Greetings from Brussels!
The WP29 has recently released additional guidance on the application of Article 49, Derogations for specific situations, of the GDPR. The document itself builds on the working party guidance previously undertaken, regarding the question of derogations in the context of cross-border transfers of personal data to third countries. Notably, the document reiterates that when applying the provisions of Article 49, one must bear in mind the "general principles for transfer" foreseen under Article 44 of the GDPR, which denote that any transfer of personal data to third countries or international organizations must also meet the conditions of all relevant provisions of the GDPR. The full transcript of the guidance can be found here.
I was interested to read the section on consent, and while the consent principle is extensively covered in other areas of the GDPR and WP29 guidance documentation, this particular document focuses on other specific additional elements required for consent to be considered as a "valid and legal" basis for international data transfers to third countries and international organizations.
For example, in the absence of an adequacy decision or of appropriate safeguards, such as BCRs, the transfer of personal data can be made on the condition that "the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and/or appropriate safeguards." The important word here is "explicit": The GDPR requires explicit consent in situations where particular data protection risks may emerge and where, therefore, a high level of individual control over personal data is required. In a given scenario of international transfer and in the absence of "adequate measures," the risks are deemed sufficiently high to require explicit data subject consent.
Another interesting mention in the document is in relation to consent being "specific" for any given international data transfer or set of transfers in question. In general, while there is an emphasis on the terms of "specific" and "informed" consent, notably the guidance document acknowledges that specific consent for transfer may not always be obtained at the time of data collection and in advance of an international transfer to a third country. However, it mandates that any given data exporter must put in place the measures to obtain the relevant consent even if it is "after the fact."
This is integrally tied to the requirement that consent be "informed," in line with the GDPR provisions (Article 6.1) that apply where consent is relied upon as a lawful basis for a data transfer: the data subject must be properly informed, in advance, of the specific circumstances of the transfer. In the case of an international transfer and in the absence of adequate measures, the data subject will be informed that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for their data are being implemented. This, in turn, allows for informed data subject consent, without which the derogation will not apply.
Clearly, the GDPR sets a high threshold for the use of the consent derogation for international cross-border transfers. This, combined with the fact that the data subject's consent can be withdrawn at any time, raises the question of whether consent is a feasible long-term solution for transfers to third countries.
The guidance goes on to treat additional Article 49 provisions for transfer, including "important reasons of public interest" recognized by EU or member state law, as well as transfers necessary for the purposes of compelling legitimate interests pursued by the controller that are not overridden by the interests or rights and freedoms of the data subject. These too require a level of scrutiny. The guidance is worth the read, and if you feel compelled to comment on any of the substance, you may do so by sending your comments to the WP29 Secretariat by March 26.