Review of the applicable law in light of current events
Transfers of personal data to third-party countries are one of the major issues of European protection of personal data due to the globalization of exchanges and the daily use of new technologies, mainly from the United States.
Although the notion of “data transfer” is not clearly defined in the GDPR, the authorities nevertheless wished to clarify this notion. A data transfer is commonly understood as “any communication, copy or movement of data in a country outside the European Union by an international organization.”
2020 and 2021 have been marked by numerous events and developments in this field: the invalidation of the Privacy Shield, Brexit, a new adequacy decision, the publication of new Standard Contractual Clauses, EDPS recommendations, etc.
Data Legal Drive proposes to focus on the basics while deciphering the latest evolutions and their consequences for companies.
Rules for international data transfer
The GDPR allows, at this time, the free circulation of personal data within the European Union without prerequisites or administrative formalities.
Data may be sent to a third-party country when an adequacy decision of the European Commission exists (Article 45 of the GDPR). An “adequacy decision” establishes that a third-party country, through its internal legislation, offers a level of personal data protection equivalent to that guaranteed within the European Union.
Such a decision therefore authorizes data flows from the European Union to the third country concerned without requiring a transfer instrument under Article 46 of the GDPR.
What criteria are used to determine adequacy?
An adequacy decision is based on the standard of essential equivalence. It involves an overall assessment of the country’s data protection framework in terms of the applicable data protection measures and the available supervisory or appeal mechanisms.
The Japanese example: Like several other third-party countries, Japan has been the subject of an adequacy decision by the European Commission since July 2018. Several elements motivated this decision, in particular the fact that Japan has recognized personal data protection as a fundamental right. In addition, several measures have been adopted, including a standard set of guarantees and individual rights, and supervision of the proper application of the legislation by an independent authority, the Personal Information Protection Commission.
When assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the elements described in Article 45(2), including the rule of law, respect for human rights and fundamental freedoms, the existence and effective functioning of one or more independent supervisory authorities in the third-party country, etc.
What if there is no adequacy decision?
Not all countries in the world are subject to an adequacy decision. The GDPR has therefore provided “fallback mechanisms” that allow “appropriate safeguards” to be put in place for such data transfers. The absence of an adequacy decision does not make the transfer impossible.
Article 46 of the GDPR states that the data controller or data processor may transfer personal data to a third-party country if appropriate safeguards are provided.
These appropriate safeguards can be of various kinds:
- Binding Corporate Rules (Article 47 of the GDPR): these are internally binding corporate rules relating to transfers of personal data to countries outside the European Union. They constitute an internal “code of conduct” within a corporate group, defining the data transfer policy for each of the entities that make up the group, employees included
- Standard Contractual Clauses (Article 93(2)) adopted by the European Commission, which have very recently been recast, as detailed below
- Codes of conduct approved following Article 40
- International agreements or administrative commitments
What if there are no appropriate safeguards?
In the absence of both an adequacy decision and appropriate safeguards, the GDPR provides a third way to transfer data to a third country. Article 49 of the GDPR, which is an exception to the general rules, provides for the possibility of transfers through “derogations for specific situations.” The derogations provided in this text therefore concern occasional, non-repetitive processing activities and must be interpreted restrictively.
Several derogation scenarios exist, including the fact that:
- The data subject has given their explicit consent to the proposed transfer
- The transfer is necessary for the performance of a contract between the data subject and the data controller
- The transfer is necessary for important reasons of public interest
As this list is not exhaustive, we refer you to Article 49 of the GDPR, which details all possible derogation scenarios.
Decoding – the “Schrems II” ruling of July 16, 2020, what are the consequences for companies?
On July 16, 2020, the CJEU, in its “Schrems II” judgment (named after Maximilian Schrems, who initiated the complaint to the Data Protection Commission), invalidated E.U. Commission Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield. As a reminder, this “shield” allowed the transfer of personal data between the European Union and American operators who adhered to the Privacy Shield principles.
In its ruling, the CJEU finds that the Privacy Shield does not provide an adequate level of protection under the GDPR and the Charter of Fundamental Rights of the European Union, considering that it is not sufficient to protect the personal data of European citizens against the National Security Agency (NSA) and US surveillance programs.
This ruling, however, has a broader significance. The CJEU also indicated that, as a general rule, Standard Contractual Clauses (SCCs) may still be used to transfer data to a third country. However, it is up to the exporter and importer to jointly assess whether the legislation of the third-party country provides a level of protection equivalent to that required by E.U. law.
The CJEU therefore requires a case-by-case assessment of the safeguards offered by an importer in a third country. Data controllers and supervisory authorities will thus be required to assess the effectiveness of the safeguards as applied by the importer, in light of the obligations imposed on the importer in the country concerned.
If this is not the case, companies will have to take additional measures to ensure adequate protection.
What about the United States?
Concerning the United States, the CJEU considers that U.S. law does not provide equivalent protection. Therefore, transfers based on the Standard Contractual Clauses will have to be accompanied by additional measures.
As in the case of the United States, third-party countries that do not provide appropriate safeguards will only be able to transfer data if additional measures are taken.
What are these additional measures?
In its Recommendation, the EDPS specifies that these additional measures should take into account all the circumstances of the transfer as well as the legislation of the country.
Concerning the additional measures it recommends, the EDPS provides a non-exhaustive list:
- Technical measures, namely the encryption of data hosted outside the European Union and/or the pseudonymization of exported data
- Contractual measures governing the transfer, such as an audit clause allowing the exporter to inspect the subcontractor’s information systems
- Organizational measures such as the implementation of internal policies and organizational methods
The new Standard Contractual Clauses (SCCs)
In parallel with these numerous evolutions, the European Union definitively adopted new standard contractual clauses (SCC) on June 7, 2021.
These clauses simplify the transfer framework while ensuring a high level of protection for the personal data of data subjects.
- Taking into account the diversity of contractual situations: whereas the old SCCs dealt with only two transfer scenarios, the new ones now provide for four, namely (i) from data controller to data controller; (ii) from data controller to data processor; (iii) from data processor to data processor; and (iv) from data processor to data controller. Therefore, before any transfer, it will be necessary to determine each party’s role (controller or processor)
- Strengthening the rights of data subjects: The SCCs contain a “third-party beneficiary clause for the benefit of data subjects,” allowing recourse to enforce the SCCs against one of the parties or seek redress in case of a breach
Note that:
- Although these new versions of the SCCs have been effective as of June 27, 2021, the old versions remained in force for a transitional period under certain conditions. They were repealed on September 27, 2021
- By December 27, 2022, any contract involving transfers with SCCs must include the new SCCs
Brexit, the end of six months of uncertainty
As of January 1, 2021, the United Kingdom is no longer part of the European Union.
Although many of the concerns related to this exit involved the movement of goods and people, the question also arose of what would happen to transfers of personal data, and what the consequences would be for companies.
The UK’s exit was first followed by a six-month transitional period, during which the provisions of the GDPR remained applicable. At the end of this period, the European Commission adopted an adequacy decision on the UK’s personal data protection.
Ms. Vera Jourova, Vice President for Values and Transparency, stated that although the United Kingdom has left the European Union, “its legal regime for the protection of personal data has remained the same.” Indeed, the UK has fully integrated the principles, rights, and obligations of the GDPR into its post-Brexit system.
The transfer of personal data to the UK will therefore remain possible without additional measures, in the same way as all countries subject to an adequacy decision.