Legal requirements
The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have somewhat changed the rules concerning the transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On the one hand the conditions are clearer; on the other hand, new types of safeguards have been introduced.
It has to be noted that there are two possible situations: transfer from a European Institution as controller to another controller, and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences.
One safeguard which is common to the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure; the EDPS can also adopt contractual clauses, but these also have to be approved by the Commission under the same procedure). There are, however, no standard contractual clauses approved under the new rules yet.
The new rules allow some derogations in paragraph 1 of Article 50 (these were also present in the old Regulation 45/2001, with one change in the condition of protecting the vital interests of the data subject: a new, additional condition has been added, namely that the data subject is incapable of giving consent).
There are basically three possible solutions which can be used in daily activity: explicit consent of the data subject "after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards" (paragraph 1(a) of Article 50 of Regulation (EU) 2018/1725 and of Article 49 of the GDPR), appropriate safeguards, or the abovementioned other derogations.
Risks of international transfers
The risk is, on the one hand, that laws or other interventions of state actors can interfere with the protection ensured by the contract. This is in most cases illustrated by the case of the U.S., but the declarations Russia and Turkey attached to their ratification of Convention 108 of the Council of Europe are also an indication (the latter did not ratify the 2018 protocol amending it): Turkey exempted personal data in public registers under Turkish law, data to be made available to the public by law, and data processed by public authorities for national security, defence and the fight against crime. Russia’s exemptions include data under state secrecy.
Jurisdictions not applying the GDPR and not ensuring
adequate protection may also not provide data subject rights, transparency or
appropriate redress against infringements of data subject rights.
In the case of international organisations, there is an additional risk: some of these have immunity, and in order to be brought to court in the case of infringing the conditions of the contract, they have to renounce their immunity or agree to another arbitration mechanism which also enables the enforceability of data subject rights and of the obligations toward the EU controller transferring the data (called the "data exporter").
When using standard contractual clauses, it has to be assumed that these cover all risks. If, however, individual clauses are used, all these risks have to be mitigated adequately. This is assisted by the EDPB guidelines on Article 46 (2) a and (3) b of the GDPR, open for comments until April 6th 2020.
Possibility to use derogations
The EDPB has issued guidelines also about the derogations.
Consent is not applicable to activities carried out by public authorities in the exercise of their public powers. This limitation would constrain us mainly if the data subject is the one over whom the public powers are exercised (clearly in this case consent is not freely given). It is doubtful whether evaluations and other outsourcing in the framework of legislative activity could be covered by these derogations.
In order to apply the derogation according to subparagraph d (important reasons of public interest) of paragraph 1 of Article 49 of the GDPR (Article 50 of the EUDPR), the public interest has to be recognised in Union law.
The derogations in subparagraphs b and c (necessary for a contract to which the data subject is a party or which is concluded in the interest of the data subject; the first case covers performance, the second the conclusion and performance of a contract) are subject to the same limitation as consent. Also, these derogations should be interpreted strictly according to the practice of the European Court of Justice. This means that it must be absolutely necessary to transfer data to a third country or an international organisation, i.e. that, for example, no processor in the EU is available.
Moreover, only data of individuals who are parties to the contract, or in whose interest the contract is concluded, can be transferred, i.e. if the data subjects are only employees or members of such an organisation, the transfer cannot be based on this derogation. It also has to be taken into account whether there is a possibility to apply appropriate safeguards (for example, in a public procurement the contracting authority can include appropriate contractual clauses in the call for tender). Also, when it is not the data subject who is the party to the contract, or the contract is concluded in the interest of an organisation and not the individual, this derogation cannot be applied. Neither can it be applied to data of staff working on the contract. A positive example is an individual expert or beneficiary who is to work in a non-EU country and whose data have to be communicated to authorities, research partners or service providers in that country whose services are necessary (a similar example is in the position paper of the EDPS about transfers).
"While that paper is still about the old Regulation (EC) 45/2001, the general
architecture of possible safeguards remains the same." says the EDPS. The
EDPB guidelines state: “It requires a close and substantial connection between the
data transfer and the purposes of the contract”.
It also has to be noted that the opinion of the EDPS and the EDPB is that derogations can only be applied "provided that the transfer is not repeated, massive or structural, and no other legal framework can be used". The basis is Recital 111 of the GDPR and Recital 68 of the EUDPR respectively.
Use of appropriate safeguards
Thus, in most cases the only realistic solution is to
provide appropriate safeguards according to Article 48 of the EUDPR, Article 46
of the GDPR. The national data protection authority (DPA, in the case of EU
institutions the EDPS) has to be informed of the categories of cases in which
this Article has been applied. At the same time, paragraph 2 of this article
foresees safeguards for which no specific authorisation of the DPA is
necessary.
Subparagraph a of this paragraph foresees a legally binding and enforceable instrument between public authorities or bodies. It contains no further requirements except that this should ensure enforceable data subject rights and effective legal remedies for data subjects. I would argue that this implies compliance with the principles, not just express data subject rights, and also compliance with the Articles about security of processing, data breach notifications and confidentiality of electronic communications. It goes without saying that the general processor obligations also have to be complied with.
If the data are not transferred to public authorities or bodies, only standard contractual clauses approved by the Commission pursuant to the examination procedure referred to in Article 96(2) can be applied without specific approval of the EDPS (subparagraphs b and c). The only difference between the two subparagraphs is whether these clauses are adopted by the EDPS or by the Commission, but in either case they have to be approved by the Commission according to the specific comitology procedure (the examination procedure, which gives the expert committee practically a right of veto).
In my opinion, safeguards according to subparagraph d (binding corporate rules, codes of conduct or certification mechanisms) are not yet available. By the way, the opinion of the EDPS published on its information page about international transfers is that binding corporate rules cannot be entered into by public entities, such as the EU institutions and bodies, for their own transfers.
Situation of standard contractual clauses
The standard contractual clauses have been modified twice
(the second time following the Schrems judgment to take into account some
elements of it), among others taking into account subprocessing and the
possibility for the data protection authorities to oversee personal data
transfers even if they are implemented under the standard contractual clauses.
Hereinafter I analyse the standard contractual clauses
applicable to processors in third countries.
Beyond the main conditions necessary for any contract with a processor (see later), these clauses contain some specific prescriptions to handle the risks of a transfer to a third country jurisdiction. Some of the obligations are: agreeing and warranting that the data importer (in this case the processor in a third country) has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware of it, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; and also notifying the controller about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
Data subject rights can only be directly enforced against the processor if the data exporter (the controller) has ceased to exist without a legal successor, and against a sub-processor if this is the case for both the data exporter and the data importer (the main processor). The processor undertakes, however, two responsibilities which together amount to assisting the controller in ensuring data subject rights: first, to promptly notify the data exporter about any request received directly from the data subjects, without responding to that request unless it has been otherwise authorised to do so; and second, to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer, and to abide by the advice of the supervisory authority with regard to the processing of the data transferred.
One point where the standard contractual clauses only partly conform to the obligations of the GDPR is the notification about data breaches, the formulation being “any accidental or unauthorised access”, which could encompass most of the possible cases but not, for example, destruction or distortion due to a technical problem. The processor, however, directly undertakes, according to the clauses, the responsibility to implement the security measures which are to be attached to the contract.
There are two indications showing that the standard
contractual clauses are nevertheless considered valid in spite of the change
from the Data Protection Directive and Regulation 45/2001 to the GDPR and Regulation
(EU) 2018/1725.
First, the EDPS published an information page (entitled “Authorisation
Decisions for Transfers”, but giving detailed information about transfers under the
new regulation) where the existing standard contractual clauses are explicitly referenced as a
preferred basis of transfers if no adequacy decision exists.
Also, the Advocate General concluded in the Schrems 2 case (subject to confirmation by the Court) that there is no reason to invalidate the standard contractual clauses. The transfer by Facebook Ireland to its U.S. parent company based on the standard contractual clauses was investigated in this case also taking into account the GDPR.
What sort of agreement should be signed?
According to the EDPS information page about international transfers,
the safeguards must be outlined in a legally binding instrument, such as a
contract or a Memorandum of Understanding, between the transferring and
recipient parties.
The EDPS adds (on the abovementioned page on authorisation
decisions): “Another solution is to use "ad hoc" clauses or
insert provisions into administrative arrangements between public authorities
or bodies which include enforceable and effective data subject rights. The EDPS
has to approve these.” Recital 108 of the GDPR and recital 65 of the EUDPR say,
however, that: “Authorisation by the competent supervisory authority (EDPS
in the EUDPR) should be obtained when the safeguards are provided for in
administrative arrangements that are not legally binding.” This is not
reflected in the articles, however. The EDPB guidelines on Article 46 (2) a and
(3) b of the GDPR, however, also contain this formulation: “In this
respect, Article 46 (1) and recital 108 of the GDPR specify that these
arrangements have to ensure enforceable data subject rights and effective legal
remedies. Where safeguards are provided for in administrative arrangements that
are not legally binding, authorisation by the competent SA has to be obtained.”
Administrative arrangements are thus sometimes referred to as a general term covering different legal instruments, and sometimes only as instruments for which the approval of the EDPS is necessary. A legally binding instrument can take the form of a contract or a Memorandum of Understanding (these are considered by the EDPS to be instruments for which there is no need for its approval).
The EDPB guidelines referred to above state: “Even if the
form of the instrument is not decisive as long as it is legally binding and
enforceable, the EDPB considers that the best option would be to incorporate
detailed data protection clauses directly within the instrument. If, however,
this solution is not feasible due to the particular circumstances, the EDPB
strongly recommends incorporating at least a general clause setting out the
data protection principles directly within the text of the instrument and
inserting the more detailed provisions and safeguards in an annex to the
instrument.”
Can international organisations be considered public authority or body?
The EDPB guidelines on Article 46 (2) a and (3) b of the GDPR state (point 8) that “The EDPB considers that this notion is broad enough to cover both public bodies in third countries and international organisations”. This is based on Recital 108 of the GDPR (the corresponding Recital is No. 65 in the EUDPR), which states: “Transfers may also be carried out by Union institutions and bodies to public authorities or bodies in third countries or to international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects.”, i.e. it allows transfers based on administrative arrangements also to international organisations.
Transparency requirement in case of a transfer
Beyond the transparency obligation of the data importer (recipient in a third country), whenever data are transferred to third countries or international organisations, according to the EDPB:
“a general information notice on the website of the public body concerned will not suffice. Individual information to data subjects should be made by the transferring public body in accordance with the notification requirements of Articles 13 and 14 GDPR”
Some aspects of working out clauses for legal instruments of transfers
They should clearly describe the data protection principles that have to be respected, in particular:
- data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
- data quality and proportionality;
- information of individuals concerned;
- security measures;
- possibility for the individuals involved to exercise their rights of access, rectification and opposition;
- restrictions on onward transfers by the data recipient;
- effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.
The EDPB guidelines also list the requirements for legal instruments:
- Data protection principles
- Rights of the data subjects
- Restrictions on onward transfers and sharing of data
- Sensitive data
- Redress mechanisms
- Supervision mechanisms
- Termination clause
According to the Guidelines: “the agreement should also set out the way in which the
receiving public body will apply the core set of basic data protection
principles and data subject rights to all transferred personal data in order to
ensure that the level of protection of natural persons under the GDPR is not
undermined”.
For international institutions, the following paragraph is
also interesting: “If there is no possibility to ensure effective judicial
redress in legally binding and enforceable instruments so that alternative redress
mechanism have to be agreed upon, EEA public bodies should consult the
competent SA (DPA) before concluding these instruments.”