Since the 2016 reform of EU data protection legislation (“GDPR”), the level of protection required within the European Union must travel with the data whenever it is transferred internationally.
The obligation to ensure that an adequate transfer mechanism is in place applies to both controllers and processors. Understanding how the lawful data transfer mechanisms apply is essential for any organisation that wishes to transfer personal data to recipients located outside the European Economic Area (the EU member states, Iceland, Liechtenstein and Norway).
Some countries outside the EEA are considered “adequate” by the Commission. Where that is the case, the organisation carrying out the data transfer need take no special steps.
Where the third country is not considered “adequate”, the GDPR provides several legal tools that data-transferring entities can use. The logical legal process to follow is therefore:
- first, verify whether there is an adequacy decision for the destination country;
- if not, opt for Binding Corporate Rules;
- if not, opt for certification or standard contractual clauses;
- ultimately, verify whether any of the special derogations could apply.
Once the intended data transfer meets the general requirements, the second step is to check whether transfers to the third country in question are permitted. A distinction must be drawn between secure and unsecure third countries. Secure third countries are those for which, pursuant to Article 45, the European Commission has confirmed a suitable level of data protection by way of an adequacy decision.
The legal effect of such a decision is that data can flow between the EU and EEA countries and the countries considered adequate without any further safeguard being necessary. In other words, transfers to the country in question are treated like intra-EU transmissions of data, thus creating an area of safe data flows.
The adequacy decision also guarantees that the country, territory or organisation considered adequate offers legal safeguards such as an independent data protection authority, mediation or legal recourse for EU citizens.
Binding corporate rules (“BCRs”) are internal rules for data transfers within multinational companies. They resemble a code of conduct and allow a multinational company to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of data protection. BCRs are very useful for multinational companies because they reduce the need for appropriate safeguards for each individual transfer and provide an internal guide for employees on the handling of personal data, as part of the GDPR’s ‘accountability’ principle.
Furthermore, the GDPR provides for two new transfer mechanisms:
- A code of conduct, which must be approved by the supervisory authority; and
- A certification mechanism, which must be approved by the supervisory authority or the relevant certification body.
A code of conduct or certification mechanism must be accompanied by binding and enforceable commitments on the part of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subject rights.
In the absence of an adequacy decision or other appropriate transfer mechanism, data transfers to third countries are only allowed if one of the conditions of Article 49 of the GDPR is met.
Derogations include, for instance, the explicit consent of the data subject, transfers necessary for the performance of a contract, and transfers necessary for legal claims or defence. The derogations should be used narrowly and only in exceptional cases. Compliance based solely on consent is a precarious legal basis (individuals can withdraw their consent at any time) and should not be relied on for international data transfers that take place on a large and/or structural basis.
The GDPR provides comprehensive guidance to EU member states on how to impose regulations, monitor entities, track complaints, conduct investigations, and impose fines or warnings, and it requires justification of any deviation from that guidance. It seeks to provide a consistent footing and an optimal balance between the private rights of EU citizens and the ability to conduct business within the EU.
Yet, since the EU GDPR’s implementation, not a single DPA has issued a fine against any entity, despite the rapid increase in complaints received. DPAs have, however, issued several notices to data controllers notifying them of violations and requesting a prompt response and a timeline, so as to avoid escalation to a fine. This is consistent with the EU’s approach to regulation, as it serves the objective of ensuring the highest rate of compliance, resorting to fines only as punitive measures.
Or perhaps the European Data Protection Board, the EU body responsible for GDPR oversight, is reserving its resources to regulate behemoths like Facebook and Google. There is no doubt that the risk of incurring a fine is imminent and enforceable for EU entities or foreign businesses with EU representation. The question remains open whether such fines are enforceable in non-EU jurisdictions against actors that have no presence in the EU but deal with EU citizens’ data.
Master 2 Cyberjustice – Promotion 2018-2019