Third-country transfers have become the backbone of nearly all businesses, however restrictively the notion of a "transfer" of data is understood. Chapter IV of Directive 95/46/EC already stipulated that personal data must not be transferred without adequate safeguards, so the underlying ideas and concepts are not new. But since Safe Harbor was declared void by the Court of Justice of the European Union in 2015, the data protection community and, ultimately, businesses have become keenly aware that one should not rely on a single mechanism to safeguard data transfers.
The recent "Schrems II" ruling of the Court of Justice of the European Union turned well-established procedures and mechanisms inside out. Privacy Shield was struck down, and many organizations now face legal uncertainty about third-country transfers of personal data. This is especially true because the "Schrems II" ruling also casts doubt on the validity of standard contractual clauses (SCCs) and obliges companies to assess the level of data protection in the recipient country, not only for EU-U.S. transfers but for all international data transfers based on SCCs.
Apart from the impractical tool of "consent," it is still unclear whether any existing mechanism currently allows personal data to be transferred safely to a third country where there is no corporate relationship with the recipient. The SCCs have not been updated since the GDPR came into force, nor have clauses been developed for the urgent needs of processor chains, i.e., the processor-to-processor setting. In light of this uncertainty around SCCs, organizations around the world are eager to find new, stable mechanisms for international data transfers.
One tool for safeguarding transfers of personal data to third countries that was newly introduced by the EU General Data Protection Regulation is a dedicated, approved code of conduct pursuant to Article 46(2)(e). There are currently no codes of conduct for third-country transfers on the EU market, but privacy experts have pushed for their implementation as an alternative in the wake of the "Schrems II" ruling. Industry is not alone in looking at codes of conduct: the European Data Protection Board also plans to publish guidance on third-country transfer codes later this year.
But what are the specific benefits of codes of conduct for third-country transfers? What are the main differences from other transfer mechanisms, such as SCCs or binding corporate rules (BCRs)? And what must industry and practitioners consider when developing such a code?
A main benefit of codes of conduct is that they can be developed by the organizations and businesses that are constantly building GDPR compliance measures into their products and procedures. This opens the door to solutions that combine innovation-friendly approaches, state-of-the-art practices and a robust data protection implementation. Codes of conduct therefore follow a bottom-up logic, gathering effective and practical solutions, and are thus likely to see broad market adoption, providing significant added value for the market and for GDPR implementation.
Codes of conduct are often wrongly thought of as "just another self-regulatory approach," which, especially in the context of the GDPR, is not the case. Substantively, codes of conduct must pass the scrutiny of data protection supervisory authorities as part of a robust approval procedure. Once a code is approved, it is not enough to self-declare compliance. Instead, compliance with the code is monitored and enforced by an independent monitoring body, as foreseen in Article 41 of the GDPR. Monitoring bodies must in turn be accredited by supervisory authorities, guaranteeing the independence, expertise and adequate, rigorous enforcement of each monitoring body. From the perspective of effective and trusted implementation of the GDPR, this puts codes of conduct far ahead of SCCs and Privacy Shield, which rely on the idea of (assisted) self-assessment. The Court of Justice of the European Union and many privacy advocates have criticized those mechanisms because their enforcement and independent oversight were considered too weak. That criticism does not apply to codes of conduct.
In line with this bottom-up approach, another key differentiator is the legal requirement to take account of "the specific needs of micro, small and medium-sized enterprises" (Article 40 of the GDPR), which makes codes of conduct particularly interesting for startups and smaller players that often cannot rely on tools such as BCRs because of limitations in staff and budget.
Reflecting on the "Schrems II" decision, it is not yet clear what will count as adequate supplementary measures. A wide-ranging discussion is taking place about the level of detail and rigor that will be required after "Schrems II." What constitutes proper due diligence and third-country transfer management? Nor is it clear whether the actual performance of individual due diligence can be outsourced.
Codes of conduct, complemented by an independent monitoring body, could fill this gap in practicability, and even feasibility, by providing relevant support for data exporters and importers alike. The many benefits of codes of conduct as third-country transfer tools are promising for the future adoption of this mechanism, and a first initiative to develop such a code of conduct for third-country transfers has already been announced.
The EDPB's guidance on third-country transfer codes is awaited with great anticipation by privacy professionals around the globe as the aftermath of "Schrems II" continues to reverberate.