27 July 2018
Advisory Body Adopts Guidelines on Which Kinds of Personal Data Transfers to Non-EU Countries are Permitted
On 25 May 2018, the European Data Protection Board (the EDPB) adopted Guidelines on the derogations that are allowed with regard to international data transfers of an individual’s (e.g. a customer’s) personal data.
Under the EU’s Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), the general rule is that data can only be transferred to non-EEA countries if these countries offer an “adequate level of protection”. EEA countries comprise the European Union plus Norway, Iceland and Liechtenstein. The existence of an adequate level of protection can either follow from an “adequacy decision” for a whole non-EU country issued by the European Commission, or be a consequence of specific measures taken by the data controller, i.e., if the data controller has put into place “adequate safeguards” such as the implementation of Binding Corporate Rules or the use of standard model clauses.
Article 49 of the GDPR provides for specific derogations by virtue of which data controllers may still transfer personal data to non-EEA countries even if those countries do not offer an adequate level of protection for such personal data. The EDPB addresses each of the derogations under Article 49 of the GDPR, as follows:
Explicit consent: Article 49 authorises data transfers if the data subject has given his or her “explicit consent” for the use of such a derogation. The EDPB underlines that consent should be specifically given for the particular data transfer at issue, and that, with this in mind, it might sometimes be impossible to obtain the data subject’s consent for a future transfer at the time of collection of the personal data, e.g. if the occurrence and specific circumstances of the transfer remain unclear at that time. The EDPB also stresses that it is crucial that the data subject should be properly informed in advance of the specific circumstances of the transfer (including, but not limited to, the data recipients and the countries to which the data are transferred) and that, therefore, he or she should also be informed of the specific risks of a transfer to a country not providing adequate protection in the absence of adequate safeguards. If such information is not supplied, the derogation will not apply.
Contract: Article 49 of the GDPR permits a derogation for transfers that are necessary for the performance of a contract between the data subject and the controller or for implementing pre-contractual measures. The EDPB explains that such transfers must be strictly “necessary” for the contractual purpose and that the derogation only permits “occasional” transfers for this purpose. By way of example, the EDPB indicates that this basis cannot be used for international transfers in order to centralise payment and human resource management functions within a group of companies. For such a situation, standard contractual clauses or Binding Corporate Rules may provide a more suitable basis.
Contract in interest of data subject: Next, Article 49 of the GDPR permits transfers that are necessary for the conclusion or performance of a contract concluded expressly in the interest of the data subject. This derogation is interpreted similarly to the above, meaning that the transfer of personal data must be occasional and necessary. There must be a close and substantial link between the transfer and the contract concluded in the interest of the data subject.
Public interest: Article 49 of the GDPR allows transfers that are necessary for important reasons of public interest. Here, the EDPB reiterates earlier guidelines, that this “derogation only applies when it can also be deduced from EU law or the law of the Member State to which the controller is subject”. Accordingly, foreign interests do not qualify to permit the transfer, but the EDPB nevertheless indicates that account should be taken of “the spirit of reciprocity for international cooperation”.
Legal claims: Under Article 49 of the GDPR, transfers may take place when the transfer is “necessary for the establishment, exercise or defence of legal claims”. This derogation provides an important basis for international transfers in the context of international litigation as well as criminal or administrative investigations in a third country (including antitrust law, corruption and insider trading investigations). Transfers for the purpose of pre-trial discovery procedures may also fall under this derogation. However, the EDPB states that such transfers must still be “occasional and necessary”, and it points out that the transfer of all personal data that is only possibly relevant to the legal proceedings “would not be in line with this derogation or with the GDPR more generally”.
Protection of vital interests of data subject or other persons: Article 49 of the GDPR applies to transfers necessary in order to protect the vital interests of the data subject or other persons, if the data subject is physically or legally incapable of giving consent. This derogation applies, for instance, in the event of a medical emergency.
Compelling legitimate interest of controller: Finally, international transfers may be permitted where there are compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject. The Guidelines confirm that this Article 49 derogation can only be relied upon in residual cases, where none of the other derogations applies. In this respect, the EDPB states that the data exporter should be able to demonstrate its serious attempts to rely on the other grounds for transfer or the impossibility of relying on such grounds. For example, the EDPB notes that Binding Corporate Rules may often not be a feasible option for small and medium-sized enterprises due to the considerable administrative investments they entail. Also, the EDPB stresses that not all “legitimate interests” can be qualified as “compelling” and that a higher threshold applies in such an assessment.
An example of a compelling legitimate interest would be, according to the EDPB, if a data controller is forced to transfer the personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business. The EDPB adds that such a transfer can only concern a limited number of data subjects. Moreover, this derogation also requires the transfer to be “not repetitive”. Transfers may happen more than once, but not regularly.
These Guidelines provide a welcome insight for companies wishing to export personal data out of the EU, e.g., to Hong Kong or mainland China, especially since derogations for data transfers could gain importance over time in view of the challenges currently faced by existing transfer mechanisms. Indeed, the validity of both the EU-US Privacy Shield and the European Commission model clauses which allow such data transfers is currently being questioned.