GDPR - Cross-border data transfers

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the transfers of personal data to ‘third countries’ and the different legal bases for such transfers.

General principle for legitimate data transfers

The GDPR does not make radical changes to the provisions of the EU Data Protection Directive (Directive 95/46/EC) regarding cross-border data transfers.

The GDPR does however introduce some new legal grounds for cross-border data transfers, as well as significant changes to the recognition of “adequate” countries.

Read more below on these changes and their impact on cross-border data transfers. We will also discuss the requirements for personal data transfers when there is no “adequacy” decision, as well as the specific characteristics of these alternative legal grounds and exceptions.

Free data flows to “adequate” third countries

As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection.

Third countries’ level of personal data protection is assessed by the European Commission through ‘adequacy findings’, which are binding in their entirety to all Member States. Once the “adequacy” of a third country has been recognised, personal data can be transferred to this country without having to take further protective measures.

The existing adequacy findings will all be grandfathered under the GDPR. A current list of “approved countries” is available here.

A novelty in the GDPR with respect to adequacy decisions is that they are subject to periodic review, at least every four years, taking into account all relevant developments in the relevant third country. The GDPR furthermore obliges the European Commission to monitor on an ongoing basis developments that could affect the proper functioning of existing adequacy decisions. The GDPR has also introduced the possibility of adequacy decisions being repealed, amended or suspended.

One of the most heavily debated existing adequacy findings is the EU-US Privacy Shield, replacing the Safe Harbor which was struck down by the EU Court of Justice in the Schrems case (C-362/14). Certification under the Privacy Shield is achieved by voluntary commitment to a set of data processing principles. Members are subject to supervision by the US Federal Trade Commission. The Privacy Shield has been adopted on 12 July 2016. It has, however, already been subject to a legal challenge by the Privacy advocacy group Digital Rights Ireland (click here) and – in particular in view of the political developments in the US – risks not surviving this challenge (or its next formal review, planned in September 2017).

Restricted data flows to “non-adequate” third countries

In the absence of an adequacy decision, personal data may in principle only be transferred to third countries (i) if the controller or processor exporting the data has himself provided for “appropriate safeguards”, and (ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

The most relevant “appropriate safeguards” are the following:

 Binding Corporate Rules (BCRs) 
  • Internal code of conduct adopted by multinationals to allow transfers between different branches of the organisation (useful for intra-group data transfers).
  • New: GDPR expressly recognises BCRs for both controllers and processors and lists a number of mandatory elements to be included in BCRs.
  • Require approval from a supervisory authority, but once approved, individual transfers under the BCRs do not require further authorization.
 Contractual clauses

(a) Standard Contractual Clauses (SCCs)

  • Adopted by the European Commission.
  • Adopted by a national authority and approved by the European Commission.
    (new under the GDPR: without requiring any further notification or authorization)

(b) ‘Other’ contractual clauses

  • Ad hoc contractual clauses between data exporter and data importer can be deemed “appropriate”, provided that these have been submitted to and authorised by the competent supervisory authority.
 Approved Codes of Conduct / certification mechanisms

See our previous GDPR Update on Codes of Conduct and Certification.

Existing BCRs or SCCs implemented under the Directive 95/46/EC remain valid until amended, replaced or repealed in accordance with the GDPR.

Exceptions / derogations for specific situations

In the absence of either an adequacy decision or the implementation of “appropriate” safeguards as listed above, a cross-border transfer may only still take place in one of the following cases:

  • the data subject has explicitly consented to the proposed transfer, after having been duly informed hereof (and of the possible risks);
  • the transfer is necessary for the performance of a contract between the data subject and the controller (or the implementation of pre-contractual measures);
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons (where the data subject is incapable of giving consent);
  • under certain conditions, when the transfer is made from a register which is intended to provide information to the public; or
  • only if none of the other derogations listed above can be applied (and provided that the supervisory authority is informed of the transfer): if the transfer (i) is not repetitive, (ii) concerns only a limited number of data subjects, (iii) is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and (iv) the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.

New: Transfers not authorised by EU law

Finally, the GDPR expressly confirms that, if no other legal ground is available, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if based on an international agreement (such as a mutual legal assistance treaty) in force between the requesting third country and the EU or a Member State. The exact scope of this provision still needs to be further clarified, but already promises to lead to an interesting debate.

Summary - Controllers and processors to do list:

Identify and map all cross-border data flows.
Examine and assess for each of these flows whether (i) the receiving country is an EEA Member State or deemed “adequate”, (ii) if not, whether any “appropriate safeguards” have been put in place, and/or (iii) if not, whether any specific derogations apply.
Determine whether you intend to adhere to an approved code of conduct / certification mechanism and do so in due course.