The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU-based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA.
Recap on current framework
Transfers of personal data to a third country outside the EEA are allowed under the current Data Protection Directive only if one of the following requirements has been met:
- the Commission has established that the third country ensures an adequate level of data protection by reason of its domestic law or as a result of the international commitments it has entered into (the Commission has so far recognised eleven countries as providing adequate protection);
- adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights have been adduced, such as:
  - where the transfer is based on the EU Model Clauses;
  - where other transfer mechanisms recognised by European DPAs under the Data Protection Directive (such as Binding Corporate Rules (“BCRs”)) are in place;
- one of the derogations under the Data Protection Directive applies, such as where the data subject has consented to the transfer.
These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue with some variations.
The Regulation allows for the designation not only of third countries but also specific territories, sectors and states within such countries, as well as international organisations, as providing an adequate level of protection for personal data transferred from the EU. In addition, the Regulation sets out in more detail the procedure and criteria for the Commission’s adequacy decisions, including a requirement for a decision to be reviewed at least every 4 years and a mechanism under which the Commission can decide that a third country no longer ensures an adequate level of protection.
Although existing adequacy decisions made by the Commission under the Data Protection Directive will remain in force, the Commission will be under an ongoing obligation to monitor developments in third countries which could affect the adequacy decisions awarded under the Data Protection Directive.
The Regulation recognises and preserves the existing transfer mechanisms under the Data Protection Directive for transfers of personal data to third countries which do not provide an adequate level of data protection.
However, while several Member States currently require under the Data Protection Directive that a transfer to third countries outside the EU/EEA be notified to or authorised by local DPAs, in particular where the transfer is based on EU Model Clauses or BCRs, the Regulation explicitly provides that this will no longer be the case.
In addition to this improvement, the Regulation further extends the options and procedures available to data controllers (and to data processors) to legitimise international transfers, with the options now including:
- BCRs: BCRs (including BCRs for processors) are given specific recognition in the Regulation, which also sets out in detail the content they must include and the procedure under which they will be approved;
- standard contractual clauses: adopted by the Commission (including the existing EU Model Clauses, which will remain valid under the Regulation unless they are specifically amended or repealed by the Commission);
- standard contractual clauses adopted by a DPA and approved by the Commission;
- an approved code of conduct: groups of data controllers represented by an association will be able to prepare codes of conduct which set out how they comply with the Regulation. These codes will be approved by the competent DPA (or the DPA and the European Data Protection Board) and may then be adopted (by way of ‘binding enforceable commitments’) by entities which are not subject to the Regulation to provide appropriate safeguards for personal data transferred to them;
- an approved certification mechanism, seal or mark: the Regulation creates a mechanism under which data protection certifications, seals and marks can be established. Entities which are not subject to the Regulation will be able to obtain these certifications, seals and marks and make ‘binding enforceable commitments’ to comply with them to demonstrate that they offer appropriate safeguards for personal data transferred; and
- other contractual clauses authorised by a data protection authority in accordance with the so-called ‘consistency mechanism’ (so-called “ad hoc” contractual clauses).
The derogations set out in the Data Protection Directive will continue to apply under the Regulation. In addition, the Regulation provides that, where none of the other derogations for a specific situation is applicable, transfers which are not repetitive and involve only a limited number of data subjects could be allowed if the transfer is necessary for the ‘compelling’ legitimate interests of the data controller. If the data controller wishes to rely on this derogation, it must have assessed all the circumstances surrounding the transfer, and must have adduced appropriate safeguards based on that assessment. In addition, the data controller must:
- inform both the DPA and the data subject of the transfer, and tell the data subject what the ‘compelling legitimate interest’ on which it is relying is; and
- keep a full record of the transfer, the assessment conducted and the ‘appropriate safeguards’ implemented.
Transfers required by the law of a non-EU country
As anticipated, the Regulation specifically addresses transfers of personal data required by a non-EU court, tribunal or administrative authority. If a controller or processor receives a request from one of these bodies and cannot rely on another basis for a transfer to it, the request will only be recognised under the Regulation if it is based on an international agreement (such as a mutual legal assistance treaty) in force between the non-EU country and the European Union or a Member State. The UK government has already indicated that it intends to opt out of this provision.
Likely practical impact
Under the Regulation specific territories within a country (e.g. single U.S. States) may qualify as providing for an adequate level of data protection. The Commission may also decide that specific industry sectors or international organisations are adequate in terms of data protection. Initially such standards are likely to be found in sectors in which high privacy standards already exist (e.g. the banking and/or insurance sectors).
The Regulation prevents local DPAs from requiring any specific authorisation for cross-border transfers outside the EEA if the requirements of the Regulation are otherwise met. For multinational companies relying on EU Model Clauses or BCRs to legitimise their transfers, this will drastically reduce the administrative burden – the days of local administrative differences or further notification or approval requirements will be over.
The Regulation formally recognises BCRs as a valid transfer mechanism and sets out uniform rules for their adoption, further strengthening the role of BCRs as a mechanism to enable cross-border transfers. The likely practical impact is that we will see an increasing number of companies implementing BCRs.
It remains to be seen how the new transfer mechanisms, such as approved codes of conduct or certification mechanisms, will be implemented in practice. However, these mechanisms may also be interesting solutions for controllers and processors not established in the EU, as a way of providing appropriate safeguards for international data transfers from the EU.
What to do now
- Identify the key international data flows carried out in the context of an organisation’s core operations.
- Assess what mechanisms are currently in place to legitimise international data transfers and assess their validity under the Regulation.
- For intra-group data transfers, consider carrying out a BCR gap analysis to determine the practical viability of BCRs.
- For transfers of data to third party suppliers (e.g. cloud service providers), deploy a flexible contractual mechanism that also covers sub-contracting.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”