The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses to destinations outside the EEA.
Recap on current framework
Transfers of personal data to a third country outside the EEA are allowed under the current Data Protection Directive only if:
- the Commission has established that the third country ensures an adequate level of data protection by reason of its domestic law or as a result of the international commitments it has entered into. The Commission has so far recognised a dozen countries, along with the US Department of Commerce’s U.S.-EU Safe Harbor Framework, as providing adequate protection; or
- adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights have been adduced, such as:
  - where the transfer is based on the standard contractual clauses approved by the Commission (“EU Model Clauses”)
  - where other transfer mechanisms recognised by European DPAs under the Data Protection Directive (such as Binding Corporate Rules (“BCRs”)) are in place; or
- one of the derogations under the Data Protection Directive applies, such as where the data subject has consented to the transfer.
These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses, BCRs or the U.S.-EU Safe Harbor Framework. This approach is essentially set to continue with some variations.
The Regulation allows for the designation of not only third countries but also specific territories, sectors and states within such countries as providing an adequate level of protection for personal data transferred from the EU. In addition, the Regulation sets out in more detail the procedure and criteria for the Commission’s adequacy decisions, including the ability of the Commission to decide that a third country no longer ensures an adequate level of protection.
Existing adequacy decisions made by the Commission under the Data Protection Directive will continue to remain in force. The Parliament draft proposes a limitation for those existing decisions, meaning that they will remain valid for only five years after the Regulation comes into force. However, this is strongly disputed and reflected in neither the Commission draft nor in the Council draft.
Despite recent discussion, and unless otherwise repealed or amended, the U.S.-EU Safe Harbor Framework will continue to be recognised under the Regulation as providing for an adequate level of data protection for transfers of personal data from the EU to the U.S.
The Regulation recognises and preserves the existing transfer mechanisms under the Data Protection Directive for transfers of personal data to third countries which do not provide an adequate level of data protection.
However, while under the current Data Protection Directive, several Member States require that a transfer to third countries outside the EU/EEA must be notified to or authorised by local DPAs, in particular where based on EU Model Clauses or BCRs, the Draft Regulation explicitly provides that this will no longer be the case. In addition, the Regulation seeks to further extend the options and procedures available to data controllers to legitimise international transfers (such as standard and ad hoc contractual clauses and codes of conduct adopted or authorised by DPAs). The exact mechanisms, however, are still being debated and the draft texts of the Commission, the Parliament and the Council differ significantly. The Parliament draft proposes that international transfers should be permitted where both the data exporter and the data importer hold a valid “European Data Protection Seal” in accordance with the requirements set out in the Regulation. This is, however, not reflected in the same way by the other draft texts and it remains to be seen whether it will find its way to the final version of the Regulation. Further, the Parliament draft envisages the limitation of the validity of existing Commission decisions on the adequacy provided by the use of EU Model Clauses to five years after entry into force of the Regulation. However, this is strongly disputed and not reflected in the Commission draft or in the Council draft.
Importantly, although BCRs for processors are not explicitly mentioned in all drafts of the Regulation, given the clear recognition by the data protection authorities, they are likely to remain an innovative mechanism under which data processors can assist data controller clients to meet their obligations in relation to the international transfer of personal data.
The derogations set out in the Data Protection Directive will continue to apply under the Regulation. In addition, the Commission and Council drafts provide that transfers which are not frequent and/or massive (or, respectively, “large scale” as stipulated by the Council draft) could be allowed if the transfer is necessary for legitimate interests of the data controller. If the data controller wishes to rely on this derogation, it must have assessed all the circumstances surrounding the transfer, and must have adduced appropriate safeguards based on that assessment. The data controller is also subject to a documentation obligation which requires a full record of the transfer and the further processing operations to be kept.
Likely practical impact
Under the Regulation specific territories within a country (e.g. single U.S. States) may qualify as providing for an adequate level of data protection. The Commission may also decide that specific industry sectors are adequate in terms of data protection. Initially such standards are likely to be found in sectors in which high privacy standards already exist (e.g. the banking and/or insurance sectors).
The Regulation prevents local DPAs from requiring any specific authorisation for cross-border transfers outside the EEA if the requirements of the Regulation are otherwise met. For multinational companies relying on EU Model Contracts or BCRs to legitimise their transfers, this will drastically reduce the administrative burden – the days of local administrative differences or further notification or approval requirements will be over. The Draft Regulation formally recognises BCRs as a valid transfer mechanism and sets out uniform rules for their adoption. The Regulation is expected to simplify the BCR approval process and further strengthen the role of BCRs as a mechanism to enable cross-border transfers. The likely practical impact is that we will see an increasing number of companies implementing BCRs.
Since the Regulation provides that transfers are also allowed on the basis of legitimate interests of the controller, we may see an increase in data transfers based on this derogation. This will particularly be the case where transfers only take place occasionally and not on a large scale, and no other derogations are reasonably available.
What to do now
- Identify the key international data flows carried out in the context of an organisation’s core operations.
- Assess what mechanisms are currently in place to legitimise international data transfers and assess their validity under the Regulation.
- For intra-group data transfers, consider carrying out a BCR Gap Analysis to determine the practical viability of BCR.
- For transfers of data to third party suppliers (e.g. cloud service providers), deploy a flexible contractual mechanism that also covers sub-contracting.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”