On 12 July 2022, the European Data Protection Board (EDPB) adopted Statement 02/2022 on Personal Data Transfers to the Russian Federation, in which it confirmed that data transfers to Russia require a data transfer impact assessment (DTIA). A DTIA is a case-by-case evaluation that determines whether a specific data transfer arrangement guarantees sufficient protection of personal data being transferred to a third country, such as Russia, the United States or Singapore.
The EDPB advised following the procedures set out in the Court of Justice of the European Union’s judgment in Schrems II, as well as its Recommendations 01/2020 on Measures That Supplement Transfer Tools to Ensure Compliance With the EU Level of Protection of Personal Data.
In its statement, the EDPB highlighted the following points:
- Russia does not benefit from an adequacy decision of the European Commission pursuant to Article 45 of the General Data Protection Regulation (GDPR), so transfers of personal data to Russia must be carried out using one of the other transfer instruments listed in Chapter V of the GDPR.
- To ensure the application of appropriate safeguards when personal data is transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided in Chapter V (e.g., standard contractual clauses).
- Data exporters should perform a DTIA to assess if, in the context of the transfer at stake, there is anything in the law and/or practices in force in Russia – in particular with respect to access to personal data by the Russian public authorities, especially for criminal law enforcement and national security purposes – that may impinge on the effectiveness of the appropriate safeguards provided by the identified transfer instruments.
- If this is the case, data exporters should identify and adopt supplementary measures as necessary to ensure that data subjects are afforded a level of protection essentially equivalent to that which is guaranteed within the EU or European Economic Area.
- Where such assessment leads to the conclusion that compliance is not or is no longer ensured, and no supplementary measures could be identified, data exporters must suspend data transfers.
- European supervisory authorities will continue to monitor legislative changes and other developments in Russia that could have an impact on data transfers.
To perform a DTIA and simplify the documentation requirements for data transfers to Russia and any other jurisdiction, such as the United States or Singapore, we have developed Cooley Transfer – our firm’s methodology for helping clients carry out DTIAs and identify supplementary measures. Cooley Transfer streamlines all existing rules and criteria to create an objective, holistic and consistent approach on how to assess a client’s data transfer.
Cooley Transfer is executed via an interactive program that automatically generates a DTIA report to help clients save time and resources, which instead can be spent on making the necessary adjustments to the actual transfer.