Review of the applicable law in the light of current events

Transfers of personal data to third party countries are one of the major issues of European protection of personal data due to the globalization of exchanges and the daily use of new technologies mainly from the United States.

Although the notion of “data transfer” is not clearly defined in the GDPR, the authorities nevertheless wished to clarify this notion. A data transfer is commonly understood as “any communication, copy or movement of data in a country outside the European Union, by an international organization”.

2020 and 2021 have been marked by numerous news and developments in the field: invalidation of the Privacy Shield, Brexit and new adequacy decision, publication of new Standard Contractual Clauses, EDPS recommendations, etc.

Data Legal Drive proposes to focus on the basics while deciphering the latest evolutions and their consequences for companies.

Rules for international data transfer

The GDPR allows, at this time, a free circulation of personal data within the European Union without prerequisites administrative formalities.

The sending of data to a third-party country is possible when there is an adequacy decision of the European Commission (Article 45 of the GDPR). An “adequacy decision” is a decision establishing that a third-party country, through its internal legislation, offers a level of protection of personal data equivalent to that guaranteed within the European Union.

Therefore, such a decision authorizes data flows from the European Union to the appropriate third country, without the need for a transfer instrument under Article 46 of the GDPR.

What criteria are used to determine adequacy?

Une décision d’adéquation repose sur la norme de l’équivalence essentielle. Il s’agit d’une évaluation globale du cadre de protection des données du pays en ce qui concerne à la fois les mesures de protection applicables aux données, et les mécanismes de surveillance ou de recours disponibles.

The Japanese example: Like several third-party countries, Japan has been the subject of an adequacy decision by the European Commission since July 2018. Several elements motivated this decision, and in particular the fact that Japan has recognized the protection of personal data as a fundamental right. In addition, several measures have been adopted, namely a common set of guarantees and individual rights, or the supervision of the proper application of the legislation by an independent authority, the Personal Information Protection Commission.

When assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the elements described in Article 45.2, including the rule of law, respect for human rights and fundamental freedoms, the existence and effective functioning of one or more independent supervisory authorities in the third-party country, etc.

What if there is no matching decision?

Not all countries in the world are subject to an adequacy decision. The GDPR has therefore provided for “fallback mechanisms” that allow for “appropriate safeguards” to be put in place for such data transfers. The absence of an adequacy decision does not therefore make the transfer impossible.

Article 46 of the GDPR states that the Data Controller, or Data Processor, may transfer personal data to a third-party country if appropriate safeguards are provided.

These appropriate safeguards can be of various kinds:

  • Binding Corporate Rules (article 47 of the GDPR): These are internal binding corporate rules relating to transfers of personal data to countries outside the European Union. They constitute an internal “Code of Conduct” within a company group, defining the data transfer policy strategy for each of the entities that make up the group, including employees;
  • Standard Contractual Clauses (article 93, paragraph 2) adopted by the European Commission, which have very recently been recast, as detailed below
  • Codes of conduct approved in accordance with Article 40
  • International agreements or administrative commitments

What if there are no appropriate safeguards?

In the absence of an adequacy decision and appropriate safeguards, the GDPR provides a third way to transfer data to a third country. Article 49 of the GDPR, which is exceptional in nature, provides for the possibility of transfers through “Derogations for specific situations”. The derogations provided in this text therefore relate to occasional, non-repetitive processing activities and must be interpreted restrictively.

Several derogation scenarios exist, including the fact that:

  • The data subject has given his/her explicit consent to the proposed transfer;
  • The transfer is necessary for the performance of a contract between the data subject and the data controller;
  • The transfer is necessary for important reasons of public interest.

As this list is not exhaustive, we refer you to Article 49 of the GDPR which details all possible exemption scenarios.

Decoding – the “Schrems II” ruling of July 16, 2020, what are the consequences for companies?

On 2020 July 16th, the CJEU invalidated in its “Schrems II” judgment (named after Maximilian Schrems who initiated the complaint to the Data Protection Commission) the EU Commission Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield. As a reminder, this “shield” allowed the transfer of personal data between the European Union and American operators who adhered to the Privacy Shield principles.

In its ruling, the CJEU finds that the Privacy Shield does not provide an adequate level of protection under the GDPR and the Charter of Fundamental Rights of the European Union as it considers that it is not sufficient to ensure the protection of personal data of European citizens against the National Security Agency (NSA) and US surveillance programs.

However, this ruling has a broader significance. At the same time, the CJEU indicated that, as a general rule, Standard Contractual Clauses (SCCs) may be used to transfer data to a third country. However, it will be up to the exporter and importer to jointly assess whether the legislation of the third-party country provides a level of protection equivalent to that required by EU law.

Therefore, the CJEU requires that a case-by-case consideration of the safeguards offered by an importer located in a third country be conducted. Data controllers and supervisory authorities will therefore be required to assess the effectiveness of the safeguards as applied by the importer with respect to the obligations of the importer in the country concerned.

If this is not the case, then companies will have to take additional measures to ensure an adequate level of protection.

What about the United States?

With regard to the United States, the CJEU considers that U.S. law does not provide an equivalent level of protection. Therefore, the transfer on the basis of the Standard Contractual Clauses will have to be accompanied by additional measures to be put in place.

As in the case of the United States, third-party countries that do not provide appropriate safeguards will only be able to transfer data if additional measures are taken.

What are these additional measures?

In its Recommendation the EDPS specifies that these additional measures should take into account all the circumstances of the transfer as well as the legislation of the country.

With regard to the additional measures recommended by the EDPS, he provides a non-exhaustive list:

  • Technical measures, namely the encryption of data hosted outside the European Union and/or the pseudonymization of exported data
  • Contractual measures governing the transfer, such as an audit clause allowing the exporter to inspect the subcontractor’s information systems
  • Organizational measures such as the implementation of internal policies and organizational methods

The New Standard Contract Clauses (SCC):

In parallel to these numerous evolutions, new standard contractual clauses (SCC) have been definitively adopted by the European Union on June 7th, 2021.

The purpose of these clauses is to simplify the framework for transfers, while ensuring a high level of protection for the personal data of data subjects.

  • Taking into account the diversity of contractual situations: Whereas the old SCCs dealt with only two transfer scenarios, the new ones now provide for four, namely (i) from data controller to data controller; (ii) from data controller to data processor; (iii) from data processor to data processor, and (iv) from data processor to data controller. Therefore, prior to any transfer, it will be necessary to determine the qualification of the parties involved.
  • Strengthening the rights of data subjects: The SCCs contain a “third-party beneficiary clause for the benefit of data subjects,” allowing recourse to enforce the SCCs against one of the parties or seek redress in case of breach.

Note that:

  • Although these new versions of the SCCs are effective as of June 27th, 2021, the old versions remain in force for a transitional period under certain conditions. These will be repealed on September 27th, 2021
  • On December 27th, 2022, any contract involving transfers with SCCs must include the new SCCs

Brexit, the end of six months of uncertainty

As of January 1, 2021, the United Kingdom is no longer part of the European Union.

Although many concerns related to this exit concerned the movement of goods and people, the question that also arose was what would happen to the transfer of personal data, and what would be the consequences on companies?

The UK’s exit was first followed by a six-month transitional period, during which the provisions of the GDPR remained applicable. Finally, at the end of this period, the European Commission adopted an adequacy decision on the UK‘s personal data protection.

Indeed, Ms. Vera Jourova, Vice President for Values and Transparency, stated that although the United Kingdom has left the European Union, “its legal regime for the protection of personal data has remained the same”. Indeed, the UK has fully integrated the principles, rights and obligations of the GDPR into its post-Brexit system.

The transfer of personal data to the UK will therefore remain possible without the need for additional measures, in the same way as all countries subject to an adequacy decision.

Sources (french)