The transfer of personal data to third countries has been an important topic that is currently coming to the attention of the wider public, especially since the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“).
This applies not only in the context of the adoption of the European Commission’s implementing decision of 10 July 2023 on the adequate protection of personal data provided by the EU-US Data Privacy Framework (“DPF“).
General
The principle of free movement of personal data applies across the Member States of the European Union, or the European Economic Area, as the same standard of protection is set across Member States.
In principle, personal data transferred to third countries must be afforded the same level of protection as when transferred within the EU, which can be achieved in various ways.
The purpose of the transfer of personal data is to migrate the protection of personal data together with the personal data itself.
A controller or processor transferring personal data from the EU to a third country (outside the EU, EEA) may be in different transfer regimes:
- the transfer is made possible on the basis of an adequacy decision,
- handover is possible on acceptance of appropriate guarantees, most commonly standard contract clauses (SCC) or binding corporate rules (BCR),
- special transfers of personal data to U.S. certified organizations under the DPF, or
- in the absence of the above schemes, transfers may be based on so-called exceptions.
The controller or processor cannot transfer personal data to third countries without further notice and must inform the data subject of this fact.
Together with this, it is also obliged to explain to the data subject under which regime his or her personal data are transferred and, if the transfer is not based on the existence of an adequacy decision, to communicate the safeguards adopted.
When is personal data transferred?
For a long time, the concept of transfer has not been enshrined and defined anywhere, but in its Guideline No. 5/2021[1] the European Data Protection Board (“EDPB“) has attempted to do so by setting out three criteria that must be cumulatively met to constitute a transfer of personal data:
- the data exporter is a controller or processor subject to the GDPR, specifically Article 3;
- the exporter transfers or discloses personal data to another controller or processor referred to as the data importer during processing; and
- the data importer is located in a third country or is an international organisation, regardless of whether it is subject to Article 3 of the GDPR.
Given the relatively new area, the EDPB has provided an overview of the possible situations where a transfer is involved and in which example it is not.
Examples of situations that are transfers and to which Chapter V applies include the transfer of personal data from a subsidiary (controller) to its parent company (processor) in a third country or the transfer by an EU processor back to its controller in a third country, even if the personal data are of non-EU subjects.
In addition to these situations, the EDPB highlights scenarios to which the GDRP (Chapter V) does not apply. To illustrate, there is no transfer if a controller in a third country processes personal data directly from data subjects in the EU (e.g. a citizen of an EU country ordering from an e-shop in a third country), nor if an EU employee travels abroad on a business trip and discloses personal data. However, a different scenario would arise in the latter case, assuming a self-employed person travels and acts as a controller, in which situation the GDPR would of course apply.
Adequacy decision
The European Commission issues an adequacy decision if a third country as a whole or a specific sector or part of a territory ensures an adequate level of protection of personal data and can thus be considered a safe third country. As part of the assessment, the European Commission evaluates the rule of law, human rights, the international obligations of the third country, etc.
The practical consequence for both the Member States and the third country concerned with this Decision is an easier transfer of personal data without unnecessary administrative burdens, as the third country is at the level of the EU/EEA Member States in the area of transfer and therefore no guarantees are required from the controller or processor.
More than 23 years have passed since the first such decision by the European Commission, and in that time several countries have been deemed safe for the transfer of personal data.
The European Commission publishes all of its decisions on its website, a list of which can also be found in the Official Journal of the European Union or on the website of the Office for Personal Data Protection (“OPDP“).[2]
The list includes Israel, New Zealand, Japan, the United Kingdom, and the most recent decision issued concerned the Republic of Korea. In addition to decisions on transfers to specific countries, some decisions concern specific laws.
In view of the 2018 GDPR and the changes it has brought, it is necessary to review the decisions made by the European Commission prior to its entry into force. This review will result in a summary report assessing each “safe“ country and is scheduled for publication in October 2023.
Transfers based on the acceptance of appropriate safeguards
The transfer of personal data to countries without an adequacy decision is only possible if three criteria are met:
- the controller or processor provides sufficient guarantees,
- enforceable rights of the data subject are available; and
- the existence of effective legal protection for the data subject.
The controller or processor may choose the instrument to achieve the appropriate safeguards at its own discretion, and most instruments are not subject to authorisation by the supervisory authority (OPDB). In general, standard contractual clauses and binding corporate rules are the most commonly used and do not require authorisation, however, if the controller or processor wishes to use ad hoc contractual clauses, authorisation needs to be requested from the OPDP.
The standard contractual clauses approved by the European Commission are more flexible than the previous ones, with four modules covering common transfers:
- administrator – administrator,
- administrator – processor,
- processor – processor, and
- processor – administrator.
Provided that the parties have concluded standard contractual clauses, there is no longer any need for them to conclude a data processing agreement at the same time.
In addition to standard contractual clauses, despite the complexity of the recruitment process, binding corporate rules are widely used. The BCR is a pre-approved set of policies for processing personal data within an organization that is legally binding for its members and employees. Compared to standard contractual clauses, however, they are not flexible given their challenging adoption process, which can take up to 2 years.
Transfer of personal data to the USA – Data Privacy Framework
A new development that resonates throughout the legal landscape dealing with personal data is the new privacy framework, which was confirmed by the European Commission on 10 July 2023 with the adoption of the adequacy decision.
For now, the transfer of personal data to the US is at least partially back on track after the previous Privacy Shield framework was struck down by the EU Court of Justice in a decision known
as Schrems II.
The DPF is based on President Biden’s Executive Order No. 14086 of 7 October 2022, strengthening safeguards related to U.S. signals intelligence activities. The basis of the substance of the DPF on a non-legislative act is considered undesirable by the EDPB, as the executive order can be subsequently amended by amendments without the contents being publicly known.
The reaction from the EU was not long in coming and in February 2023, EDPB Opinion No 5/2023[3] was adopted on the draft adequacy decision in the context of the EU-US Privacy Shield Framework. In its opinion, the EDPB takes a positive approach to the DPF, as there are improvements compared to the previous legal framework, in particular the DPF seeks to address the shortcomings highlighted in the Schrems II decision.
On the other hand, the EDPB is concerned about the lack of application of the key principle of proportionality and, in particular, that it should be applied in the sense of European law. The different interpretation of the concept of proportionality in the US and the European environment is a central point of the negative reactions to the DPF and also one of the main arguments in the complaints lodged or planned to the CJEU.
Although this is a new privacy framework, it does not differ much from its predecessors and operates again on the principle of importer certification administered by the US Department of Commerce and overseen by the Federal Trade Commission and the US Department of Transportation, respectively. This similarity to previous EU-US privacy frameworks is also one of the reasons why it is already certain that the independent organisation NOYB, led by its founder Max Schrems, will file a complaint in the first half of 2024.
The transfer of personal data to US organisations, importers, is only allowed if they are certified, thereby publicly committing themselves to comply with the rules set out in the DPF.
A US organisation listed on the publicly available list of certified organisations[4] is considered secure and can be transferred personal data as if it had been subject to an adequacy decision, so there is no need for standard contractual clauses, TIA implementation, etc.
The certification itself is valid for 1 year and then it is necessary to apply for an extension. Certification must be applied for even if the U.S. organization has already been certified under a previous privacy framework. However, the data exporter must check not only the presence of the importer on the list of certified US organisations, but also its validity and what personal data is covered by the certification – this may be HR data or personal data of a different nature. In addition to certification, to enable the transfer of personal data from the EU, the importer must have in place a means of dealing with complaints made by data subjects.
Czech companies now most often transfer personal data to the US under contractual clauses, and even if the new US organisation is on the public list, it is recommended that existing contractual clauses or other safeguards be left in place, given the expected complaints and uncertain developments in the matter. The first complaint against the DPF has already been lodged with the EU Court of Justice by French Parliament member Philippe Latombe.
Transfer on the basis of so-called exemptions
The collecting category, unless there is an adequacy decision or the exporter has given reasonable assurances, is transfers based on exemptions for specific situations based on Article 49 GDPR, without the need for the consent of the OPDP.
The application of the exemptions is more closely addressed in Guidance No. 2/2018[5] of 25 May 2018, which, among other things, warns of the possibility of overuse of the exemptions, as they are the last resort when transferring personal data to third countries, and it is therefore necessary to take a restrictive approach to the interpretation of the exemptions.
Specific situations include, for example, transfers based on explicit consent, transfers necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject, transfers necessary for important reasons of public interest, etc.
Summary
Due to the constant developments in the field of data protection, currently especially in the field of transfers to the USA, it is important to keep up to date with the current rules and pay attention to the standards set in the EU. If you need to transfer personal data to other countries, it will always be easiest to carry out such transfers within the EU.
In the event that a transfer to third countries cannot be avoided, it is always necessary to follow the currently issued adequacy decision and, in the absence thereof, to check sufficiently whether the importer of personal data guarantees a safe transfer or even whether one of the exceptions applies.
We at PEYTON legal will monitor developments in the area of personal data transfers, particularly in relation to transfers to the USA.
[1] EDPB, Guidance 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. In: edpb.europa.eu. [online]. 14 February 2023 [cited 2023-10-06]. Available from: https://edpb.europa.eu/system/files/2023-02/edpb_guidelines_05-2021_interplay_between_the_application_of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf
[2] Data Protection Authority, Transfers based on an adequacy decision. In: uoou.cz. [online]. [cited 2023-10-06]. Available from: https://www.uoou.cz/predavani-zalozene-na-rozhodnuti-o-odpovidajici-urovni-ochrany-osobnich-udaju/ds-5065
[3] EDPB, Opinion No 5/2023 on the European Commission’s Draft Implementing Decision on adequate protection of personal data under the EU-US Data Privacy Framework. In: edpb.europa.eu. [online]. 28 February 2023 [cited 2023-10-06]. Available from: https://edpb.europa.eu/system/files/2023-02/edpb_opinion52023_eu-us_dpf_en.pdf
[4] United States Department of Commerce, Data Privacy Framework List, In: dataprivacyframework.gov. [online]. 13 July 2023 [cited 2023-10-07]. Available from: https://www.dataprivacyframework.gov/s/participant-search
[5] EDPB, Guidance 2/2018 on derogations of Article 49 under Regulation (EU) 2016/679, In: edpb.europa.eu. [online]. 25 May 2018 [cited 2023-10-07]. Available from: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf
Tereza Benešová, Legal Assistant – benesova@plegal.cz
Mgr. Jakub Málek, managing partner – malek@plegal.cz
Mgr. Radim Šulc, Associate – sulc@plegal.cz
24. 10. 2023