What happened?
On 12 July 2022, the European Data Protection Board (the “EDPB”) published a Statement 02/2022 on personal data transfers to the Russian Federation. As a consequence of the war initiated by the Russian Federation against Ukraine, Russia has been excluded from the Council of Europe and is therefore no longer a contracting party to its respective conventions and protocols. Russia will also cease to be a contracting party to the European Convention on Human Rights as of 16 September 2022. According to the EDPB, these changes will have a significant impact on the level of protection of data subjects with respect to the transfers of personal data from the European Economic Area (the “EEA”) to Russia.
In their statement, the EDPB does not comment on the lawfulness or unlawfulness of such transfers. The EDPB rather concludes that frequent exchanges of personal data still exist due to “close economic and historic ties” and that supervisory authorities continue to monitor legislative changes and other relevant developments in Russia that may have an impact on data transfers.
What are the next steps?
Following the Schrems II ruling and the successive recommendations of the EDPB, data exporters are responsible for assessing whether, in the context of a transfer of personal data, the applicable legislation in the destination jurisdiction is likely to undermine the effectiveness of the appropriate safeguards of the instruments of Chapter V GDPR:
- if this is the case, exporters should identify and adopt the additional measures that are necessary to ensure a level of protection for data subjects that is substantially equivalent to that guaranteed within the EEA;
- if this is not the case and no additional measures can be identified, data exporters should suspend the data transfers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.