Out-Law Analysis | 04 Jun 2018 | 3:28 pm | 4 min. read
The clarity is provided in new guidance published by the new European Data Protection Board (EDPB) (17-page / 750KB PDF), intended to help businesses comply with the General Data Protection Regulation (GDPR).
Although the guidance concerns derogations that apply to the GDPR's main rules on data transfers, the document provides a useful framework for businesses to follow when considering what they need to have in place for any data transfers they wish to make.
The GDPR stipulates that personal data transferred outside of the EEA must generally be subject to the same level of protection that applies to that information when in it is processed in the EEA. The GDPR sets out in law a number of ways in which this equivalent level of protection can be provided for.
In its guidance, the EDPB provided a checklist for general counsel and senior decision makers to go through to ensure their data transfers are compliant.
The first step, according to the guidance, should be to check whether the non-EEA country they wish to transfer personal data to "provides an adequate level of protection".
To-date, the European Commission has designated a number of non-EEA countries as providing for an adequate level of protection for personal data originating in the EU. Such a designation gives businesses comfort that the personal data they transfer to that destination is automatically considered to be protected in accordance with the GDPR.
The Commission considers a range of factors when assessing so-called 'adequacy'. These include the rule of law, respect for human rights and fundamental freedoms and domestic legislation in the 'third' country, as well as the existence or otherwise of an independent data protection regulator and the country's international commitments in particular concerning the protection of personal data.
Canada, Switzerland and New Zealand are among the countries that already benefit from a Commission 'adequacy decision'. Japan looks like being the next country that is added to the 'adequacy' list. The EU's chief Brexit negotiator, Michel Barnier, recently confirmed that the UK would need to obtain an adequacy decision post-Brexit to maintain the current ease with which data flows between the UK and EU countries.
The GDPR provides for data transfers to take place even if the destination non-EEA country does not benefit from an adequacy decision.
According to the EDPB's guidance, if there is no adequacy decision for the intended destination for data, businesses should consider whether they can put in place "adequate safeguards" to provide for GDPR-equivalent levels of protection for the transfers.
Safeguards listed under the GDPR include using EU model clauses that the European Commission has developed or establishing binding corporate rules that businesses commit to with regulators. It also provides for the possibility of data transfer safeguards being provided for within approved codes of conduct or under an approved certification scheme.
If the adequate safeguards cannot be put in place, businesses may nevertheless rely on one of the listed exemptions in the GDPR to proceed with data transfers.
The EDPB has been clear in its guidance, however, that the derogations can only be relied upon after data exporters have tried to provide for adequate levels of protection, either through transfers to 'adequate' countries or through the use of safeguards.
The derogations allow for data transfers to take place without adequate protections being in place in a number of scenarios. These include where the business has obtained the explicit consent of data subjects to carry out the transfer having explained the possible risks of the arrangement.
Other derogations include where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, and where the transfer is necessary for important reasons of public interest, where it is necessary to protect the vital interests of individuals where the data subject is physically or legally incapable of giving consent, or where it is necessary for the establishment, exercise or defence of legal claims.
Where none of the derogations listed apply, data transfers that are not repetitive and limited in volume may still be permitted where it is necessary "for the purposes of compelling legitimate interests" the business is pursuing, so long as those interests are not overridden by the interests or rights and freedoms of the data subject and "suitable safeguards" are provided for.
In its guidance, the EDPB highlighted wording in the GDPR which serves to limit the circumstances in which the derogations can be relied upon.
For example, the watchdog said the 'contract' and 'legal claims' derogations can only be relied upon for "occasional" transfers.
Although the other derogations are not limited in this way, the EDPB explained that all the derogations "must be interpreted restrictively so that the exception does not become the rule".
"Even those derogations which are not expressly limited to 'occasional' or 'not repetitive' transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place," it said.
Data transfer derogations could gain importance over time
The EDPB's guidance contains more detailed information about how each of the derogations apply and what general counsel and decision makers at Europe's top companies need to think about when intending to rely upon them for their data transfer arrangements.
It is a distinct possibility that the GDPR's data transfer derogations and the EDPB's guidance on them will become increasing important to businesses over time.
This is due to the fact that some of the existing mechanisms that businesses rely upon to underpin their data transfers are subject to legal challenge.
For example, the Court of Justice of the EU (CJEU) is set to determine whether EU model clauses – one of the adequate safeguards provided for under the GDPR – are valid for use for transferring data to the US, and potentially other non-EEA countries too.
In addition, the EU-US Privacy Shield – a framework that the European Commission has endorsed as providing adequate protection for personal data transferred to the US from the EU – is also subject to a legal challenge, while EU data protection authorities have also threatened to raise their own legal challenge against the framework.
Claire Edwards is an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.