As today’s world becomes increasingly connected, it is no wonder that the transfer of personal data abroad is becoming more and more common, for multinational companies and for many smaller companies alike. The rapid development of modern technology and the shift of corporate activities to the online space allow companies to share data in real time. Such sharing very often involves the transfer of personal data to third countries.
The General Data Protection Regulation (hereinafter “GDPR”), which has applied since 25 May 2018, sets the standards for the transfer of personal data abroad. Since then, the Court of Justice of the European Union (hereinafter “CJEU”) has had to deal with several issues relating to the transfer of personal data abroad and to ensuring that the processing of personal data in non-EU/EEA countries complies with the requirements of the GDPR. The European Commission (hereinafter “Commission”) has also adopted a decision on new standard contractual clauses that reflect the requirements of the GDPR.
The aim of this article is to provide a brief summary of the rules on the transfer of personal data abroad in light of the CJEU’s case law and the European Commission’s decisions, as well as recommendations on how to effectively manage the issue in practice.
When we talk about transfers of personal data abroad, we mean transfers to third countries, i.e. countries outside the EU/EEA. There is no need to regulate data transfers within the EU/EEA, as the legal framework for personal data protection is fully harmonised under the GDPR. A transfer of personal data to a third country is any communication, disclosure or other provision of personal data to a controller, processor or other recipient in a third country, regardless of where the data are physically stored; remote access from a third country to data stored in the EU/EEA is therefore also a transfer. To transfer data to a third country lawfully, the conditions of at least one of the legal grounds defined in the GDPR have to be met. These legal grounds are as follows:
- transfer based on an adequacy decision,
- transfer based on appropriate safeguards and
- transfer based on exemptions for specific situations.
Transfers on the basis of an adequacy decision
If the European Commission decides that a third country ensures an adequate level of protection, it is possible to transfer personal data to that country without any specific authorisation. Adequacy decisions currently exist for Andorra, Argentina, Canada (commercial organisations only), Switzerland, Israel, Japan, New Zealand, Uruguay, the Faroe Islands, Guernsey, the Isle of Man, Jersey and, since June 2021, the United Kingdom. The US was also part of this group until the CJEU invalidated the Privacy Shield adequacy decision in July 2020 (see the Schrems II judgment below).
Transfers subject to appropriate safeguards
The GDPR distinguishes between two categories of appropriate safeguards on the basis of which transfers to third countries may be carried out. The first category comprises safeguards that are adopted, or have been approved, by a supervisory authority or by the European Commission. Once such a safeguard exists, it can be used as it stands, without any further specific authorisation from a supervisory authority. These are as follows:
- binding corporate rules,
- standard contractual clauses,
- approved code of conduct,
- approved certification mechanism.
Binding corporate rules are a set of internal rules, approved by the competent supervisory authority, which bind a group of undertakings or a group of enterprises engaged in a joint economic activity. These rules must specify, in particular, the categories of data and types of transfers, the third countries concerned, the liability of the individual group companies involved, and other matters.
Standard contractual clauses are a model contract text that an EU/EEA controller or processor concludes with a controller or processor in a third country. The text can be incorporated into another contract or into terms and conditions, or used as a stand-alone contract. The standard contractual clauses contain different options (modules) for the transfer of personal data to third countries (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller) and are intended to ensure that the processing of personal data in third countries complies with the requirements and standards observed in the EU/EEA. The parties can thus choose the module that fits their relationship. Because of their relative ease of use, standard contractual clauses are one of the most widely used tools for the transfer of personal data to countries outside the EU/EEA.
In July 2020, the CJEU ruled in Case C-311/18 (hereinafter “the Schrems II judgment”) that the so-called Privacy Shield was invalid, without any transitional period. The Privacy Shield constituted the legal basis for the transfer of personal data to the US, and the Commission’s decision finding that the US ensures an adequate level of protection of personal data was annulled by this judgment. The Schrems II judgment has thus made the transfer of personal data to the US much more difficult. The CJEU held that personal data transferred to a third country must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. The CJEU also dealt with the validity of the Commission’s decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC. It concluded that the decision was valid, but emphasised that the clauses alone do not bind the authorities of the third country: the data exporter, together with the importer, must assess case by case whether the law and practice of the destination country undermine the protection the clauses provide and, where they do, must adopt supplementary measures that ensure the required level of protection or else suspend the transfer.
Following this judgment, the Commission adopted on 4 June 2021 a decision on new standard contractual clauses that takes the requirements of the GDPR into account and repealed the old standard contractual clauses with effect from 27 September 2021. From that date, new contracts must use the new clauses. Contracts concluded on the basis of the “old” standard contractual clauses before 27 September 2021 may continue to be relied upon until 27 December 2022, but only if the processing operations remain unchanged; after 27 December 2022 they must be replaced with the new clauses. Approved codes of conduct and certification mechanisms are, for the time being, largely dead letter as transfer tools: there is currently an approved code of conduct only for cloud services, and the certification mechanisms do not yet work in practice.
The second category of appropriate safeguards includes custom (ad hoc) contractual clauses, which the parties draft themselves. Such clauses must be authorised by the competent supervisory authority before they can be used as a basis for data transfers to third countries.
Transfers based on derogations for specific situations
In cases where there is neither an adequacy decision nor one of the appropriate safeguards described above, a transfer may take place only in the following situations:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which, under EU or Member State law, is intended to provide information to the public and is open to consultation by the public in general or by any person who can demonstrate a legitimate interest.
What is the most effective way to solve transfers of data to third countries?
The answer to this question depends on the particular situation. Relying on one of the above derogations is appropriate where an organisation does not normally transfer personal data to third countries but a rare situation arises that requires a one-off transfer. The derogations must be interpreted restrictively: the contract-related and legal-claims derogations are meant for occasional transfers, so regular, repetitive data flows should not be built on them.
In most cases, therefore, it will not be possible or practical to use one of the derogations. The easiest way, then, is to use standard contractual clauses as the basis for transfers. Bear in mind that, after the Schrems II judgment, signing the clauses is not the end of the exercise: the exporter must also assess the law and practice of the destination country and, where necessary, put supplementary measures in place. In view of the Commission’s new decision, we also recommend reviewing the existing contractual documentation relating to the transfer of personal data to third countries to see which standard contractual clauses are in use and to ensure that they are replaced where necessary.
Binding corporate rules are the most appropriate instrument for multinational groups in which data transfers abroad are a regular part of the business. In such cases it makes sense to adopt unified, sophisticated and robust rules that govern all the group’s transfers. Custom clauses can be recommended where the standard contractual clauses do not fit the situation and adopting binding corporate rules would be an unnecessarily heavy solution.
If you need help with setting up GDPR processes, do not hesitate to contact us. We will be happy to help you with a review of your company’s process setup.