What do I need to know?
- The key principles already underpinning transfers (namely adequacy and appropriate safeguards) will continue to apply under the GDPR.
- Existing Commission decisions regarding adequacy and approved contractual clauses will continue to be valid.
- The prohibition on transfers now applies to data processors.
- Additional ‘appropriate safeguards’ are available, including some new options: approved codes of conduct, certification mechanisms, seals and marks and a new prescribed process for BCRs. Supervisory authority authorisations/filings will not be required where these safeguards are used.
- Where relying on consent as a derogation, that consent must be explicit and the data subject must have been informed of the risks of the transfer.
What do I need to do?
- Take stock of existing transfers and assess how they should be protected under the existing legal regime.
- Watch out for new proposed transfers and ensure you adopt suitable transfer solutions.
- For all transfers, keep a record of their details and the transfer solution you have applied to each of them.
- Watch out for GDPR-related updates from supervisory authorities and the Commission which may provide useful guidance as to which safeguards will most suit your needs.
What is the current position?
Privacy professionals will be familiar with the provisions governing international transfers of data set out in the Directive. To recap, the Directive imposed a general prohibition on the transfer of personal data to a country outside the EEA unless that country ensures an ‘adequate level of protection’.
EU Member States implemented the above prohibition into their own laws. In the UK, the DPA enshrined the prohibition as the eighth data protection principle: that personal data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
What will remain the same?
As is the case under the current legal regime, transfers of personal data to a third country are generally prohibited unless an adequacy decision, appropriate safeguard or derogation can be applied. ‘Third country’ is not defined in the GDPR but we assume it continues to mean any country or territory outside the EEA.
The principle of adequacy has been carried across into the GDPR. In a similar vein to the provisions of the Directive, adequacy should be assessed in light of a number of different elements. A detailed list is provided and they still include the rule of law, professional rules and security measures which are in force and complied with in that country (however, there are changes, see below). Adequacy decisions already adopted by the Commission (i.e. the ‘white list’) shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with the GDPR.
Organisations will also still be able to rely on standard contractual clauses (i.e. the various sets of model clauses approved by the Commission) as a means of ensuring lawful transfers. However, it is unclear whether this rationale will extend to other transfer contracts which have been approved by local supervisory authorities. In addition, the existing standard contractual clauses will remain intact until amended, replaced or repealed – this departs from the provisions of earlier GDPR drafts which referred to a ‘sunset’ period.
The derogations available to organisations wanting to transfer data overseas generally remain unchanged, with the exception of a new derogation where the transfer is necessary for the purposes of the controller’s ‘compelling legitimate interests’ (described in further detail below).
What is Changing?
Extending the scope of the prohibition
A key change introduced by the GDPR is that the prohibition on transfers outside of the EEA has been extended to apply to data processors as well as data controllers. For more information on how the GDPR impacts data processors please read our separate briefings on Territorial scope and application and Data processor obligations (coming soon!).
In addition, the prohibition now expressly covers ‘onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation’ – a possible product of the Snowden/NSA revelations. The concept of ‘onward transfers’ is not new and various supervisory authorities have made attempts to limit them under the existing legal regime. However, the explicit inclusion of ‘onward transfers’ in the GDPR will encourage the Commission and supervisory authorities to pay closer attention to this going forward.
The GDPR provides that a transfer may take place where the Commission has decided that the third country or international organisation in question ensures an adequate level of protection, and that such a transfer will not require any specific authorisation. So what? By way of reminder, the Directive, in contrast, does not limit who is permitted to determine adequacy in this way. Whilst it is true that the Directive empowers the Commission to make adequacy determinations and requires Member States to take measures necessary to comply with those decisions, it also allows scope for Member States and in turn supervisory authorities to determine and assess adequacy, in some cases, as in the UK, allowing data exporters to self-assess adequacy. A number of national supervisory authorities, including the UK’s ICO, have issued guidance on self-assessments regarding adequacy. Indeed, the self-assessment approach to adequacy assessments was paraded as something of a saviour when Safe Harbor was declared invalid back in October 2015. The position appears to be different under the GDPR – seemingly only the Commission can actually determine adequacy. We await further guidance in this respect.
It is also worth noting that the adequacy assessment criteria laid out in the GDPR (i.e. what the Commission will take into account when assessing adequacy) have been widened to explicitly include (among others) rules for onward transfer, national security, criminal law and the access of public authorities to personal data. This is, no doubt, another consequence of the Snowden revelations.
Appropriate safeguards: Model clauses, BCRs, codes of conduct and certification mechanisms
The standard contractual clauses which already exist as a possible transfer mechanism remain available. The GDPR also provides a number of alternatives. BCRs have been enshrined in the legislation for the first time to cover transfers of personal data to companies within a corporate group. Further information on the BCR approval process has to date been confined to advice and guidance issued by the Commission and supervisory authorities. The GDPR recognises BCRs as an official transfer instrument and sets out an approval process. For the first time, BCRs must be accepted as a lawful transfer mechanism across all EU Member States.
The GDPR also provides a suite of new transfer mechanisms. These include approved codes of conduct, certification mechanisms, seals and marks. Where these are relied upon as an appropriate safeguard for data transfers, they must be provided in conjunction with binding and enforceable commitments of the recipient controller or processor in the third country.
The GDPR clarifies that the appropriate safeguards noted above do not require any specific authorisation from any supervisory authority. To date, transfer approval regimes have varied significantly across the Member States – different filing and/or authorisation requirements have been a headache for international companies in particular. The GDPR’s apparent removal of red tape will be welcomed by data exporters. However, it comes with a health warning because (i) some of the new transfer mechanisms (e.g. codes of conduct, certification and seals) must first have been approved by the local supervisory authority; and (ii) organisations wishing to amend Commission-approved contractual clauses will still require authorisation from their local supervisory authority.
Derogations: consent, ‘compelling legitimate interests’ and ‘important reasons of public interest’
As mentioned above, the GDPR includes a new (albeit limited) derogation. Where a data controller cannot rely on an adequacy decision, appropriate safeguard or other derogation, a transfer may take place if it is not repetitive, concerns only a limited number of data subjects and is necessary for compelling legitimate interests pursued by the controller which are not overridden by the interests, rights or freedoms of the data subject, and if the controller has adduced suitable safeguards in relation to the protection of personal data. The controller must notify the relevant supervisory authority where it seeks to rely on this derogation. In addition, the compelling legitimate interests behind the transfer must be explained to the data subject. How useful this derogation will be in practice remains to be seen.
Where a data controller looks to rely on a data subject’s consent to transfer their personal data, that consent must be explicit. In addition, the data subject must have been informed of the possible risks of the transfer due to the absence of an adequacy decision or appropriate safeguard.
It should also be noted that Member States may, for ‘important reasons of public interest’, expressly set limits to the transfer of specific categories of personal data to a third country or international organisation. The interplay between this rule and local implementation of the new “Privacy Shield”/Safe Harbor 2.0 (and any of its successors) may prove interesting.
Transfers in response to a foreign legal requirement
It is no surprise that, in the wake of the Snowden/NSA revelations, the GDPR recitals expressly state that any judgment or decision of a court or administrative authority of a third country which requires a controller or processor to transfer/disclose data will only be enforceable if based on an international agreement between the requesting country and the European Union or relevant Member State.
Contracts between data controllers and data processors
The GDPR requires that the mandatory contract governing any data processor appointment must stipulate that the processor may only process the relevant personal data on documented instructions from the controller, including with regard to transfers (except where the transfer is required by law). We await further guidance as to how detailed such instructions need to be. This could be difficult to satisfy in practice where vendors have established extensive processing operations overseas which are utilised as part of their standard offering.
Recording your transfers
The GDPR requires both controllers and processors to maintain a record of any transfers of personal data to a third country or international organisation, the identity of the relevant country or organisation and details of what adequacy decision or safeguard has been applied in respect of each transfer. These obligations have been introduced as part of a suite of internal governance requirements. See our Governance (coming soon!) briefing for further information on these.
Supervisory authorities – what can they do?
Although adequacy determinations will be made by the Commission (as explained above), local supervisory authorities will still have decision-making powers in respect of international transfers in certain circumstances. For example, contractual clauses, codes of conduct, certification mechanisms, seals and/or marks approved by the competent supervisory authority are deemed to be appropriate safeguards, so long as the supervisory authority applies the GDPR’s rules on wider EU approval, such as the consistency mechanism – to help ensure a harmonised approach.
How will your business be affected?
The above changes will impact organisations differently depending on the extent to which they transfer personal data outside of the EEA and why they do this. What is clear is that the GDPR provides a wider menu of options to data controllers in this respect and it will be interesting to see how the mechanisms on offer will work in practice – in particular, the new certification mechanisms, seals and marks and also the application of the ‘compelling legitimate interests’ derogation.
Multi-nationals will take comfort in the abolition of authorisations where an appropriate safeguard can be applied, which have caused headaches to date (in the guise of local transfer-related notifications, permits and filings). In addition, global companies may be encouraged by the GDPR’s statutory recognition of BCRs and its provision of additional detail about them. Hopefully, the new process will help to clarify the procedure overall and we should see an increased take-up.
Adding the eagerly anticipated “Privacy Shield”/Safe Harbor 2.0 to the mix, the next two years are set to be very interesting indeed as regards international data transfers.
Remember that many of the existing mechanisms for safeguarding data transfers will continue to be sufficient under the GDPR. In line with this, making sure you comply with the current legislation is a good place to start.
Conduct a data transfers audit. Salient questions to be asking of your organisation include: Are you transferring any personal data overseas – is it going outside of the EEA? Who are you sending data to and why? Are the recipients processing personal data on your behalf or are you sharing data with a third party organisation for them to use for their own purposes? Are you sharing data intra-group – could BCRs be an attractive option for you under the GDPR?
Consider which of the current safeguards offers you the most appropriate solution to ensure adequate transfers – including the “Privacy Shield”/Safe Harbor 2.0 in respect of transfers to the US, to the extent that crystallises.
Keep track of the steps your organisation has taken to address international transfers of personal data so far and what your plans are for the future. Aside from this being a future requirement under the GDPR (see our separate briefing on Governance (coming soon!)), the information will serve as a useful resource if, in light of new guidance from the Commission and supervisory authorities which is expected to emerge in the run up to implementation, a transfer solution provided under the GDPR starts to look more appealing.