We are seeing an unprecedented amount of disruption in the law around exporting personal data outside the EEA. The recent judgment of the Court of Justice of the European Union (CJEU), that the Decision of the European Commission (Commission) which underpins Safe Harbor is invalid, has propelled not only Safe Harbor but also other data export mechanisms into the spotlight. It may seem slightly at odds with the globalised world in which we live, where data can be shot from country to country at the click of a button, that any restriction on the movement of data is practicable. However, under current data protection law in Europe, and as accentuated by the recent CJEU decision, personal data may only be transferred outside Europe where it is afforded an adequate level of protection. And that adequate level of protection is not lightly bestowed. What's more, this principle does not look set to change in the various proposed drafts of the General Data Protection Regulation (GDPR).
We explore the proposed drafts of the GDPR from the European Council, Commission and European Parliament in relation to data exports.
General Principle for transfers (Article 40)
Although the Council's draft merges Articles 40 and 41 (see below), all three organisations agree that a transfer of personal data to a third country or international organisation may only take place if the conditions set out in the GDPR are complied with (including for onward transfers). As such, the principle of the general prohibition on personal data being transferred outside the EU without ensuring adequate protection is maintained.
Commission finding of adequacy (Article 41)
There are some common points of agreement among the three drafts, for example, (and as set out in current law) the Council, Commission and Parliament proposals all agree that personal data may be transferred to a third country pursuant to a Commission finding of adequacy. Further, Article 41 extends the current European Data Protection Directive 95/46/EC (Directive) so that this provides that the Commission may also deem (i) a territory, (ii) an international organisation or (iii) a sector within a third country to provide adequate protection. However, there are small but significant differences between the three drafts:
- the Council provides that a sector in a third country which the Commission has decided ensures adequate protection may be any specific sector while the Commission and Parliament state that this will be a processing sector;
- the Commission and Council provide that any finding of adequacy shall not require further authorisation whereas the Parliament more carefully proposes no specific authorisation will be needed;
- the Parliament asserts that the Commission, when adopting delegated acts pursuant to Article 86 (deeming adequate protection), shall provide for a sunset clause in the case of an approved processing sector in a third country meaning that the act shall cease to have effect after a certain date;
- in assessing third country adequacy the Parliament and Council are aligned in stating that the relevant supervisory authority should have powers to impose sanctions while the Commission more moderately asserts that such authority should be responsible for ensuring compliance with data protection rules; and
- the Council draft provides that where the Commission decides that a third country, territory, specified sector within a third country, or international organisation no longer ensures adequate protection, a possible remedy feature shall subsist so that the Commission shall consult with the applicable third country or international organisation with a view to resolving the situation.
It is clear that the provisions of this Article aim to extend circumstances where the Commission may deem adequacy and, in some ways, although not radically so, reflect a more modern and flexible approach. An example of this is the inclusion in the Council's draft that any specific sector, and not just processing sector, may be deemed to be adequate by the Commission. The extent to which these may be extended or restricted in the final draft remains to be seen. In addition, whether or not adequacy rulings will require further or specific authorisations, especially given the recent CJEU ruling on the Commission's Safe Harbor decision, will be particularly interesting.
Appropriate safeguards (Article 42)
In the event that the Commission has not delivered an adequacy finding pursuant to Article 41, a controller or processor may transfer personal data to a third country or international organisation only where the controller or processor has adduced appropriate safeguards. The Council is clear that such safeguards should also cover onward transfers.
Click here to view the table.
The Commission and Council agree that where a Member State has authorised a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection but where the controller adduces adequate protection (pursuant to Article 26(2) of the current Directive), such authorisation shall remain valid until amended, replaced or repealed by that supervisory authority. Yet the Parliament suggests that such authorisation would remain valid only until two years after the GDPR comes into force, unless amended, replaced or repealed by that supervisory authority before the end of such two-year period.
Binding Corporate Rules (BCRs) (Article 43)
All three drafts provide for legal recognition of BCRs for the first time in European data protection law. Importantly, and in an attempt to streamline the current BCR approval process, the drafts also set out that BCRs will be approved by the supervisory authority and in accordance with the consistency mechanism. The definitions of the 'corporate group' that can use BCRs vary slightly:
Click here to view the table.
Transfers or disclosure not authorised by Union law (Article 43a) (Parliament only)
The Parliament has suggested the inclusion of a new Article 43a which states that no judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Member State. In a post-Snowden era, it will be interesting to see how this materialises in the final draft.
Derogations (Article 44)
Article 44 sets out the possible derogations from the general prohibition that data must not be transferred outside of Europe unless adequately protected which essentially mirror the existing derogations in the Directive:
- where the data subject has consented to the transfer and been informed of the risks of such transfers; or
- the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of the data subject's request; or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
- the transfer is necessary for important grounds of public interest; or
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interest of the data subject or another person, where the data subject is physically or legally incapable of giving consent; or
- the transfer is made from a public register intended to provide information to the public and which is open to consultation either by the public in general or to any person who can demonstrate legitimate interest.
The Commission and Council also permit a derogation where the transfer is not large-scale or frequent and is necessary for the purposes of the legitimate interests pursued by the controller (the Commission draft also references processors), provided the controller has assessed all the circumstances surrounding the data transfer operation and, on the basis of that assessment, adduced appropriate safeguards with respect to the protection of personal data. Interestingly, the Council's draft adds that the legitimate interests of the controller must not be overridden by the interests or rights and freedoms of the data subject.
International co-operation (Article 45)
This article sets out that the Commission, along with the supervisory authorities, shall take steps to develop effective international co-operation mechanisms to ensure the enforcement of legislation for the protection of personal data, including providing international mutual assistance in the enforcement of such legislation. All drafts are similarly worded and reinforce the principle of international cohesion in the sphere of data protection.
EDPS, ICO and WP
The European Data Protection Supervisor (EDPS), the Information Commissioner's Office (ICO) and the Article 29 Working Party (WP) have also commented on the drafts:
- the EDPS is clear that "effective safeguards, not procedures" should govern the GDPR, allowing parties to clearly demonstrate compliance without excessive documentation obligations. The EDPS is strongly against the permitted derogation allowing data transfers to data controllers due to what it considers insufficient protection for the data subject and is clear that any request for transfers from authorities outside the EU should only be recognised if established Mutual Legal Assistance treaties or similar agreements and legal channels are in place;
- the ICO has traditionally called for a more progressive approach to personal data transfers to reflect the current and future climate. The ICO has most recently commented that the code of conduct derogation, with reference to transfers of personal data to third countries that third parties (i.e. trade bodies) can oversee, is welcome. The ICO states it will be interesting to see if there "really is any consensus around Article 43(a)" and the attempt to regulate the conflict between a third country requiring the disclosure of European personal data to that country and the principles of European data protection law, which inherently curb such disclosure. The ICO asserts that the GDPR should both support effective protection for data subjects and be easily workable in practice; and
- the WP has, whilst recognising that personal data does and indeed must cross borders, stressed the paramount importance of maintaining adequate protection when personal data is transferred outside Europe. It is clear that existing rights and protections must not be reduced and that Data Protection Authorities must be provided with enough powers and resource to enforce the GDPR effectively. The WP has, therefore, objected to the wide scope of derogations at Article 44 and any instruments which could be non-binding on the parties involved.
Safe Harbor and the CJEU ruling in Schrems v Data Protection Commissioner
A recent shock ruling from the CJEU declared that the Commission decision 2000/520 which underpins Safe Harbor is invalid (read more here).
While concerns about the Safe Harbor Principles are not new, the CJEU ruling is an exceptional development. The impact of the CJEU ruling is that the Safe Harbor Principles are no longer presumed to afford adequate protection to personal data transfers to the US, and that Member State data protection authorities are no longer bound by such principles to allow the transfer of personal data to the US. Also, importantly, any exports made to the US based on the Safe Harbor Principles will potentially be subject to an investigation from the applicable data protection authority and to possible enforcement action.
The Commission and US authorities have been engaged in discussions reviewing Safe Harbor for a couple of years, and changes were expected, with a revised and more privacy-robust mechanism anticipated in the not-so-distant future. It remains to be seen how the CJEU ruling will impact this. The ICO has commented on the ruling to emphasise that organisations must carefully consider their obligations and ensure that data transferred to the US is compliant with the law. Further, organisations should be aware of the full suite of mechanisms available to ensure adequate protection of personal data when transferring to a third country.
The WP has welcomed the CJEU ruling as it reaffirms the inherent importance of data protection rights in the EU. The WP has not underestimated the impact of the decision on stakeholders and will conduct a more detailed review of the ruling in due course. In addition, the impact of the CJEU ruling could also mean a higher level of scrutiny on data transfer solutions in general. While it remains to be seen exactly how Member State data protection authorities will apply the CJEU ruling, it’s clear that organisations need to act fast to review their compliance mechanisms for data transfers to the US (and by extension to all third countries) and ensure that these are in line with the law.
So, where are we now?
The trilogues are in full swing with the Parliament, Council and Commission considering and discussing each of their versions to agree a final position. Each will have to compromise and inevitably the extent to which each party is willing to do so will prove key. Given the recent CJEU ruling and the increased media attention in a post-Snowden era, data exports are likely to prove a hotly debated area. While the various drafts of the GDPR do not differ massively from the existing Directive and available data export solutions, as stated by the ICO, "The devil is in the detail" and this remains to be seen.