The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the fourth in a series of articles addressing the top 10 operational impacts of the GDPR.
Cross-border data transfers: Adequacy and beyond
The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers are also allowed outside non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.
Important distinctions between the GDPR and the Directive bear noting, however. In particular, the GDPR explicitly acknowledges as valid the current requirements for BCRs for controllers and processors, which will be helpful for data transfers involving those member states that do not as yet recognize BCRs. Standard contractual clauses, which prior to the GDPR required prior notice to and approval by data protection authorities, may now be used without such prior approval. Further, a newly introduced scheme in Article 42 allows for transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards.
In addition to facilitating international data transfers through new mechanisms, the GDPR also makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. It also imposes hefty monetary fines for transfers in violation of the Regulation.
Editor’s Note: This piece was informed in part by a training created by Wilson Sonsini Partner and Brussels Privacy Hub Co-Chair Chrtistopher Kuner for the IAPP’s GDPR Comprehensive.
Transfers with an adequacy decision
Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data. Article 45 states the conditions for transfers with an adequacy decision; Article 46 sets forth the conditions for transfers by way of appropriate safeguards in the absence of an adequacy decision; Article 47 sets the conditions for transfers by way of binding corporate rules; Article 48 addresses situations in which a foreign tribunal or administrative body has ordered transfer not otherwise permitted by the GDPR; and Article 49 states the conditions for derogations for specific situations in the absence of an adequacy decision or appropriate safeguards.
These articles mirror the data controller’s or processor’s menu choices for GDPR-compliant personal data transfers in descending order of preference and likely in ascending order of expense. In other words, only if data is transferred to a country not deemed “adequate” does the controller or processor turn to the other options.
Under the Directive, only approved third countries were appropriate to receive personal data transfers outside the member states. The GDPR allows transfers not only to third countries, but also to a territory or a specified sector within a third country, or to an international organization, provided they have been awarded the Commission’s adequacy designation. Once the Commission confers (or retracts) an adequacy designation, the decision binds all EU member states.
The Schrems case (C-362/14) raised the bar required for an adequacy decision to “essential equivalence.” Recital 104 confirms that a Commission adequacy decision means that the third country or specified entity ensures “an adequate level of protection essentially equivalent to that ensured within the [European] Union.” The Commission considers myriad factors in determining adequacy, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order, and criminal law.
Transfers to an “adequate” entity may take place without further authorization by the Commission or member states. Adequacy decisions are also subject to periodic review to determine whether the entity still ensures an adequate level of data protection (Recital 107). In the periodic review, the Commission consults with the entity, and considers relevant developments in the entity and information from other relevant sources such as the findings of the European Parliament or Council (Recital 106).
Transfers by way of appropriate safeguards
Similar to the Directive, the GDPR provides mechanisms for cross-border data transfers in the absence of an adequacy designation if the controller or processor utilizes certain safeguards. Under Article 49, appropriate safeguards include:
- Legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules in accordance with article 47.
- Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).
- Standard data protection contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2).
- An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
- An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Standard data protection contractual clauses
Changes to the requirements for standard data protection contractual clauses reduce their administrative burden. Under the GDPR, these clauses do not require prior authorization of supervisory authorities and such clauses can be adopted by the European Commission as well as by national supervisory authorities. Existing standard contract clauses may remain valid, but the GDPR leaves open the possibility of their repeal.
Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus are potentially a less attractive option for controllers.
Codes of conduct and certification mechanisms
In Article 49, the GDPR lists two new appropriate safeguards — codes of conduct and certification mechanisms — that have general application to both controllers and processors.
Codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards. Under the GDPR, such codes may be prepared by associations or other bodies representing controllers or processors, and may be drawn up to address many aspects of the GDPR including international data transfers. Adherence to these codes of conduct by controllers or processors not otherwise subject to the regulation, but involved in the transfer of personal data outside the EU, will help a regulated controller demonstrate adequate safeguards. Draft codes of conducts must be submitted to the appropriate supervisory authority for approval pursuant to Article 38. An accredited and competent body may, under Article 41, monitor compliance with a code of conduct.
Data protection certification, seals, and marks may be developed, ideally at the Union level, to demonstrate a controller’s or processor’s adherence to certain standards. Like the codes of conduct, certification is available to controllers and processors outside the EU provided they demonstrate, by contractual or other legal binding instruments, their willingness to adhere to the mandated data protection safeguards. As further described in Articles 42 and 43, the certification mechanisms, seals, and marks require further action by the European Data Protection Board, which may develop a common European Data Protection Seal and which will also be responsible for publishing information about certification registrants in a common and publicly available directory.
Look for more IAPP examination of these two new mechanisms in future operational examinations.
The GDPR — unlike the Directive — explicitly lists BCRs as an appropriate safeguard in Article 46 and provides detailed conditions for transfers by way of BCRs in Article 47. Those provisions specify that BCRs require approval from a supervisory authority in accordance with the consistency mechanism in Article 63 and govern what must be included in BCRs at a minimum, such as structure and contact details for the concerned group, information about the data and transfer processes, how the rules apply general data protection principles, complaint procedures, and compliance mechanisms.
BCRs are a favored mechanism in practice because of their flexibility, and their lower administrative burden once implemented. Article 4(20) and Recital 110 also allow a corporate group or group of enterprises engaged in joint economic activity to use the same BCR structure for international data transfers.
Derogations for specific situations
Article 49 sets out the derogations or exceptions from the GDPR prohibition on transferring personal data outside the EU without adequate protections. The derogations generally parallel those in the Directive along with a new derogation for acceptable transfers for the “compelling legitimate interests” of the controller. The derogations apply when:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that, according to EU or member state law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.
A final derogation allows for the greatest flexibility but also, like the GDPR regime generally, requires careful and consistent internal documentation. It provides that where a transfer could not be based on standard contractual clauses, BCRs, or any of the other derogations, a transfer to a third country or an international organisation may take place only if the transfer is “not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.”
Such language is subject to broad interpretation by the data controller and regulators alike, suggesting data protection officers and supervisory authorities should work together to develop examples that will guide controllers in their documentation and decision-making.
From unambiguous to explicit consent
In these derogations above, the GDPR shifted from the Directive’s “unambiguous consent” to a higher standard of “explicit consent.” Unambiguous consent allows the data subject to express her wishes either by a statement or by a clear affirmative action (Article 4(11)). The standard for explicit consent, which likely carries over the definition applied under the Directive, requires a data subject to “respond actively to the question, orally or in writing” as defined the Article 29 working party.
Pursuant to Article 13, controllers must provide certain information to data subjects when their information is obtained. This explicitly includes (a) that the controller intends to transfer personal data to a third country or international organization; and (b) that such transfer is pursuant to an adequacy decision by the Commission; or (c) reference to the appropriate or suitable safeguards and the means for the data subject to obtain them. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and as otherwise required by Article 12.
Perhaps one of the most significant implications of the GDPR is that, unlike under the Directive, failure to comply with the GDPR’s international data transfer provisions may result in hefty fines.
Violations of the data transfer provisions in Articles 44-49 are subject to the steeper of the two administrative fine provisions in the GDPR. Such violations may result in “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” The factors considered for imposing a fine include “the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.”
Photo credit: GWP Virtual Network Meeting 2015 via photopin (license)
Looking to dive deeper into the General Data Protection Regulation to read the text regarding cross-border transfers for yourself? Find the full text of the Regulation here in our Resource Center.
You’ll want to focus on these portions:
(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States’ data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country’s or international organisation’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country’s accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or internationalorganisations.
(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. ….
(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. ….
(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. ….Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.
(110) A group of undertakings or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. ….
(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport.A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. ….
Article 4, Definitions
– 1 personal data
– 20 binding corporate rules
– 23 cross-border processing of personal data
– 26 international organisation
Article 13, Information to be provided where personal data are collected from the data subject
Article 14, Information to be provided where personal data have not been obtained from the data subject
Article 15, Right of access by the subject
Article 28, Processor
Article 30, Records of processing activities
Articles 40 and 41, Codes of conduct, Monitoring of approved codes of conduct
Articles 42 and 43, Certification, Certification bodies
Chapter V, Articles 44-50, Transfer of personal data to third countries or international oranisations
Article 70, Tasks of the Board
Article 83, General Conditions for imposing administrative fines
If you want to comment on this post, you need to login.