In the most recent blog post we tried to set out the context of some of the channels for transferring personal data outside the EU/EEA. The Schrems litigation supplied some of that context through its scrutiny of the Standard Contractual Clauses mechanism. Since the introduction of the GDPR the channels for transferring personal data to a third country or international organisation have changed.
Transfers of personal data to third countries or international organisations.
Since the GDPR came into force the law on transfers of personal data to third countries or international organisations (‘transfers’) is more settled. One caveat: the exact interpretation of the terms in the GDPR that relate to transfers may yet come before the Court of Justice for final clarification.
Art. 44 GDPR provides that a transfer may take place only if, subject to the other provisions of the Regulation, the conditions laid down in Chapter V are complied with by the controller and processor. The same applies to onward transfers from the third country or international organisation to another third country or international organisation. Chapter V lays down a plethora of conditions, which can be grouped as transfers:
- on the basis of an adequacy decision (Art. 45);
- subject to appropriate safeguards (Art. 46); or
- under the derogations for specific situations (Art. 49).
Transfers on the Basis of an Adequacy Decision
Art. 45 allows transfers where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer requires no specific authorisation. In practice this confers a broad discretion on the Commission in assessing adequacy, with the attendant risk that the assessment is subjective or politically influenced. It was the exercise of that discretion in declaring that an adequate level of protection existed (the Safe Harbour decision on the United States) that led to Schrems (Case C-362/14, 6 Oct. 2015) ending up before the CJEU, which declared that decision invalid. As a counterbalance to the Commission’s discretion, Art. 45(2) sets out three elements that the Commission must ‘in particular’ take into account when assessing the adequacy of the level of protection in the third country. The Commission publishes the list of countries and territories covered by an adequacy decision.
Elements to be taken into account to assess Adequacy
- ‘the rule of law, respect for human rights and fundamental freedoms…’ Legislation, both general and sectoral, is examined. Are there adequate protections when assessed in the light of legislation concerning public security, defence, national security and criminal law? What access do public authorities have to personal data, and how is that legislation implemented in practice? What data protection rules, professional rules, security measures and rules for onward transfer of personal data to another third country apply? Can data subjects obtain effective administrative and judicial redress where they have complaints about how their data are being transferred?
- ‘the existence and effective functioning of one or more independent supervisory authorities in the third country…’ The Commission should expect to see a supervisory authority responsible for ensuring and enforcing compliance with the data protection rules, equipped with adequate enforcement powers, able to assist and advise data subjects in exercising their rights, and cooperating with the SAs of the Member States. Responsibility for enforcement is not enough; the authority must have the powers to deliver on it. Toothless tigers are not wanted.
- ‘the international commitments the third country or international organisation concerned has entered into…’ These are a gauge of the value the third country places on international norms and rules. Scrutiny here covers the obligations arising from legally binding conventions or instruments to which the third country is party, and its participation in multilateral or regional systems, in particular those concerned with the protection of personal data.
In essence, the goal is a level of protection of personal data in the third country that is essentially equivalent, if not identical, to that available to data subjects in the EU/EEA. As the CJEU noted in Schrems, an appropriate balance must be struck between the powers assigned to authorities in the third country and the protection afforded to the persons whose personal data are being transferred. If the Commission is satisfied with the integrity and substance of data protection in the third country, it may then issue an Adequacy Decision. An Adequacy Decision must provide for a periodic review at least every four years (Art. 45(3)), must be monitored on an ongoing basis (Art. 45(4)), and can be repealed, amended or suspended (Art. 45(5)).
Transfers Subject to Appropriate Safeguards
In the absence of an Adequacy Decision a controller or processor may transfer personal data to a third country or international organisation only where:
- the controller or processor has provided appropriate safeguards; and
- on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
These appropriate safeguards can be provided in a number of ways, some of which need no specific authorisation from a Supervisory Authority (SA). Art. 46(2) lists those not needing SA authorisation:
- a legally binding and enforceable agreement between public authorities or bodies;
- binding corporate rules in accordance with Art.47 ( more below);
- standard data protection clauses adopted by the Commission (in accordance with the examination procedure referred to in Art. 93(2));
- standard data protection clauses adopted by an SA and approved by the Commission under the same examination procedure;
- an approved code of conduct pursuant to Art. 40 together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards;
- an approved certification mechanism pursuant to Art.42 together with the same binding and enforceable commitments as above.
Of those listed above the most common mechanisms are Binding Corporate Rules (BCRs) and Standard Data Protection Clauses. BCRs are “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (Art. 4(20)).
Recital 110 advises that a group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved BCRs for its international transfers from the Union to organisations within the same group, provided the BCRs include all essential principles and enforceable rights to ensure appropriate safeguards for the transfers of personal data. The competent SA approves BCRs in accordance with the consistency mechanism set out in Art. 63 (Art. 47(1)), while the Commission may specify the format and procedures for the exchange of information between controllers, processors and SAs for BCRs (Art. 47(3)). Otherwise approval is a matter for the SA.
Art. 47(1) sets three pre-conditions for any approval of BCRs. First, they must be legally binding, and apply to and be enforced by every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity, including their employees. Second, they must expressly confer enforceable rights on data subjects with regard to the processing of their personal data. Third, they must fulfil the requirements laid down in Art. 47(2).
The Content of the Binding Corporate Rules
This same Art. 47(2) lays down a comprehensive list of requirements for the content of BCRs. It is not within the scope of this blog to enumerate them all, but they should be examined carefully in the text of Art. 47(2). There is no hierarchy among the requirements, although some on their face seem more important than others. A detailed analysis of the requirements for Binding Corporate Rules is set out in the Article 29 Working Party’s working document on BCRs, which is a comprehensive treatment and an excellent reference for any query.
Some of the Requirements
To be valid and acceptable the BCRs must specify the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members. All data transfers or sets of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question, must be clearly set out in the BCRs. The general data protection principles must be applied, and the rights of data subjects must be expressly recognised, including the right to obtain redress and, where appropriate, compensation for a breach of the BCRs. The controller or processor established in a Member State must accept liability for any breaches of the BCRs by any member concerned not established in the Union. The other requirements are set out in Art. 47(2).
Standard Data Protection Clauses
For many organisations these clauses are the usual mechanism for transferring personal data to a third country or international organisation. They are relied on far more often than adequacy decisions, but they represent a minimum standard of data protection, and for that reason Recital 109 envisages that controllers and processors may add other clauses or additional safeguards, provided these do not contradict the standard clauses or prejudice the fundamental rights or freedoms of data subjects. The clauses set out the contractual obligations of the ‘Data Importer’ and the ‘Data Exporter’ and confirm the data protection rights of the individuals whose data are being transferred. Those individuals can enforce the rights directly against either party.
Standard clauses issued under the old Directive 95/46/EC remain in force until amended, replaced or repealed (Art. 46(5)). However, the European Commission has advised the European Data Protection Board (EDPB) that it is planning to update the clauses for the GDPR. The Commission has made available the sets of Standard Contractual Clauses issued to date.
Safeguard Mechanisms Requiring Specific Authorisation.
Other mechanisms allow for the transfer of personal data to a third country or international organisation, but these need prior specific authorisation from the competent SA (Art. 46(3)). Safeguards in these cases may be provided by (a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or (b) provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. The consistency mechanism referred to in Art. 63 applies to such authorisations (Art. 46(4)). For example, where an SA aims to authorise contractual clauses under Art. 46(3)(a) it must communicate the draft decision to the Board (i.e., the EDPB) (Art. 64(1)(e)).
Derogations for Specific Situations
Where there is neither an adequacy decision under Art. 45 nor appropriate safeguards under Art. 46, a transfer of personal data can still take place if one of the conditions set out in Art. 49(1) is fulfilled:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (these first three grounds do not apply to activities carried out by public authorities in the exercise of their public powers, Art. 49(3));
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case (and such a transfer must not involve the entirety of the personal data or entire categories of personal data contained in the register, Art. 49(2)).
Apart from explicit consent and the public register ground, each derogation depends on the transfer being deemed ‘necessary’. In practice the conditions are strictly interpreted and strictly applied, with the result that it is preferable to use one of the other mechanisms for transfers to third countries or international organisations. There is one final option if none of the other mechanisms or conditions is available.
‘Last Resort’ Transfers of Personal Data
Where a transfer cannot be based on an adequacy decision or appropriate safeguards, including binding corporate rules, and none of the derogations for specific situations applies, a transfer of personal data may still take place only if (Art. 49(1), second subparagraph):
- the transfer is not repetitive;
- the transfer concerns only a limited number of data subjects;
- the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, provided they are not overridden by the interests or rights and freedoms of the data subject; and
- the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards for the protection of personal data. In addition, the controller must inform the SA of the transfer and, over and above the information required by Arts. 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued. The assessment and the safeguards must be documented in the records of processing activities kept under Art. 30 (Art. 49(6)). Like the first three derogations, this ground is not available to public authorities acting in the exercise of their public powers (Art. 49(3)).
The Recitals regard this last basis as one to be relied on only ‘in residual cases where none of the other grounds for transfer are applicable…’ (Recital 113).
In most cases personal data transfers to third countries or international organisations are routine and uncomplicated. The complicated part is knowing whether those transfers are legally sound. The prudent route is to follow the text of Arts. 44-49 and to keep abreast of developments such as CJEU decisions. Should the UK leave the EU without an agreed deal, the UK will become a ‘third country’ for the purposes of the GDPR, and transfers of personal data to the UK will then have to follow one of the routes described in this blog.
Patrick Rowland, GDPRXpert.ie