to transfer data to Ukraine properly?
- You definitely want to know what your transfers are.
Even if you have numerous of these. In fact, any other step you take is useless unless you do not obtain information on your data transfers. Know all your counterparties in Ukraine, all the data you are going to transfer (or already transfer) and all the conditions under which it is transferred. The deeper you dig into the process, the better chance of a good decision to be made.
- When choosing the transfer tools, document the transfer circumstances and your argumentation on your decision.
You can create some inner documents to register your decisions. In the future, if you are asked to report your current tools and safeguards by the authority, you can provide them with detailed information on what you have applied and why you thought it was an appropriate decision.
Circumstances change and people forget, so you better not rely on your luck and put everything on paper.
- Do your assessments in time and document them (truly).
Unless the previous point, this one sounds quite obvious. Don`t forget to do assessments according to your plan (e.g. twice a year, but you can do more often) and every time something changes in your transferring activity (e.g. you have a new counterparty in the third country who will receive data from you).
Don`t be afraid to put on the record your real results. They may not (and probably will not) be brilliant, but the more honest you are with yourself and your coworkers and partners, the better result you achieve in the future.
- Choose your partners carefully, explain your needs and sign your DPAs.
It would be easier if most companies in Ukraine were GDPR-compliant. However, most of them do not obtain information about what GDPR is and why you need them to be in compliance, too. You may prepare a presentation (in any reasonably convenient way) for your abroad potential partners in order to explain them why their participance is crucial for your mutual happy cooperation.
Choose someone who understands the importance of being compliant and sign data protection agreements with them. You should not transfer data to partner with those who do not share your values in regard personal data security.
Make effort to do everything required BEFORE the transfer.
Business realities can be different from what is claimed in the new rules of transfer. However, no one will appreciate you starting a data transfer before you do the steps, so do your best even if it sounds like mission impossible. You can always apply effective security measures even if you lack of time, or hire a qualified DPO if you cannot manage the transfers yourself.