The Article 29 Working Party has released an update to Chapter 1 of its working document on transfers of personal data to third countries. The new document is designed to bring the Working Party’s guidance to the European Commission on “the adequate level of data protection” up-to-date in light of the General Data Protection Regulation and recent case law from the Court of Justice of the European Union.
The working paper is open for comment until Jan. 17, 2018. The final version will reflect the Working Party’s views on how the level of data protection in third countries should be assessed in accordance with Article 45 of the GDPR, which limits transfers of personal data only to third countries and international organizations that the Commission has decided provide an adequate level of protection. While the paper is intended to provide guidance to the Commission, the Working Party also acknowledges it may "guide third countries and international organizations interested in obtaining adequacy."
The paper is divided into four chapters, each of which is briefly summarized below.
Chapter 1: Some broad information in relation to the concept of adequacy
The Working Party notes that the concept of “adequate protection” predates the GDPR, having existed under the Data Protection Directive. The CJEU set the standard for adequacy in Schrems I, where it determined that an “adequate” third country must guarantee privacy protection “essentially equivalent” to that offered within the European Union. The Working Party clarifies that this does not mean third countries must copy and paste the GDPR into their domestic laws to achieve adequacy, but instead should “establish the essential — core requirements” of the regulation.
The Commission must assess the rights afforded data subjects, the obligations imposed on processors and controllers, and the effective enforcement of such rules by independent bodies. The Working Party emphasizes that “[e]fficient enforcement mechanisms are of paramount importance to data protection rules.” The Working Party identifies two basic elements of adequacy: (1) the content of applicable rules, and (2) the means for ensuring their effective application. The Working Party also specifically notes the inadequacy of “general provisions regarding data protection and privacy.”
Chapter 2: Procedural aspects for adequacy findings under GDPR
As part of the Commission’s adequacy adjudication process, the European Data Protection Board (the Article 29 Working Party’s successor organization under the GDPR) must be provided with the materials used in the Commission’s decision, as well as “relevant correspondence and the findings made by the European Commission.”
The Working Party repeatedly emphasizes that adequacy is an ongoing status, rather than a one-time determination. The Commission is responsible for the periodic review of countries that have achieved adequacy, and the Working Party notes that under the GDPR reassessment must take place at least once every four years, although circumstances may dictate a shorter review cycle. Additionally, the Working Party notes that the EDPB would “appreciate” being invited to participate in any investigation, review process or review mission the Commission undertakes regarding a third country, and that the EDPB should be involved in any revocation of a country’s adequacy status.
Chapter 3: General Data Protection Principles to ensure that the level of protection in a third country, territory or one or more specified sectors within that third country or international organization is essentially equivalent to the one guaranteed by the EU legislation
The Working Party supplies a list of nine general features that the system of an international organization or third country must contain to support a finding of adequacy:
- Concepts — basic data protection concepts must exist.
- Grounds for lawful and fair processing for legitimate purposes — lawful grounds for processing must be set out in a “sufficiently clear manner.”
- Purpose limitation — processing should be for a specific purpose and subsequent compatible purposes only.
- Data quality and proportionality — data should be accurate and kept up-to-date.
- Data retention — a general rule that data should be “kept no longer than necessary” for the purposes of processing.
- Security and confidentiality — processors must ensure the security of personal data, “considering the state of the art and related costs.”
- Transparency — individuals should be informed of “all the main elements” of processing in a “clear, easily accessible, concise, transparent, and intelligible form,” with some exceptions as permitted by Article 23 of the regulation.
- The right of access, rectification, erasure and objection — data subjects should be able to confirm the existence of processing and obtain copies of information relating to them. Data subjects must be able to rectify inaccurate data or have data erased, and be able to object to processing, without the exercise of these rights being “excessively cumbersome.”
- Restriction on onward transfers — additional transfers of data are only permitted to recipients also subject to rules providing “adequate” protection.
Additionally, the Working Party specifies three types of “additional content principles” that apply to specific types of processing:
- Special categories of data — adequate countries must reflect the “special categories” enshrined in Articles 9 and 10.
- Direct marketing — data subjects must be able to object without charge to processing for direct marketing purposes at any time.
- Automated decision making and profiling — third countries must establish specific conditions for when automated processing (including profiling) that will produce legal effects (or substantially affect a data subject) can occur. These safeguards must include the right to be informed of a decision’s underlying reasons, a right to correct inaccurate or incomplete information and a right to contest decisions adopted on an incorrect basis.
Finally, the Working Party clarifies its earlier insistence on an effective enforcement structure by identifying four procedure and enforcement mechanisms that an adequate system must evince:
- Competent independent supervisory authority — one or more independent authorities must exist to enforce compliance with data and privacy protection. Adequacy requires independence and impartiality of these entities and mandates that their staff and budget be considered.
- Data protection system must ensure a good level of compliance.
- Accountability — controllers and processors must be obliged to comply with the data protection system and be able to demonstrate compliance to supervisory authorities.
- Support to individual data subjects in the exercise of their rights and appropriate redress mechanisms — data subjects must be able to enforce their rights rapidly and effectively and without prohibitive cost. Availability of judicial and administrative redress via a “system of independent adjudication or arbitration that allows compensation to be paid and sanctions imposed” is a “key element” of adequacy.
Chapter 4: Essential guarantees in third countries for law enforcement and national security access to limit interferences to fundamental rights
The Working Party recognizes that adequacy is a complicated subject in the realm of law enforcement and national security, but states that four guarantees “need to be respected for access to data … by all third countries in order to be considered adequate:”
- Clear, precise and accessible rules for processing.
- Necessity and proportionality with regard to the legitimate objectives pursued.
- Processing is subject to independent oversight.
- Effective remedies need to be available to individuals.
This final chapter makes particular note of the CJEU decision in Schrems that invalidated the Safe Harbor agreement with the United States. The Working Party notes that further guidance on adequacy as it pertains to countries that have verified Convention 108 and industry self-regulation will follow at a later date.