- Does publicly available information you obtained on U.S. case law and reports from oversight bodies, civil society organisations, and academic institutions [60] reveal data importers of the same sector as your importer have received requests for access to data for similar transferred data in the past?

The answers to these questions that you obtain through your overall assessment lead you to conclude that:

- Section 702 FISA applies in practice to your particular transfer and therefore, impinges on the effectiveness of your Article 46 GDPR transfer tool. Consequently, if you wish to proceed with the transfer, you must consider, where appropriate in collaboration with the importer, if you can adopt supplementary measures that ensure effectively a level of protection of the transferred data essentially equivalent to that guaranteed in the EEA. If you cannot find effective supplementary measures, you must not transfer the personal data.

Or

- Section 702 FISA does not apply in practice to your particular transfer and therefore, does not impinge on the effectiveness of your Article 46 GDPR transfer tool. You may then proceed with the transfer without any supplementary measures.

Step 4: Adopt supplementary measures

50. If your assessment under Step 3 has revealed that your Article 46 GDPR transfer tool is not effective, then you will need to consider, where appropriate in collaboration with the importer, if supplementary measures exist, which, when added to the safeguards contained in transfer tools, could ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU. [61] “Supplementary measures” are by definition supplementary to the safeguards the Article 46 GDPR transfer tool already provides and to any other applicable security requirements (e.g. technical security measures) established in the GDPR. [62]

51. You must identify on a case-by-case basis which supplementary measures could be effective for a set of transfers to a specific third country when using a specific Article 46 GDPR transfer tool. You do not need to repeat the assessment every time you conduct the same transfer of a specific type of data to the same third country. Some of the data planned for transfer may require supplementary measures whereas other data may not (considering formal and/or practical application of the third country law). You will be able to build on your previous assessments and conclusions under Steps 1, 2 and 3 above and check against their findings the potential effectiveness of the supplementary measures in guaranteeing the required level of protection.

[60] e.g. Provisions of Section 702 FISA; Rules of Procedure of the Foreign Intelligence Surveillance Court (FISC), declassified FISC opinions and decisions, case law of U.S. courts; reports and hearing transcripts of the Privacy and Civil Liberties Oversight Board (PCLOB); reports by the Office of the Inspector General - U.S. Department of Justice; reports by the NSA Director of Civil Liberties and Privacy Office; reports prepared by the Congressional Research Service; reports by the American Civil Liberties Union Foundation (ACLU).

[61] C-311/18 (Schrems II), paragraph 96.

[62] Recital 109 of the GDPR and C-311/18 (Schrems II), paragraph 133.