Key References

  • GDPR Art. 44
  • Recitals 101, 102

Background

  • Prior to the entry into force of the GDPR, the OECD Guidelines, Convention 108 and the Data Protection Directive of 1995 tried to create harmonized rules that promote transborder flow of data while ensuring the privacy and data protection guaranteed to EU citizens under the ECHR and the EU Charter. However, inconsistent adoption of rules and non-binding guidelines led to a patchwork of inconsistent data protection rules which failed to provide a minimum threshold of data protection to EU citizens.
  • The GDPR attempts to address that by prohibiting transfer of personal data to third countries (jurisdictions outside the EEA) unless specific rules apply, rules which ensure full compliance with the GDPR. The purpose is to ensure that data protection rights guaranteed under the GDPR are not undermined as a result of transfer to non-GDPR jurisdictions.
  • Note: Data can be freely transferred within the EEA (27 EU member states) where GDPR applies.

Article 44 and Recital 101

  • Art. 44 states that controllers and processors can transfer data to third countries only if conditions relating to international transfer under the GDPR are met.
  • Recital 101 states that while the flow of personal data across borders is necessary for international trade and cooperation, such transfer of data should not undermine the level of protection for data subjects guaranteed under the GDPR.
  • Therefore, Art. 44 and Recital 101 require that personal data transfers to third countries and international organisations may only be carried out in full compliance with the GDPR.

Adequate jurisdictions

Key References

  • GDPR Art. 45
  • Recitals 103, 104, 105, 106, 107

Adequacy decisions

  • Art. 45.1 states that personal data can be freely transferred to third countries that the European Commission has decided provide an “adequate level of protection” for data subjects.
  • Art. 45.2 states that such transfers do not require any specific authorizations.
  • The European Commission explains an adequacy decision as follows:
    • An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries guaranteeing a comparable level of protection of personal data to that in the European Union. It is a decision taken by the Commission, as a result of which personal data can flow freely and safely from the European Economic Area (EEA) (the 27 EU Member States as well as Norway, Liechtenstein and Iceland) to that third country, without being subject to any further conditions or authorisations.

Role of the European Commission

  • The European Commission is the executive body of the EU.
  • It proposes new European legislation, manages EU policies, enforces EU laws, and represents the EU internationally, including negotiating international agreements for the EU.
  • Under the GDPR, the European Commission has the power to determine which third countries have adequate levels of data protection for transfer of EU personal data.

GDPR Guidance on Findings of Adequacy

  • Art. 45(2) and Recital 104 provide specific guidance to the European Commission on criteria for assessing adequate data protection in third countries.
    • The European Commission states that the criteria to assess adequacy do not require the third country’s data protection system to be identical to the one of the EU, but are based on the standard of “essential equivalence”. It involves a comprehensive assessment of this country’s data protection framework, both of the protection applicable to personal data and of the available oversight and redress mechanisms.
  • Art. 45(3) requires the European Commission to adopt mechanisms for periodic reviews, at least every four years, to ensure that third countries (adequate jurisdictions) continue to ensure adequate protection for EU personal data.
  • Recital 107 gives the European Commission the authority to revoke, suspend, or amend adequacy decisions for jurisdictions previously found adequate. Data transfers to such jurisdictions are prohibited unless other transfer mechanisms apply.

Adequate Jurisdictions

Safe Harbor and Privacy Shield

US EU Safe Harbor

  • In 2002, the European Commission (EC) and the US Federal Trade Commission (FTC) finalized the U.S.-EU Safe Harbor Framework, on the basis of which EU data controllers could transfer personal data to the US.
  • The Safe Harbor Framework was based on the Safe Harbor Privacy Principles. The Framework created a self-certification program for US companies to certify themselves with the FTC as having complied with the seven privacy principles.
  • On October 6, 2015, in the landmark case Schrems v Data Protection Commissioner (Schrems I) the CJEU declared the Safe Harbor Framework as invalid for failing to provide sufficient level of data protection required by EU law.

Privacy Shield

  • The EU-US Privacy Shield Framework replaced the Safe Harbor Framework. In 2016, the EC declared as adequate the Privacy Shield Framework, another self-certification program for US companies, on the basis of which EU data controllers could transfer personal data to the US.
  • On July 16, 2020, in yet another landmark case, Schrems v Data Protection Commissioner II (Schrems II), the CJEU declared Privacy Shield invalid for also failing to provide the adequate level of data protection required by EU law.

Standard Contractual Clauses

Key References

Transferring personal data in the absence of adequacy decision: appropriate safeguards (SCCs)

  • Art. 46(1) states that, in the absence of an adequacy decision, “a controller or processor may transfer personal data to a third country … only if the controller or processor has provided appropriate safeguards…”
  • Art. 46(2) enumerates several appropriate safeguards that may be used by controllers and processors to transfer personal data lawfully outside the EEA. One such appropriate safeguard, under Art. 46(2)(c) and (d), is standard contractual clauses (SCCs), also known as standard data-protection clauses and EU Model Contracts.
  • Recital 108 explains further that, “In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of … standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority.”
  • Thus, the GDPR permits transfer of personal data to third countries without an adequacy decision if other approved mechanisms (or, appropriate safeguards) exist.

Standard Contractual Clauses (SCCs)

  • Pursuant to Art. 46(2)(c) and (d), SCCs are either adopted by the European Commission or adopted by supervisory authorities and approved by the Commission.
  • Under the Data Protection Directive of 1995, the European Commission approved two sets of SCCs to transfer data on controller-to-controller basis outside the EEA.
  • In Schrems I and II, the CJEU analyzed the challenges to EC approved SCCs and noted lack of adequate transparency and data subject rights. However, the Schrems I and II decisions held that the SCCs remained valid.
  • On June 4, 2021, the EC released modernized SCCs for controllers and processors in the EEA for transfer of personal data to controllers or processors outside the EEA. The modified SCCs strengthened controller and processor transparency obligations and data subject rights.
  • The EC stated that, “These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs.”

Binding Corporate Rules (BCRs)

Key References

  • GDPR Art. 46(2), 47
  • Recital 110

Transferring personal data in the absence of adequacy decision: appropriate safeguards (BCRs)

  • Art. 46(2)(b) lists Binding Corporate Rules (BCRs) as another example of appropriate safeguards for controllers and processors to transfer data to third countries that do not have an adequacy decision.

Binding Corporate Rules (BCRs)

  • Recital 110 defines binding corporate rules as follows: “A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.”
    • Key elements of BCRs:
      • BCRs are limited to companies within a corporate group, such as affiliates and subsidiaries, which may be located outside the EEA. BCRs cannot be used to transfer data outside the EEA to companies that are not within the corporate group.
      • BCRs have to be approved by competent supervisory authorities. See Art. 47(1).
      • BCRs must be legally binding on the companies.
  • Art. 47(2) lists specific rules that must be specified in BCRs, namely data subject rights, transparency and accountability obligations, complaint mechanisms and so forth.
    • In 2008, WP29 introduced a framework for BCRs for controllers to transfer data outside the EEA in compliance with the Data Protection Directive of 1995.

Codes of Conduct and Certifications

Key References

  • GDPR Art. 46(2), 40, 42
  • Recitals 98, 99

Transferring personal data in the absence of adequacy decision: appropriate safeguards (Codes of Conduct, Certifications)

  • Art. 46(2)(e) and (f) list Codes of Conduct and Certifications as two other examples of appropriate safeguards for controllers and processors to transfer data to third countries that do not have an adequacy decision.
  • Arts. 40 & 42 (on codes of conduct and certification respectively) and Recitals 98-100 place obligations on member states, supervisory authorities, and the European Data Protection Board (EDPB) to draw up codes of conduct and certification mechanisms that have appropriate safeguards by which means controllers and processors can transfer personal data outside the EEA.
  • Currently there are no approved codes of conduct or certification mechanisms.
  • In 2021, WP29 published guidelines on codes of conduct as tools for transfers: Guidelines 04/2021 on codes of conduct as tools for transfers.

Derogations

Key References

Transferring personal data in the absence of adequacy decision or appropriate safeguards:

Derogations:

  • Art. 49(1).1 states that in the absence of an adequacy decision or appropriate safeguards, controllers and processors may nevertheless be able to transfer personal data outside the EEA to third countries under specific conditions (i.e. derogations).
  • Art. 49(1).1(a)-(g) list the limited derogations from the prohibition on transfer to countries without adequacy or appropriate safeguards. Recitals 111-115 elaborate on the conditions.
    • Art. 49(1).1(a) states that a transfer can occur on the basis of the data subject’s explicit consent after being informed of possible risks from the proposed transfer. Note: Art. 4(11) defines consent as freely given, specific, informed, unambiguous, by clear affirmative act and capable of revocation.
    • Art. 49(1).1(b) and Recital 111 state that a transfer can occur if it is occasional and necessary for a contract or legal claim.
    • Art. 49(1).1(c)-(g) enumerate other limited derogations.

No Derogations Applicable

  • Art. 49(1).2 and Recital 113 state that if there is no adequacy, or appropriate safeguards, or BCRs, and none of the above derogations are applicable, a transfer to a third country can nevertheless proceed if:
    • the transfer is not repetitive
    • concerns only a limited number of data subjects
    • the transfer is necessary for compelling legitimate interests of the controller which are not overridden by interests or rights and freedoms of the data subject, and
    • the controller has assessed all the circumstances surrounding the data transfer and provided suitable safeguards for protection of the data.
  • Note: all the above requirements must be met for the proposed transfer.
  • The controller must inform the supervisory authority and data subjects of the transfer, and also inform data subjects of the compelling legitimate interests pursued.

Public authorities

  • Art. 49(3) has carved out specific protections for public authorities who are exempt from Art. 49(1) derogation requirements for activities carried out in the exercise of public powers.
  • Recital 112 elaborates further on the needs and necessities for public authorities to transfer personal data to third countries even when there is no adequacy, appropriate safeguards, or applicable derogations.

WP29 Guidance on application of Art. 49

  • In 2008, WP29 published guidelines to provide guidance on the application of Art. 49 derogations.

Transfer impact assessments (TIAs)