Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR
The position under the General Data Protection Regulation (“GDPR“) relating to international transfers of personal data is similar to the existing regime under the Data Protection Directive (the “Directive“). However, there are a number of important differences that are likely to have key practical implications.
What does the law require today?
Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. A current list of “approved countries” is available from the European Commission’s website here.
Following the ECJ decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the US Department of Commerce’s U.S.-EU Safe Harbor Framework is no longer recognised as providing adequate data protection.
Businesses may also transfer personal data to a third country on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (“Model Clauses“) or Binding Corporate Rules (“BCR“) or if one of the derogations under the Directive applies.
The implementation of the rules in relation to international transfers under the Directive may vary from Member State to Member State. For example, some Member States require prior notification to, or approval by the DPA, even if relying on Model Clauses.
What will the General Data Protection Regulation require?
The GDPR provides for, not just the designation of a third country, but also of a territory or one or more specified sectors within the third country as providing an adequate level of data protection. Further, it details the factors to be taken into consideration in making such designation and the procedure for doing so.
It is clear from the GDPR that adequacy decisions may not necessarily last indefinitely. The GDPR envisages that the European Commission, in the context of a particular designation, would provide for a mechanism of periodic review, at least every four years. The Commission shall also be obliged to monitor on an ongoing basis, developments in third countries and international organisations that could affect the functioning of adequacy decisions taken by the Commission pursuant to the Directive or the GDPR. The GDPR specifically envisages the possibility of an adequacy decision, whether taken under the Directive or the GDPR being repealed, amended or suspended (albeit without retro-active effective).
The GDPR continues to allow for transfers of personal data based on standard data protection clauses (i.e. Model Clauses) adopted by the Commission and gives official recognition to the possibility of transfers based on an organisation’s approved BCR. Significantly, the GDPR specifically states that such transfers may be made without requiring specific authorisation from a data protection authority (“DPA”).
Further, the GDPR seeks to introduce other mechanisms to legitimise international transfers of personal data, including, for example:
• Transfers on the basis of standard data protection clauses adopted by a DPA and approved by the Commission;
• Transfers pursuant to contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country (where such contractual clauses have been authorised by the competent DPA);
• Transfers on the basis of an approved code of conduct (e.g. a code of conduct dealing with the transfer of personal data to third countries that has been approved by the relevant DPA);
• Transfers pursuant to an approved certification mechanism (e.g. a data protection seal or mark that has been issued by specified certification bodies or by the competent DPA on the basis of criteria approved by the competent DPA or the European Data Protection Board).
In the last two cases, the transfers must also be on the basis of binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
The derogations set out in the Directive will continue in force, subject to some amendments, for example, explicit consent to the proposed transfers is required if the transfer is being made on the basis of the consent-based derogation. The GDPR underlines the limited application of these derogations by describing them as “Derogations for specific situations”.
Importantly, the GDPR introduces a new derogation where the transfer cannot be made on the basis of the mechanisms outlined in the GDPR or if none of the other derogations apply, namely if the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject. Any controller seeking to rely on this derogation must have assessed all the circumstances surrounding the data transfers and, based on this assessment, adduced suitable safeguards with respect to the protection of personal data. The derogation is limited and will only apply if the transfer is not repetitive and concerns only a limited number of data subjects. In addition, the controller is subject to significant information requirements – the controller must inform the data subject about the transfer and the compelling legitimate interests pursued by the controller. The data controller must also inform the DPA of the transfer.
The GDPR provides official recognition to BCR as a means of lawfully transferring personal data outside the EEA. It also sets out uniform criteria for BCR approval that apply across the EU and makes the BCR approval process subject to the consistency mechanism specified in the GDPR (by means of which the data protection authorities are required to co-operate with each other and, where relevant, with the European Commission). The GDPR also removes any obligation to obtain additional approval from data protection authorities for transfers of personal data based on BCR.
The GDPR introduces a provision whereby any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if based on an international agreement in force between the requesting third country and the European Union or the Member State from which the data are being requested (e.g. a mutual legal assistance treaty). So, for example, controllers and processors are restricted from complying with a demand from a non-EU court for the disclosure of personal data under the GDPR where such demand is not based on an appropriate international agreement. However, the UK has opted out of this restriction. Consequently, it will not apply to businesses in the UK.
What are the practical implications?
Given the clarity and increased simplicity introduced in relation to BCR, it is likely that more businesses will opt for BCR as a means of legitimising international transfers of personal data. This trend is also likely to see an increase in the applications for BCR for processors (albeit that the GDPR does not explicitly mention BCR for processors).
The fact that the GDPR dispenses with the need to notify, or to obtain authorisation from, the DPA if the requirements of the GDPR are otherwise satisfied will probably mean an appreciable reduction in red tape in the context of international transfers. Obtaining a European Data Protection Seal or other recognised seal is also likely to be an option in due course.
Businesses may also be able to avail of the additional derogation, namely, that the transfer is made on the basis of the controller’s legitimate interests – this derogation may be particularly useful in the context of a one-off transfer of a limited amount of personal data where it would be difficult to obtain consent (and, in particular, explicit consent). However, it is very restrictive in nature and may be of limited use in practice.
Where a request for personal data is received from a non-EU court or authority (which is not based on an appropriate international agreement), businesses in EU Member States other than the UK will be in the unenviable position of having to decide whether to breach the GDPR, or breach the laws of the country whose courts or authorities are seeking the disclosure of personal data.
Businesses that infringe the provisions of the GDPR dealing with international transfers of personal data may be subject to administrative fines up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In view of the level of sanctions that may be imposed, it would be prudent for businesses to audit their data flows at this stage and ensure that they will be GDPR-compliant by the time the new rules come into effect. Businesses should also consider putting a policy in place for dealing with requests for personal data from non-EU law enforcement authorities – this could be part of a policy for dealing with requests for personal data from law enforcement authorities in general.