Organisations that have recently implemented or are continuing to grapple with GDPR compliance projects will be aware that rules governing transfers of personal data outside the European Economic Area can be challenging to navigate and address. This is partly due to ongoing uncertainty regarding the long term validity of certain of the currently available mechanisms for lawfully engaging in such transfers. In this update, we consider some recent developments in this area, and the pros and cons associated with the most popular transfer solutions.
Adequacy decisions and Privacy Shield
Where the European Commission deems that the level of protection afforded to personal data in a third country, or in a territory or sector within a third country, ensures an “adequate level of protection”, it can make an adequacy decision in respect of that country, territory or sector, meaning that personal data may be transferred there without taking any additional legitimising steps to comply with international data transfer requirements. Twelve adequacy decisions are currently in force, including the Privacy Shield framework for the United States, which permits transfers to companies that have self-certified to the Privacy Shield principles.
The twelve existing adequacy decisions pre-date the GDPR becoming applicable, but expressly continue to be valid under the new regime unless and until they are amended, superseded, repealed or held by a competent court to be invalid. The existing decisions must be reviewed at least every four years, and it remains to be seen whether they will withstand scrutiny through the lens of the GDPR. The EU-US Privacy Shield, in particular, is under threat: the framework is being challenged in the Court of Justice of the European Union (“CJEU”) by La Quadrature du Net (a French privacy activist group), and the European Parliament has recently called for the European Commission’s decision to be struck down. Its second annual review by the European Commission is due to be conducted in mid-October, and issues flagged following its first review last October remain unaddressed.
By contrast, there is good news for organisations transferring personal data from the EEA to Asia, as steps have recently been taken to put adequacy decisions in place for Japan and South Korea. The Japanese proposal is more advanced; a draft decision has been published and the process of formal adoption was initiated on 5 September 2018. The draft is the culmination of lengthy negotiations and consideration of Japanese data privacy laws, and although it has yet to be finalised, it is expected that the decision will be implemented soon. Importantly, it appears that the decision will only legitimise transfers to commercial organisations that are subject to Japan’s Act on the Protection of Personal Information (“APPI”), and the draft decision expressly excludes educational, religious, and political organisations from its scope.
In the absence of an adequacy decision, most organisations choose to rely on a contract incorporating the ‘standard contractual clauses’ approved by the European Commission for the purpose of legitimising transfers. Three sets of standard contractual clauses are currently available for this purpose, and they can form a neat solution in many cases, particularly for straightforward controller-to-controller or controller-to-processor transfers. However, no such standard contractual clauses have been approved for processor-to-processor transfers. In addition, doubt has been cast over the long-term prospects of the current sets of standard contractual clauses, as the validity of one of the sets of clauses has been challenged in the “Schrems II” litigation and may fall to be considered by the Court of Justice of the European Union. The existing sets of standard contractual clauses are likely to remain a popular transfer mechanism, where applicable, for the foreseeable future but organisations need to be mindful of ongoing legal developments regarding their long-term prospects.
With the looming exit of the UK from the EU, the UK is likely to become a “third country” for the purposes of the rules governing transfers of personal data out of the EEA. According to Brexit guidance that the UK government released on 13 September 2018, the UK government’s desired outcome is for an adequacy decision to be put in place before the exit date in March 2019. Although the prospects of an adequacy decision will be assisted by the fact that the GDPR is being adhered to in the UK, and certain aspects have been implemented into UK law by the Data Protection Act 2018, there is a significant risk that the European Commission will not have made an adequacy decision by this date and that no alternative workaround will have been agreed between the EU and the UK. Against this backdrop, the UK Government’s own guidance recommends that UK companies start considering whether alternatives, such as standard contractual clauses, might need to be ready to be implemented to take effect on the exit date. Organisations based in other EU Member States will similarly need to have contingency plans in place in respect of transfers of personal data to the UK post-Brexit.
Binding corporate rules
Although they have had a low uptake to date, binding corporate rules (“BCRs”) are increasing in popularity among multinational corporate groups. BCRs consist of an agreed framework between members of a corporate group that may be relied upon to legitimise transfers of personal data outside the EEA but within the group. These rules (which may apply to organisations acting as controllers, as processors, or both) must be approved by a competent supervisory authority (such as the Irish Data Protection Commission), and the time and effort involved in obtaining such approval can be off-putting. However, for corporate groups that already have robust data protection policies and compliance frameworks in place, the BCR approval and adoption process might not require as much additional effort as would have been the case before the GDPR became applicable. Since BCRs can provide long-term efficiencies, particularly when compared with entering into numerous contracts incorporating the standard contractual clauses, and since they are not currently directly under threat, their appeal is likely to continue to grow for large corporate groups.
Derogations for specific circumstances
Where no other alternatives are available, certain derogations can be relied on in limited circumstances, such as where the transfer is necessary for the performance of a contract with the data subject, or where it is necessary for the establishment, exercise or defence of legal claims. The European Data Protection Board has published guidance on these derogations to assist controllers in determining whether it is appropriate to rely on them.
Considering the impact that a lack of viable transfer solutions would have on global trade, it is likely that EU data protection law will continue to adapt to the challenge of ensuring protection for personal data that traverses the boundaries of the EEA. However, given the questions about the long-term validity of certain existing mechanisms, organisations should keep their transfer arrangements under review and try to select the mechanisms that are effective and most efficient both now and, as far as possible, in the future.