Search This Blog

Tuesday, 25 July 2023

EU Expands Open Banking to Open Finance

My piece for Ogier Leman on the EU's proposed Open Finance Regulation is here.

As part of its review of the second Payment Services Directive (PSD2), the EU consulted on whether to expand the concept of 'account information services' to other types of online financial services. As a result, the EU is now proposing a financial data access regulation (Open Finance Regulation) that will give a wider range of financial services customers new ways to extract, use and share their account data independently of the service provider who holds their account. For instance, you could get an independent adviser to analyse all your finances - savings, pensions and mortgages/loans - in detail at any time, including creditworthiness data, rather than rely on periodic summaries from the primary service providers. As a regulation, it will apply directly applicable in all Member States to ensure consistency, without needing to be 'transposed' under local law. Firms will have 2 years to prepare, although 'financial data sharing schemes' will have an earlier window in which to notify the local regulator of their activities. The Regulation is summarised below for information purposes, if you require advice on its application please let us know

Barriers to Data Access

Most financial service providers rely on knowing more than you about your use of their services, so they don't give you the same access to your data or convenient ways to share that data with advisers or other service providers.  Without secure ways to share the data, you won't do it or can't figure out how to do it - which is costly and not standardised.

Consistent with other EU legislation

The Open Finance Regulation not only builds on 'open banking' under PSD2, but is consistent with data access and portability rights under GDPR, the Data Governance Act (improving interoperability between data platforms), the Digital Markets Act (tackling the power of gatekeeper platforms), the proposed Data Act to provide data access rights to Internet of Things (IoT) data for users and providers of related services), the EU retail investment strategy (to provide safeguards in the use of retail investor data) and the Digital Operational Resilience Act (rules on cybersecurity and operational resilience in the financial sector).

Preferred Approach

The EU has chosen the following approach from a wide range of options considered by an experts group and other stakeholders. The Open Finance Regulation will:

  • require data holders to provide customers with 'permission dashboards' to grant access to selected customer datasets;
  • set eligibility rules on who can access customer data;
  • empower European authorities to issue guidelines to protect consumers against unfair treatment or exclusion;
  • require common standards for customer data and interfaces (APIs) for access to that data; and
  • require agreement on compensation and contractual liability.

Cost/Benefit

The Regulation is considered to be a necessary transition that will pay off in the medium to long term. Big providers will lose some of their 'hold' over customers, while providing new entrants access to data that will promote more customer activity and help grow the overall financial services market. 

A key example would be enabling you and your finance providers to figure out how to fund a sustainable lifestyle and retirement, make the decisions to meet your goals and obtain the relevant services to achieve them. 

Creating standard ways to efficiently share data will enable less form filling for customers and better productivity for service providers. 

The estimated total annual benefits from Open Finance for the EU economy ranges from €4.6bn to €12.4bn, including a direct impact on the financial data sector of €663m to €2bn. The overall estimated cost could be €2.2bn to €2.4bn initially and ongoing annual costs of €147m to €465m.

Specific Features of the Open Finance Regulation

Scope

In this context 'customer data' means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business, whether provided by a customer or generated as a result of customer interaction with the institution. So it includes access to, and processing of, business-to-business as well as business-to-consumer data, at the customer's request.

Certain categories of customer data may be accessed, shared, and used; with specific rights and obligations of defined data users/holders and authorised 'financial information service providers' (who provide information services as a regular occupation or business activity). 

The specific sets of data relate to mortgages, savings, investments, pensions, credit information and so on; and the types of firms in scope are regulated financial institutions - as well as authorised financial information service providers - when acting as holders or users of those types of data. 

A 'data holder' must make available the specified type of data to customers and their nominated 'data users' at the customer's request, in real time. 

Where personal data is involved, the request must also align with a valid legal basis for that data holder to undertake the requested processing under the General Data Protection Regulation (GDPR). 

Data users receiving data at the request of customers should only access the customer data made available to them, and only for the purposes and the conditions agreed with the customer. 

The customer’s personalised security credentials must not be accessible to other parties, nor can the data be stored longer than necessary.

Responsible data use and security 

The Regulation also guides firms on how they should use data for given use cases, and prohibits any discrimination or restriction in the access to services as a result of the use of the data. 

Customers can't be refused access to financial products just because they refuse to grant permission to use their data. 

Data holders must provide the customer with a 'permission dashboard' that meets certain criteria to monitor, manage and withdraw permissions the customer's gives to data users.

Creation and governance of financial data sharing schemes 

Financial data schemes are those whose aim is to bring together data holders, data users and consumer organisations. A scheme should develop data and interface standards, 'coordination mechanisms' for the operation of permission dashboards and a standardised contractual framework governing access to specific datasets and rules on governance, transparency, compensation, liability, and dispute resolution. 

Such data-sharing schemes must be notified to the local regulator; and benefit from a passport for operations across the EU. 

Data holders must be entitled to compensation for making the data available to data users, according to the terms of the scheme of which they are members. 

Financial information service providers. 

Financial information providers must apply for authorisation and meet various operational requirements, appoint a legal representative and may passport their services throughout the EU/EEA.

The Regulation will apply 24 months after its entry into force, except that 'financial data sharing schemes' will be able to apply 6 months in advance months to be ready for the Regulation to go live.

This note summarises the Regulation for information purposes, if you require advice on its application please let us know

Wednesday, 19 July 2023

FCA Updates Social Media Guidance To Cover Crypto, New Platforms And Influencers

Hard on the heels of the EU adding a chapter on online marketing of financial services (including 'dark patterns' and influencers) to the Consumer Rights Directive, the UK's Financial Conduct Authority is also updating its 2015 guidance on financial promotions in the social media to address influencer marketing. This post summarises the FCA's proposed new social media guidance for information purposes only. If you require legal advice, please get in touch.

In substance, the FCA's guidance remains the same but adds specific guidance on 'new' design features and channels, such as influencers; and explains the impact of the new Consumer Duty.

The core principles of the FCA's view of social media remains, of course, that financial promotions must be fair, clear and not misleading as well as "standalone compliant": each stage of a financial promotion must comply with the financial promotion rules relevant to the type of business being promoted. Certain features of the social media have always raised issues, whether it be character limits, small or scrolling banners: 

When assessing the compliance of a promotion that is viewed via a dynamic medium (such as Instagram stories), we assess the promotion as a whole and take a proportionate view based on the number of frames and where information about risk is displayed within the promotion. To meet our expectations regarding prominence, firms should aim to display the key information about risk upon a consumer’s first interaction with the promotion and the warning should be displayed for a sustained period.

Complex services, like debt counselling may not lend themselves to social media promotion at all.

Use of memes may also be inappropriate or impracticable, given the nature of the invitation or inducement in the meme and/or the need for risk warnings and other information to be prominent and 'balanced'.

The Consumer Duty raises fresh considerations:

Firms advertising using social media must consider how their marketing strategies align with acting to deliver good outcomes for retail customers. All the cross-cutting rules will be relevant to social media promotions, and firms should take into account how promotions that do not support consumer understanding may cause consumers to buy products that are unsuitable for them, leading to foreseeable harm... 
Firms’ communications should support and enable informed decision-making, equipping consumers with the right information in a timely way. Firms must also consider how they tailor communications to account, for example, for the likely audience on social media and the features of different platforms.

Firms remain responsible for any original non-compliance, even if a promotion is forwarded or shared (whether as part of a formal affiliate programme or by random recipients). This can itself trigger a breach of financial promotions rules (e.g. forwarding to the wrong type of investor). For that reason, the social media may not be an appropriate channel at all.

And just because somebody 'likes' an ad or 'follows' the firm in the social media does not mean they are no longer protected from 'cold calling':

...a financial promotion is likely to be non-real time if it is made or directed at more than one recipient in identical terms, creates a record which is available to the recipient at a later time, and is made by way of a system which in the normal course does not enable or require the recipient to respond immediately. This means channels like live-streams or gaming steams are likely to be considered a non-real time promotion and be subject to the full scope of our financial promotion rules.

A specific chapter of the guidance covers influencers, who have also been the target of the Advertising Standards Authority.

This post summarises the FCA's proposed new social media guidance for information purposes only. If you require legal advice, please get in touch.

Thursday, 13 July 2023

EU Payments Regulation: Updating EMD2 and PSD2


My piece for Ogier Leman on the EU's proposal to replace existing directives on e-money and payment services is here.

As reported last July, the EU has been reviewing the way it regulates payment services. That process has now resulted in a proposal for a new legislative approach: a directly applicable Regulation (PSR3) governing how payment services must operate and a Directive (PSD3) governing the licensing and supervision of payment service providers, which will need to be transposed into local law. There is also a proposal to regulate the sharing of financial data, which we'll cover separately. The differences in approach are broadly summarised below for information purposes. It is not yet fully clear when the proposed legislation will be finalised or take effect. If you require legal advice on the potential impact, please let us know.

How does the EU regulated payment services now?

Payment services are currently regulated under a single Payment Services Directive (PSD2) that is applied by local legislation in each Member State. Electronic money issuers are regulated partly under the second Electronic Money Directive (EMD2), also implemented in each Member State, and their services must also comply with PSD2. These are 'maximum harmonisation' directives, meaning that Member States may only deviate when regulating within their scope to the extent they are expressly permitted to do so.

Has PSD2 been successful?

PSD2 has helped with fraud prevention, via the Strong Customer Authentication (SCA); and has improved efficiency, transparency, competition and choice for customers. 

Problems remain, however:

  • an imbalance between bank and non-bank PSPs (e.g. in terms of direct access to key payment systems); 
  • limited uptake of payment initiation and account information services (‘open banking’ or OB); 
  • many services remain national rather than cross-border; 
  • anticipated cost reductions have not fully materialised;
  • consumers are still at risk of fraud and lack confidence;
  • open banking needs work;
  • local regulators have inconsistent powers and obligations;
  • a fragmented internal market for payments results in “forum shopping”.

As a result, the EU has four main objectives in relation to payment services:

1. Strengthen user protection and confidence in payments;

2. Improve the competitiveness of open banking services;

3. Improve enforcement and implementation in Member States;

4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.

The EU plans to meet these objectives through a directly applicable Regulation and a Directive that must be implemented in each Member State.  

Specific proposals - New Regulations (PSR3)

Scope and definitions

PSR3 won't change the list of payment services in PSD2 and leaves the exclusions largely unchanged (although there are potential issues relating to the commercial agent's exclusion, given the addition that the agreement appointing the agent must give the payer or payee "a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services"). There is also an addition to the group company exclusion to also allow for one company to collect funds from others within the group to pay them away to a third party PSP.

There are more definitions and clarifications of certain terms (new definitions of Merchant Initiated Transactions (MITs) and of Mail Orders or Telephone Orders (MOTOs)). 

There's an attempt to differentiate between ‘initiation of a payment transaction’ and ‘remote initiation of a payment transaction’.

PSP Access to Payment Systems/Accounts

Payment system operators must grant access to PSPs on proportionate, objective and non-discriminatory grounds. 

Rules concerning PSP rights to account with a credit institution are reinforced (given the importance for them to have a bank account to obtain their license) for institutions and their agents and distributors. 

Transparency of conditions and information requirements

Member states will no longer be able to flex the limits for exempting low-value payment instruments and e-money from certain information requirements.

Customers must be given notice of Alternative Dispute Resolution procedures in contract terms that apply to single payment transactions.

PSPs must unambiguously identify the payee, including any commercial trade name in payment account statements. 

Where payment services are offered jointly with supporting technical services any termination fees that apply to the technical services must also be in the payment services contract.

There are additional information requirements for domestic ATM withdrawals.

PSPs must provide customers sending money from the EU to non-EU countries with the estimated time funds will be received by payee's PSPs; and the estimated currency conversion charges must be expressed in the same way as for credit transfers within the EU (a percentage mark-up over the latest available euro foreign exchange reference rates issued by the ECB).

Rights and obligations 

The prohibition on surcharging customers for using certain consumer payment methods extended to credit transfers and direct debits in all currencies of the EU (though member states - and the UK - have implemented such bans with differing scope in any event).

The rules for merchant-initiated transactions (MITs) and direct debits will have the same consumer protection, such as refund rights.

Open banking (account information services and payment initiation services)

Key changes here include: 

  • a dedicated interface for open banking data access;
  • removing the requirement on account servicing PSPs (ASPSPs) to maintain a ‘fallback’ interface. 
  • ASPSPs must offer customers a “dashboard” allowing the withdrawal of data access from any given open banking provider.
  • confirmation on the availability of funds has been removed as a stand-alone open banking service, due to lack of demand.

Authorisation of payment transactions and 'push payment' fraud

A payee's PSP must, on request, provide the customer with a service that checks that the unique identifier of the payee matches the name of the payee as provided by the payer, notifying the payer's PSP of any discrepancy, so it can alert the payer. Under SEPA, a similar provision is proposed for discrepancies between the name and unique identifier of a payee for instant credit transfers denominated in euro. 

For consistency, the new provision will also apply to ordinary credit transfers in all currencies of the Union and instant credit transfers in currencies which are not in euro. 

The notification must be given before the payer finalises the payment order and before the PSP executes the credit transfer. The user remains free to decide whether to submit the payment order for a credit transfer in all cases.

PSPs must not unilaterally increase the spending limits on payment instruments.

Where funds are blocked on a payment instrument for payment transactions where the amount isn't known in advance, the amount blocked must be proportionate to the amount reasonably expected at the time of blocking; and the payee must inform the blocking PSP of the exact amount of the payment transaction immediately after delivery of the service or goods to the payer. 

A PSP can only refuse to refund an unauthorised payment transaction for which it is liable where it has reasonable grounds for suspecting fraud by the payer, in which case the PSP must provide the justification and indicate the bodies to which the payer may complain. 

A payer's PSP will be liable for the full amount of a credit transfer where the PSP has failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer. 

A PSP will be liable where a consumer has been manipulated into authorising a payment transaction by a third party pretending to be an employee of the consumer’s PSP using lies or deception. 

An obligation for electronic communications services providers to cooperate with PSPs is introduced, with a view to preventing such fraud. Where the liability is attributable to the payee's PSP, it must refund the financial damage incurred by the payer's PSP. 

Strong Customer Authentication (SCA)

Technical service providers and operators of payment schemes will be liable where they fail to support SCA.

A payer shall not bear any financial losses where either their PSP or the payee's PSP applies any of the exemptions from the need for SCA (e.g. for up to 5 contactless transactions).

PSPs must have transaction monitoring mechanisms for the application of SCA and to improve the prevention and detection of fraudulent transactions. The monitoring must take into account the customer's normal use of the personalised security credentials, including environmental and behavioural characteristics related to the customer's location, time of transaction, device being used, spending habits and the online store where the purchase is carried out.

PSPs may exchange personal data, like unique identifiers of a payee, subject to information sharing arrangements, subject to a data protection impact assessment and, where necessary, prior consultation with the local regulator.

SCA is needed for MITs at set-up of the mandate, but not for subsequent MITs. 

Only the non-digital initiation of a payment transaction can escape the SCA obligations, so some MOTO transactions could be caught. But payment transactions based on paper-based payment orders, mail orders or telephone orders placed by the payer should still be subjected to security standards and checks by the payer's PSP to prevent circumvention of SCA requirements. 

The scope of SCA exemption for direct debits has been narrowed; while a new obligation requires SCA where a mandate is placed through a remote channel with the direct involvement of a PSP.

SCA is only required for account information services on the occasion of the first data access; but must be applied , at least every 180 days where customers access aggregated account data on the AISP’s domain.

Provisions have been added to improve the accessibility of SCA, including for persons with disabilities, older persons, persons with low digital skills and those who don't have access to digital channels or a smartphone.

There is a provision requiring payment service providers and technical service providers to enter into outsourcing agreements in cases where the latter provide and verify the elements of SCA (note that such outsourcing agreements, if regarded as 'critical or important' must include certain provisions under EBA guidelines).

Execution of payment transactions

In cases where a payment initiation service provider (PISP) provides an incorrect unique identifier of a payee, the PISP is liable for the amount of the transaction.

Data protection

A new provision defines the substantial public interest for which processing special categories of personal data could be necessary in this context.

Product intervention powers of the European Banking Authority

The EBA may temporarily ban the sale of certain payment products that present certain risks on the basis of specific criteria.

Transition

Basically, the PSR3 will apply 18 months and 20 days after publication in the Official Journal.

Specific Proposals - New Directive (PSD3)

Scope and definitions

The new Directive repeals EMD2 and integrates E-money institutions (EMIs) as a sub-category of payment institutions (PIs). 

PSD3 contains provisions relating to cash withdrawal services provided by retailers (without a purchase) or by independent ATM deployers will.

PSD3 governs access to the offer of payment services and electronic money services by PIs but not by credit institutions (banks). 

Licensing and supervision of PSPs

The procedures for application for authorisation vs registration and controls on ownership are mostly unchanged but consistent for all types of PI (including ex-EMIs) and a winding-up plan ('living will') must be submitted on application. 

PISPs/AISPs may hold initial capital instead of a professional indemnity insurance (which can be hard to obtain). 

Requirements for initial capital are updated for inflation since 2015 (except for PISPs): €150,000 for most PIs and €400,000 for those issuing e-money. Ongoing capital ('own funds') calculations remain the same (even for ex-EMIs).

Safeguarding rules for PIs are unchanged (and apply to e-money issuers) except for the extra option of safeguarding in an account of a central bank (at the CB's discretion); and PSPs must endeavour to avoid concentration risk (with EBA regulatory technical standards on risk management of safeguarded funds). 

There are more detailed provisions on internal governance, including EBA guidelines.

Provisions regarding agents, branches and outsourcing are unchanged, but with a new definition of e-money 'distributors' and related provisions aligned with those applicable to agents.

Provisions on cross-border provision of services by PIs, and the supervision of such services are broadly unchanged except for specific provisions where three Member States are involved (where the PI is established in one state, has an agent in another which provides services in a third Member State on a cross-border basis).

Cash Withdrawals

There's an exemption from PI licensing for operators of retail stores that offer voluntary cash withdrawal services without a purchase on their premises up to EUR 50 (to avoid unfair competition with ATM deployers).

Distributors of cash via ATMs who do not service payment accounts (“independent ATM deployers”) only need to register rather than be fully licensed as PIs.

Transition arrangements

Existing licenses for PIs and EMIs are “grandfathered” for 30 months after PSD3 enters into force (i.e. one year after the deadline for Member States to transpose the directive into local law on condition that they apply for a license under PSD3 no more than 24 months after entry into force).

PSD3 is a full harmonisation directive. The deadline for Member States to transpose it will be 18 months after entry into force.  A review report must be presented 5 years after the entry into force, looking specifically at the possible extension to 'payment systems' (which are regulated by the UK, for example) and 'technical services', as well as the impact of the safeguarding rules on deposit guarantee schemes.

The differences in approach are broadly summarised for information purposes. If you require legal advice on the potential impact, please let us know.

Tuesday, 11 July 2023

A New Framework For Transferring Personal Data From the EU to the US

My piece for Ogier Leman on this is available here.

From 1 January 2021, any EEA-based organisation wishing to transfer personal data from the EEA to any non-EEA country will need to be able to show that the processing will receive the same protection as under EU's General Data Protection Regulation (GDPR). Many firms might consider this to be impracticable from a cost and administration standpoint, particularly in light of certain new recommendations on which the EU data protection authorities are now consulting. These are briefly explained below. This will affect "thousands" of firms and could prove severely disruptive for cross-border services ranging from payroll and benefits, to e-commerce marketplaces to social media services. If you need assistance in Ireland/EEA please let us know.

Options for transferring personal data from the EEA  

An EEA-based business can only transfer personal data to a non-EEA country, if one of three situations apply: 

  1. the European Commission has ruled that country's personal data protection laws to be ‘adequate’;
  2. there are appropriate safeguards or 'transfer tools' in place to protect the rights of data subjects (including 'Standard Contractual Clauses'); or
  3. certain 'derogations' or exemptions apply to allow the processing as of right.  

No adequacy decision for the UK in the near term

Like the US, the UK as a key example of a non-EEA country without an adequacy finding. For many reasons it is best to assume there will not be an EU adequacy decision relating to the UK’s data protection regime by 1 January 2021, as that process is long and complex, and there are some features of the UK regime which present significant problems, including: 

  • the UK’s use of mass surveillance techniques;
  • intelligence sharing with other countries such as the US;
  • the questionable validity of the UK immigration control exemption;
  • the lack of a ‘fundamental right’ to data protection under UK law; 
  • UK adequacy findings for other countries’ personal data regimes that the EU does not deem adequate; and 
  • the potential for future divergence from EU data protection standards if the UK GDPR is further modified post Brexit. 

The Problem with Standard Contractual Clauses

As a result of the decision of the European Court of Justice in the case against Facebook (‘Schrems II’), a data exporter relying on Standard Contractual Clauses (or other contractual 'transfer tools') must first verify that the law of the third country ensures a level of protection for personal data that is equivalent to GDPR. If that level is considered sub-standard, the data exporter may be able to use certain measures to plug the gaps, but this process would need to be carefully documented and is the subject of the main recommendations from the European data protection authorities, discussed below.  

The extent to which you can usefully rely on the derogations, either before considering the other appropriate safeguards or 'transfer tools', or if those other options are not available, is also somewhat doubtful, as I will explain.

Assessing whether personal data transfers outside the EEA are appropriate 

To help data exporters evaluate whether the use of transfer tools will be appropriate, the forum of all the EEA data protection authorities (the European Data Protection Board or 'EDPB'), is now consulting on recommendations for: 

The EDPB's first set of recommendations contain steps outlined below. The European Essential Guarantees enable data exporters to determine if the rights for public authorities to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data. Basically:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to  be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

The steps involved in assessing the appropriateness of transfer tools must be documented. These involve:

  • mapping the proposed transfers;
  • choosing the basis for transfer (adequacy decision, 'transfer tool' or derogation);
  • unless an adequacy decision has been made by the EU, working with the data importer to assess whether the law or practice of the third country may impinge on  the  effectiveness  of  the  appropriate  safeguards  of the  transfer tools you are relying  on,  in  the context  of  your  specific  transfer (legislation, especially where ambiguous or not  publicly  available; and/or certain reputable third party findings such as those in Annex 3),  and not rely  on  subjective factors such as the perceived likelihood of public authorities’ access to your data in a manner not in line with EU standards;
  • considering whether any supplementary tools might avoid any problems with the third country's laws (various use-cases and suggested tools are explained in the Annex 2 to the recommendations);
  • taking any formal steps to implement the relevant tool;
  • re-evaluate the assessment periodically or on certain triggers, such as changes in the law (which you should also oblige the data importer to keep you informed about).

Data exporters must thoroughly record their assessment process in the context of the transfer, the third country law and the transfer tool on which they propose to rely. But it may not be possible to implement sufficient supplementary measures in every case, meaning the transfer must not proceed. As the Commission points out, there are "no quick fixes, nor a one-size-fits-all solution for all transfers." 
 

The problem with relying on 'derogations' 

The EDPB's first set of recommendations state (at para 27) that "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with... ” assessing whether the proposed transfer tool is effective. However, that order of approach is not consistent with Article 49, which provides that:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

 

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

...

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued. 
 

In addition, the EDPB's own guidance on article 49 itself points out (on pages 3-4) that: 

“Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached…Hence, data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 [adequacy] and 46 [transfer tools] GDPR, and only in their absence use the derogations provided in Article 49 (1)” [but even then the use of the derogations would imply the need for an assessment of the third country’s personal data protection regime by virtue of article 44].

[explore?]

Accordingly, there seems to be no alternative to running through the steps to assess whether the relevant 'transfer tools' will work (with or without supplementary measures) in the context of the transfer and the third country's law. Yet, as we've seen, many firms will likely find that process impracticable from a cost and administration standpoint, so transferring the personal data out of the EEA will not be an option.