One of the key objectives of the GDPR is ensuring an equivalent level of protection of persons and the free flow of personal data throughout the European territories. To that end, it includes different mechanisms including the establishment of an independent public authority in each member state responsible for monitoring the application of the Regulation and the effectiveness of the data protection rights of individuals across the Union.
However, when personal data is transferred or made available outside the European territories, there is a risk that these protections and the effectiveness of the individual’s rights would diminish. For this reason, the GDPR establishes limitations for transferring personal data to countries outside the EU/EEA jurisdictions unless appropriate safeguards are in place. The purpose of this measure is to ensure that personal data remains protected outside of European jurisdiction.
The regulation establishes different data transfer mechanisms that companies can implement depending on the country of destination and the nature of the transfer. The most common data transfer mechanisms include:
- Adequacy Decisions
- Standard Contractual Clauses
- Authorization from the competent Data Protection Authority
- Binding Corporate Rules
Data transfer mechanisms for the transfer of personal data outside EU/EEA
Adequacy Decisions are European Commission’s (EC) decisions stating that a specific country ensures an ‘adequate’ level of data protection. These decisions have been approved by the European Commission through time and are publicly available on its website.
1. Transfers based on Adequacy Decisions
So far, the EC has recognized the following countries as providing an adequate level of protection:
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
- United States of America (limited to the Privacy Shield framework)
- South Korea (adequacy talks are ongoing)
In the context of data transfers, these countries are like extensions of the European territory. Accordingly, transfers of personal data originating in the EU/EEA to these countries (or to Privacy Shield certified companies) are equivalent to transfers between 2 EU/EEA territories. This means that no other transfer mechanisms are necessary; nonetheless, other GDPR requirements would still apply (e.g. when the transfer involves engaging with a vendor that process personal data on behalf of a controller, a controller-processor agreement should be in place).
With regards to the US companies certified under the Privacy Shield framework, transfers to these organizations have a similar consequence; however, the Privacy Shield establishes its own provisions in addition to the GDPR that should also be considered, including some restrictions in the context of clinical trials or regarding onward transfers outside the US.
2. Standard Contractual Clauses (SCC) approved by the European Commission
The European Commission has approved two main templates of Standard Contractual Clauses to address transfers of personal data from EU/EEA controllers to non-EU/EAA controllers/processors. These templates are available in the following links:
- Controller-Controller SCC: EU/EEA-based controller to non-EU/EEA based controller.
- Controller-Processor SCC: EU/EEA-based controller to non-EU/EEA based processor.
This mechanism has been largely implemented by multiple companies to address transfers between companies located in the European territory to companies located elsewhere. Under the GDPR, SCCs do not need to seek approval from the EU supervisory authorities.
The SCCs can only be signed between an EU/EEA based entity (acting as controller) and a non-EU/EEA based entity (acting as co-controller or processor). Although, in case of onward transfers, it is authorized that all recipients sign the SCCs with the original controller.
This mechanism is appropriate for specific data transfers from the EU/EEA to another country, but when those are used to address multiple transfers or involve numerous onward transfers to sub-processors, it requires drafting a myriad of contracts that would need to be customized, including the type of individuals concerned, purposes of the transfer, categories of data, recipients, security measures, etc.
For companies operating worldwide, which need to transfer personal data to multiple locations on a regular basis, including numerous onward transfers, the task of maintaining up to date SCCs present significant challenges from an economical and effective perspective, including lack of compliance due to defective monitoring. In addition, the validity of these clauses is currently under scrutiny before the ECJ, as a result of the Facebook case initiated by privacy activist Max Schrems.
This means that, in case SCCs survive this challenge, the EC is already preparing updates to these terms that may be potentially significant, requiring monitoring through time. However, if the ECJ decides that these Clauses are no longer valid, it could result in a massive breach of compliance with the transfers requirements, entailing some of the highest fines of the GDPR.
3. Seeking approval from the regulator
This procedure entails engaging with supervisory authorities to get approval of ad hoc contractual terms that a company wants to use to legitimize data transfers. The procedure should ensure that these contractual terms and safeguards ensure an equivalent level of protection as other transfer mechanisms.
Some companies have taken this approach by using the SCCs as a baseline and changing some of the clauses to facilitate operationalization of certain requirements, specially with regards to the restrictions for engaging new processors and sub-processors and with regards to their clients’ audit rights. Although this solution is very effective, having used the SCCs as a basis to provide adequate safeguards to these ad hoccontractual terms, a potential challenge to the SCCs may also impact their validity.
4. Relying on derogations
The GDPR also provides a list of derogations that companies can use as a last resource when no other transfer mechanisms could be implemented. One of the derogations is the explicit consent of individuals. However, obtaining consent can be incredibly challenging.
The European Authorities have approved some guidelines on these derogations showing a restrictive interpretation for their interpretation while stressing their exceptional nature.
5. Binding Corporate Rules (BCRs)
5.1 Introduction and origin of BCRs
Binding Corporate Rules (BCRs) are another tool for international data transfers and must be distinguished from codes of conduct that refer to a specific sector.
BCRs allow multinational corporations to make intra-organizational transfers of personal data across borders in compliance with GDPR. This means that for transfers to third parties (e.g. external vendors) additional transfer mechanisms should be put in place.
This mechanism is especially useful for organizations that have massive data transfers with numerous affiliates located worldwide; although, it is not very useful for loose conglomerate groups. It covers all types of information transferred within the multinational group, and it is possible to differentiate certain categories of data (outside the scope of the GDPR) which would not be subject to the same requirements, allowing for a great flexibility of data flows within the group.
BCRs are the most robust transfer mechanism currently available for companies. But this was already true under the previous regime, although not expressly included in the old Directive 95/46/EC. By then, the EU Data Protection Authorities (EU DPAs) developed a “tool box” providing guidance on BCRs. This first set of rules was intended to regulate the transfers of personal data that were originally processed by an organization as Controller within the same corporate group.
Later on, in 2012, the EU DPAs introduced the BCR for Processors, as a response to outsourcing industry requests (including cloud providers, data centers, global software providers) for a new legal instrument to legitimize cross border transfers in the outsourcing business. This mechanism would allow these organizations to efficiently legitimize massive transfers made by a Processor to sub-processors (part of the same organization) acting on behalf and under the instructions of multiple controllers.
With the GDPR though, BCRs are expressly recognized in arts. 46-47, which are also complemented with new cooperation procedures to facilitate and streamline the approval process. In addition to that, one of the first acts of the European Data Protection Board (EDPB) when the GDPR entered into force was to expressly endorse 4 relevant documents part of the “tool box” guidelines for BCRs developed under the previous regime, which demonstrates their clear preference and commitment with this mechanism.
5.2 Key elements of a BCR program
The BCR’s procedure requires companies have a solid and well detailed program tailored to their particular needs, considering their industry sector, organization, data flows and how personal data is processed. The development, time, and cost of BCRs highly depends on the maturity of the privacy program currently in place and should be approved by the Supervisory Authority in accordance with the consistency mechanism.
These rules should be legally binding and enforced by every member of the corporate group, including their employees, and expressly provide enforceable rights to data subjects.Every entity acting as data controller shall be responsible for and able to demonstrate compliance with the BCRs.
- Structure and contact details of the group of undertakings and of each of its members
- Describe the material scope of the transfers including: categories of personal data, type of processing, purpose, type of data subject, identification of recipients in third country
- Should have a legally binding nature, internally and externally;
- Application of general data protection principles (purpose limitation, data minimization, limited storage periods, data quality, data protection by design/default, legal basis for processing, processing of special categories of data, security, and also requirements reonwardtransfers to bodies not bound by the BCRs
- Rights of data subjects and complaint procedures. Implement means to exercise those rights, including automated decisions, right to lodge a complaint with the supervisory authority and courts of member state, and to obtain redress and compensation for a breach of the BCRs
- Acceptance ofliabilityby the controller or processor established on the territory of the member state for breaches of the BCRs by any member not established in the Union – there is an exemption in whole/part if it proves that that member is not responsible for the event giving rise to the damage
- Transparency and Right to information about BCRs (d, e, f), in addition to provide privacy notices according to arts. 13 and 14 GDPR
- Tasks of the Data Protection Officeror any other person/entity in charge of the monitoring compliance with the BCRs, as well as monitoring training and complaint-handling
- Data protection audits, and methods for ensuring corrective actions;
- Mechanisms for reporting and recording changes to the rules, and reporting those changes to the supervisory authority;
- Cooperation mechanisms with the supervisory authority:
a) making available to the supervisory authority the results of audits and changes
b) reporting any legal requirement to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided– including legally binding request for disclosure by a law enforcement authority or state security body
- Appropriate data protection training to personnel having permanent or regular access to personal data
In addition to the flexibility on facilitating international data transfers within the corporate group, it’s a powerful tool to demonstrate compliance before data subjects, clients, partners, and Supervisory Authorities, and, as a consequence mitigates potential audit requests.