As the pandemic winds down and normalization procedures for the new normal speeds up, international data transfers have become even more important than it has ever been. In light of rising importance of multinational scientific and commercial operations, companies are doomed to transfer personal data legally, safely, and quickly. Even though international data transfers are essential for combating the pandemic and the normalization steps, such transfers are restricted in most of the legal systems. Accordingly, the Article 44 of the Regulation (EU) 2016/679 (“GDPR”) stipulates that any transfer of personal data to a third country or to an international organization shall take place only if conditions of the Chapter VI are meet.Pursuant to Article 45 of the GDPR, European Commission (“Commission”) can decide the list of third countries or international organizations which offers an adequate level of data protection (See for the list of recognized countries; https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
If the relevant data transfer involves a third country or an international organization which ensures an adequate level of data protection, such transfer may take place without any further instruments granted that such processing is lawful pursuant to the Article 6 of the GDPR and in line with the general principles stipulated under the Article 5 of the GDPR.
There are several safeguards provided by the GDPR to enable the data flow from European Economic Area (“EEA”) to a third country or an international organization with the appropriate level of data protection. According to the Recital 108 of the GDPR, parties of the restricted transfer can compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject though safeguards which ensures compliance with data protection requirements and the rights of the data subjects in a third country such as Binding Corporate Rules, Standard Contractual Clauses (“SCC”) adopted by the Commission, approved Code of Conduct, or an approved certification mechanism.
Moreover, in cases where neither an adequacy decision by the Commission for the related third country nor appropriate safeguards are provided, parties may transfer personal data from EEA to a third country under several conditions, derogations. In this information note, some of the applicable derogations regarding the data transfers in the shadow of the COVID-19 outbreak will be reviewed.
Derogations Applicable to COVID-19 outbreak
Considering the legal framework of the GDPR, firstly it should be checked that whether any applicable adequacy decision is available in order to make a data transfer from EEA to a third country. If not, data exporters and importers have to provide appropriate level of data protection with appropriate safeguards. However, restricted data transfers may also be made for some exceptional cases under the Article 49 of the GDPR without an adequacy decision, an appropriate safeguard, or further requirement of an authority’s approval.
As stated in European Data Protection Board’s (“EDPB”) guideline on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guideline 03/2020”) (See for our information note on such guideline; http://herdem.av.tr/european-data-protection-board-adopted-new-guidelines-regarding-covid-19-outbreak), due to the strains of COVID-19 outbreak data exporters may depend on the applicable derogations. Considering the nature of the outbreak and applicable derogations, data exporters may rely on the explicit consent of the data subject (Article 49(1)(a) of the GDPR) or necessity of the transfer for important reasons of public interest (Article 49(1)(d) of the GDPR). However, EDPB stresses in its Guideline 03/2020 that this derogations are exemptions from the general rule and, therefore, must be interpreted restrictively, and on a case-by-case basis. It should be taken into consideration that derogations are exceptional, therefore, parties eventually have to provide appropriate safeguards for the set of data transfers which involves continuous transaction patterns (See for more detailed information on one of the appropriate safeguards which enables parties to make restricted transfers by virtue of contractual clauses, SCC; http://herdem.av.tr/standard-contractual-clauses-for-data-transfers-to-third-countries). Data controllers also have to consider that in any event or under any derogation data processing or transfer still requires to be lawful under the Article 6 of the GDPR and in line with the general principles stipulated under the Article 5 of the GDPR.
Pursuant to the Article 4 of the GDPR, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Additionally, consent provided by a data subject can be withdrawn at any time.
If the parties will conduct restricted transfers based on the explicit consent of data subjects, the obligation to inform data subject have to be fulfilled. If a data subject provides its explicit consent after having been informed of the possible risks of such transfers for itself due to the absence of an adequacy decision and appropriate safeguards in addition to the information to be provided as per the Article 13 and 14 of the GDPR, restricted transfers can be made.
Recently, EDPB adopted its guideline on consent under Regulation 2016/679 (“Guideline 05/2020”) which includes significant points regarding the idea of consent, especially explicit consent. In the Guideline 05/2020, EDPB refers to the Article 29 Working Party’s statement which stresses that consent for data transfers that occur periodically or on an on-going basis is inappropriate. Therefore, as mentioned above if the planned transfer will have continuous patterns, parties have to provide appropriate safeguards. Moreover, since consent may be withdrawn at any time, parties should prefer to frame appropriate safeguards to enable data flow without an interruption.
Furthermore, explicit consent brings the burden of proof with itself. The EDPB states that data controllers may prefer to obtain explicit consent through signed written statements to avoid any future conflict. However, explicit consent may be obtained by electronic forms or orally. Yet, data controllers may face several struggles on proving the obtained consent is expressed explicitly, since the burden of proof is on data controllers. Therefore, considering urgent need of data transfer, obtaining explicit consent of data subjects may not be efficient and feasible for data controllers.
Important Reasons of Public Interest
Pursuant to the Article 49 of the GDPR, personal data may be transferred from EEA to a third country in absence of an adequacy decision and appropriate safeguards if there is a public interest recognized in Union law or in the law of the Member State to which the controller is subject. The necessity of urgent measures and recognized COVID-19 combating process enables parties to conduct necessary data transfers in this context.
In such scenario, parties may transfer personal data after conducting a necessity test for exceptional situations such as conducting scientific research in context of COVID-19. Even though such derogation is not limited to transfers having occasional nature, EDPB states that data transfer for long lasting research projects should not be made on such basis. Additionally, the application of such derogation shall not relief data controllers from their obligation to inform data subjects under the Article 13 and 14 of the GDPR.
As stated by EDPB in its guideline on derogations of Article 49 under Regulation 2016/679 (“Guideline 2/2018”), the use of derogations should never lead to a situation where fundamental rights might be breached. Data controllers should rely on such derogations in context of COVID-19 only as an exceptional option. In light of the worldwide normalization steps, data transfers being made based on derogations have to be avoided and appropriate safeguards should be framed by the parties as soon as possible. It is expected more parties to enter into SCCs to provide an adequate level of data protection, since it provides easier and more flexible nature compared to the other available safeguards.