The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. Because it is a regulation rather than a directive, the GDPR is directly applicable in each member state without national implementing legislation and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the fourth in a series of articles addressing the top 10 operational impacts of the GDPR.
Cross-border data transfers: Adequacy and beyond
The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.
Important distinctions between the GDPR and the Directive bear noting, however. In particular, the GDPR explicitly recognizes BCRs for controllers and processors as a valid transfer mechanism, which will be helpful for data transfers involving those member states that do not as yet recognize BCRs. Standard contractual clauses, which in a number of member states previously required prior notice to or approval by the data protection authority, may now be used without such prior approval. Further, a newly introduced scheme in Article 42 allows for transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards.
In addition to facilitating international data transfers through new mechanisms, the GDPR also makes clear in Article 48 that a judgment of a third-country court or a decision of a third-country administrative authority requiring a transfer or disclosure of personal data is recognized or enforceable in the EU only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a member state. A foreign legal demand on its own is therefore not a lawful basis for transfer. The GDPR also imposes hefty monetary fines for transfers in violation of the Regulation.
Editor’s Note: This piece was informed in part by a training created by Wilson Sonsini Partner and Brussels Privacy Hub Co-Chair Christopher Kuner for the IAPP’s GDPR Comprehensive.
Transfers with an adequacy decision
Chapter V (Articles 44 through 50) of the GDPR governs cross-border transfers of personal data. Article 44 states the general principle that any transfer must comply with the chapter; Article 45 states the conditions for transfers with an adequacy decision; Article 46 sets forth the conditions for transfers by way of appropriate safeguards in the absence of an adequacy decision; Article 47 sets the conditions for transfers by way of binding corporate rules; Article 48 addresses situations in which a foreign tribunal or administrative body has ordered a transfer not otherwise permitted by the GDPR; Article 49 states the conditions for derogations for specific situations in the absence of an adequacy decision or appropriate safeguards; and Article 50 addresses international cooperation between supervisory authorities.
These articles mirror the data controller’s or processor’s menu of choices for GDPR-compliant personal data transfers, in descending order of preference and likely in ascending order of expense. In other words, only if data is transferred to a country not deemed “adequate” does the controller or processor need to turn to the other options.
Under the Directive, only approved third countries were appropriate to receive personal data transfers outside the member states. The GDPR allows transfers not only to third countries, but also to a territory or a specified sector within a third country, or to an international organization, provided they have been awarded the Commission’s adequacy designation. Once the Commission confers (or retracts) an adequacy designation, the decision binds all EU member states.
The Schrems case (C-362/14) raised the bar required for an adequacy decision to “essential equivalence.” Recital 104 confirms that a Commission adequacy decision means that the third country or specified entity ensures “an adequate level of protection essentially equivalent to that ensured within the [European] Union.” The Commission considers myriad factors in determining adequacy, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order, and criminal law.
Transfers to an “adequate” entity may take place without any specific authorization by the Commission or member states (Article 45(1)). Adequacy decisions are also subject to periodic review, at least every four years under Article 45(3), to determine whether the entity still ensures an adequate level of data protection (Recital 107). In the periodic review, the Commission consults with the entity and considers relevant developments in the entity and information from other relevant sources such as the findings of the European Parliament or Council (Recital 106). Where protection is no longer adequate, the Commission may repeal, amend or suspend the decision.
Transfers by way of appropriate safeguards
Similar to the Directive, the GDPR provides mechanisms for cross-border data transfers in the absence of an adequacy designation if the controller or processor utilizes certain safeguards. Under Article 46, appropriate safeguards include:
- Legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules in accordance with article 47.
- Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).
- Standard data protection contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2).
- An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
- An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Standard data protection contractual clauses
Changes to the requirements for standard data protection contractual clauses reduce their administrative burden. Under the GDPR, these clauses do not require prior authorization of supervisory authorities and such clauses can be adopted by the European Commission as well as by national supervisory authorities. Existing standard contract clauses may remain valid, but the GDPR leaves open the possibility of their repeal.
Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus are potentially a less attractive option for controllers.
Codes of conduct and certification mechanisms
In Article 46, the GDPR lists two new appropriate safeguards — codes of conduct and certification mechanisms — that have general application to both controllers and processors.
Codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards. Under the GDPR, such codes may be prepared by associations or other bodies representing controllers or processors, and may be drawn up to address many aspects of the GDPR including international data transfers. Adherence to these codes of conduct by controllers or processors not otherwise subject to the Regulation, but involved in the transfer of personal data outside the EU, will help a regulated controller demonstrate appropriate safeguards. Draft codes of conduct must be submitted to the competent supervisory authority for approval pursuant to Article 40. An accredited and competent body may, under Article 41, monitor compliance with a code of conduct.
Data protection certification, seals, and marks may be developed, ideally at the Union level, to demonstrate a controller’s or processor’s adherence to certain standards. Like the codes of conduct, certification is available to controllers and processors outside the EU provided they demonstrate, by contractual or other legal binding instruments, their willingness to adhere to the mandated data protection safeguards. As further described in Articles 42 and 43, the certification mechanisms, seals, and marks require further action by the European Data Protection Board, which may develop a common European Data Protection Seal and which will also be responsible for publishing information about certification registrants in a common and publicly available directory.
Look for more IAPP examination of these two new mechanisms in future operational examinations.
BCR-specific provisions
The GDPR — unlike the Directive — explicitly lists BCRs as an appropriate safeguard in Article 46 and provides detailed conditions for transfers by way of BCRs in Article 47. Those provisions specify that BCRs require approval from a supervisory authority in accordance with the consistency mechanism in Article 63 and govern what must be included in BCRs at a minimum, such as structure and contact details for the concerned group, information about the data and transfer processes, how the rules apply general data protection principles, complaint procedures, and compliance mechanisms.
BCRs are a favored mechanism in practice because of their flexibility, and their lower administrative burden once implemented. Article 4(20) and Recital 110 also allow a corporate group or group of enterprises engaged in joint economic activity to use the same BCR structure for international data transfers.
Derogations for specific situations
Article 49 sets out the derogations or exceptions from the GDPR prohibition on transferring personal data outside the EU without adequate protections. The derogations generally parallel those in the Directive along with a new derogation for acceptable transfers for the “compelling legitimate interests” of the controller. The derogations apply when:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that, according to EU or member state law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.
A final derogation allows for the greatest flexibility but also, like the GDPR regime generally, requires careful and consistent internal documentation. It provides that where a transfer could not be based on an adequacy decision, standard contractual clauses, BCRs, or any of the other derogations, a transfer to a third country or an international organisation may take place only if the transfer is “not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.” Article 49(1) further requires the controller to inform the supervisory authority of the transfer and to inform the data subject of the transfer and of the compelling legitimate interests pursued, in addition to the notice otherwise required under Articles 13 and 14.
Such language is subject to broad interpretation by the data controller and regulators alike, suggesting data protection officers and supervisory authorities should work together to develop examples that will guide controllers in their documentation and decision-making.
From unambiguous to explicit consent
In the derogations above, the GDPR shifted from the Directive’s “unambiguous consent” to a higher standard of “explicit consent.” Unambiguous consent allows the data subject to express her wishes either by a statement or by a clear affirmative action (Article 4(11)). The standard for explicit consent, which likely carries over the meaning applied under the Directive, requires a data subject to “respond actively to the question, orally or in writing,” as described by the Article 29 Working Party.
Notice
Pursuant to Article 13 (and, where the data are not obtained from the data subject, Article 14), controllers must provide certain information to data subjects when their information is obtained. This explicitly includes (a) the fact that the controller intends to transfer personal data to a third country or international organization; (b) the existence or absence of an adequacy decision by the Commission; and (c) for transfers under Article 46, Article 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which the data subject can obtain a copy of them or where they have been made available. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and as otherwise required by Article 12.
Monetary fines
Perhaps one of the most significant implications of the GDPR is that, unlike under the Directive, failure to comply with the GDPR’s international data transfer provisions may result in hefty fines.
Violations of the data transfer provisions in Articles 44-49 are subject to the steeper of the two administrative fine tiers in the GDPR (Article 83(5)(c)). Such violations may result in “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” The factors considered under Article 83(2) in deciding whether to impose a fine and its amount include the nature, gravity and duration of the infringement; its intentional or negligent character; actions taken to mitigate the damage suffered by data subjects; the degree of responsibility of the controller or processor; any relevant previous infringements; the degree of cooperation with the supervisory authority; the categories of personal data affected; the manner in which the infringement became known to the supervisory authority; compliance with measures previously ordered against the controller or processor; adherence to approved codes of conduct or certification mechanisms; and any other aggravating or mitigating factor.