Personal Data Protection Regulation and International Transfers

What is the state of transatlantic EU-US personal data transfers?

Scytl · 6 min read · Jul 12, 2023

Increasingly, data protection regulations impose restrictions on where data can be processed. Be it as part of a law, a contractual obligation, or a technical requirement, it is common that personal data cannot leave a territory, a country, or a region.

A good example of this obligation can be found in the European Union’s General Data Protection Regulation (EU’s GDPR), which deals with international transfers of personal data to third countries and/or international organizations in Chapter V. Likewise, there are jurisdictions in Canada that have similar requirements (e.g., Nova Scotia’s Personal Information International Disclosure Protection Act, when it comes to public bodies and municipalities).

The rationale for this obligation, at least in the case of the EU, is that the transferring of personal data to a third country should not undermine the level of protection guaranteed by the GDPR. The just adopted EU-U.S. Data Privacy Framework will allow organizations to more easily transfer personal data from the EU/EEA (European Economic Area) to the US.

International transfers under the EU’s GDPR

But in a global, borderless Internet, what counts as an international transfer of personal data? In the case of the GDPR, the European Data Protection Board (EDPB) understands that an international transfer takes place when the three following requirements are met:

· A controller or a processor is subject to the GDPR for the given processing.

The territorial scope of the GDPR:

It is important to recall that the EU’s GDPR applies as follows (art. 3):

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

· This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).

· The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect to the given processing in accordance with Article 3.

Therefore, an international transfer could take place when a website from an organization in the EU (the “exporter”) sends visitor data to Google Analytics, which processes this personal data in the US (the “importer”). Likewise, an international transfer may take place when a company in the EU sends personal data to a parent or affiliate outside the EU/EEA.

Notwithstanding, the GDPR’s transfer rules do not apply if the data subjects themselves send their data to an organization outside the EU/EEA. Nor do they apply if, for example, an employee of a company accesses company data while working abroad.

Lawful international transfers of personal data under the GDPR

When there is an actual transfer to a third country and/or international organization, it is necessary to comply with the conditions of Chapter V of the GDPR. The controller or the processor needs to frame the transfer by using the instruments which aim at protecting personal data after they have been transferred. These instruments include:

  • Adequacy decisions (art. 45): i.e., the recognition of the existence of an adequate level of protection in the third country or international organization to which the data is transferred. So far, the European Commission has adopted adequacy decisions for the following countries: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, Uruguay, and now again the U.S.
  • The implementation by the exporter of appropriate safeguards (as provided for in art. 46): Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), Codes of Conduct; Certification mechanisms; Ad hoc contractual clauses; International agreements/Administrative Arrangements.

SCCs and other transfer tools mentioned under art. 46 of the GDPR do not operate in a vacuum. In contrast to adequacy decisions, the Court of Justice of the EU (CJEU) has stated that exporters are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the transfer tools.

More specifically, and according to the EDPB, the steps that should be taken by a data exporter include: (1) mapping all transfers of personal data to third countries; (2) verifying the transfer tool(s) on which each transfer relies; (3) assessing whether there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards (e.g., legislation in the third country formally meeting EU standards is manifestly not applied or complied with in practice; there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking; the transferred data and/or importer fall or might fall within the scope of problematic legislation); (4) identifying and adopting supplementary measures, if necessary; (5) taking formal procedural steps; and (6) re-evaluating at appropriate intervals.

  • Derogations (art. 49): exceptions in specific situations or under certain conditions.

The current state of EU-US personal data transfers

Therefore, under the GDPR, a transfer of personal data from the EU to a third country has to comply with the provisions of Chapter V, and this includes transfers to the U.S. Traditionally, any such transfer could be justified under an adequacy decision (known as the Safe Harbour until 2015 and the Privacy Shield until 2020). However, the CJEU twice struck down these adequacy decisions following complaints from EU citizens. In the opinion of the CJEU in its more recent ruling (Schrems II), U.S. public authorities had too much access to personal data transferred from the EU to the U.S., resulting in limitations on the protection of data subjects’ personal data. Similarly, in 2015 the CJEU found (in Schrems I) that the Safe Harbour Decision denied the national supervisory authorities their powers where a person called into question whether a decision by U.S. authorities was compatible with EU data protection regulations.

Following the 2020 ruling, several fines were imposed on organisations precisely for relying on providers located in the U.S. without any of the appropriate safeguards listed in art. 46 in place. A good example can be found in the use of the popular cookies set by Google Analytics, with bans and fines in Austria, Italy, France, and more recently in Sweden (with fines amounting to 1 million €!).

With the newly adopted EU-U.S. Data Privacy Framework, it will be easier for organizations to transfer personal data to the U.S. Notwithstanding, the process of negotiating the framework has been a bumpy road: the draft adequacy decision was published by the European Commission in December 2022, and earlier this month the U.S. Secretary of Commerce issued a statement claiming that the U.S. had “fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (EU-U.S. DPF)”. In the meantime, the EDPB had already warned that some issues remained unaddressed. Likewise, civil society organizations (including Max Schrems’ noyb) have also warned about shortcomings in the new adequacy decision.

The question that we can ask ourselves now is: should we start getting ready for Schrems III?

To know more about how Scytl complies with the GDPR, check out our previous blogpost!

This article was written by Adrià Rodríguez-Pérez, PhD and Senior Public Policy Researcher at Scytl.
