Out-Law / Your Daily Need-To-Know

EU suggests certification schemes and codes of conduct could offer data transfer tools of the future, says expert

Out-Law News | 11 Jan 2017 | 3:08 pm | 4 min. read

Industry-developed certification schemes and codes of conduct backed by EU regulators could become the tools by which personal data is transferred globally in the future, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said a new paper issued by the European Commission demonstrated the EU body's appetite for new mechanisms for transferring personal data to emerge from certification schemes and codes of code provided for by the General Data Protection Regulation (GDPR).

Dautlich said that legal uncertainty over the future of some data transfer tools, including to EU model contract clauses, could help encourage the development of alternatives based on GDPR certification schemes and codes of code. A legal challenge against model clauses has been lodged in Ireland, with hearings due to begin next month. A separate legal challenge has been raised against the EU-US Privacy Shield, a framework which was set up last year to facilitate trans-Atlantic data flows.

The Commission's paper, on exchanging and protecting personal data in a globalised world, set out its hope for closer "convergence" of data protection legal frameworks around the world, to help the flow of data between businesses and other organisations based in different jurisdictions. It cited the potential of certification schemes and codes of code as data transfer tools.

"New transfer mechanisms such as approved codes of conduct and accredited third-party certifications provide industry with the possibility to introduce tailor-made solutions for international transfers while benefiting from the competitive advantages associated, for example, with a privacy seal or mark," the Commission said.

"Some of these instruments can be developed as transfer-specific mechanisms or as part of more general tools to demonstrate compliance with all the provisions of the GDPR, such as in the case of an approved code of conduct. The Commission will work with industry, civil society and data protection authorities with a view to harnessing the full potential of the GDPR toolkit for international transfers."

The paper also included a new strategy framework detailing the criteria the Commission will assess when taking so-called 'adequacy decisions'. Adequacy decisions involve designating countries as providing data protection that is "essentially equivalent" to that on offer in the EU. In essence, such designations mean pre-approving those countries as places which organisations can transfer data to and automatically know that those arrangements accord with the requirements of EU data protection law.

Dautlich said: "The Commission’s strategy will take on added importance if the current sets of model clauses do not survive the judicial scrutiny they are undergoing. We won’t know the outcome of that scrutiny, or which countries make the 'adequacy' grade under the Commission’s ambitious new strategy, for some time yet."

"In the meantime, a more tangible way for organisations to engage and exercise some control over their international data transfers is to consider certification schemes and codes of conduct as mechanisms to re-establish more legal certainty over such transfers. That said, as anyone knows who has ever been involved in promulgating such schemes or codes, they involve a unique combination of energy, patience and strong diplomatic skills," he said.

The ability to transfer personal data outside the European Economic Area (EEA) is restricted under existing EU data protection laws set out in the Data Protection Directive, and similar restrictions will apply under the GDPR when it takes effect on 25 May 2018.

If 'adequate protections' are put in place for data transfers, or if special derogations apply, such as a data subject's consent has been obtained to the transfer of personal data, then data can flow. Personal data can also be transferred to destinations that the European Commission has pre-approved as providing data protection that is "essentially equivalent" to that on offer in the EU.

A number of countries and territories already benefit from these adequacy decisions, including Argentina, Israel, New Zealand, Switzerland and Uruguay. Partial adequacy decisions have also been implemented for data transfers to Canada and the US.

In its paper, the Commission said business, geographical, cultural and political factors should be taken into account when determining whether it should open adequacy decision talks with individual countries.

The Commission said: "Under its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:  the extent of the EU's (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations; the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level."

The Commission said it plans talks with Japan and Korea this year on reaching 'adequacy decisions' in relation to those countries, and that similar discussions could be opened in India should the country modernise its data protection laws. In addition, the Commission said it would explore the potential for adequacy decisions "with countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an 'adequacy finding'".

The Commission said it would not engage in talks about an adequacy decision in the context of broader trade agreements between the EU and individual countries. However, it said reaching an adequacy decision could "ease trade negotiations" and "amplify" the benefits of existing trade deals.

The Commission also suggested that it is to open to talks with countries on partial, or sector-specific, adequacy decisions, for example in the context of financial services or in the technology market.

"For countries wishing to agree adequacy status with the Commission, stakeholders from quite a number of different disciplines will be useful on the working team – the Commission’s list of adequacy criteria presupposes a significant investigation into the target country far beyond mere judicial, legislative and regulatory matters," Dautlich said.

"For organisations wishing to do business with any country that makes it onto the adequacy list, they will certainly need to keep checking the list regularly. The inherently changeable nature of some of the Commission’s criteria means that the Commission’s findings are apt to change as governments in the target country come and go, or indeed other conditions change," he said.