
Impact of the draft EC data protection Regulation on data transfers

March 2013

One of the main compliance headaches for those operating under the current regime is navigating the European data protection rules applicable to data transfers. In January the Global Data Hub focussed on this topic specifically. The approach proposed by the draft EC data protection Regulation (Regulation) intends to streamline these obligations and includes considerably more detail on how to ensure compliant data transfers.

Adequacy rulings (Article 41)

The draft Regulation builds on the provision under the current Data Protection Directive (Directive) by proposing that an adequacy ruling could apply to certain processing sectors or territories within a third country as well as to a third country as a whole. This might allow adequacy findings for transfers to industry sectors or states, such as the USA, where adequate sector-specific or state-specific privacy legislation may exist despite the absence of federal-level data privacy law.

The Regulation also clarifies the process by which adequacy rulings are made, setting out detailed adequacy criteria (on which the European Commission should consult). If the Commission is not satisfied that an adequate level of protection is provided, it may decide to expressly prohibit the relevant data transfers unless an alternative solution applies (see below).

Appropriate safeguards (Article 42)

In the absence of an adequacy ruling there are four ways to legitimise a data transfer to a third country if the data controller or the processor applies and enforces the appropriate safeguards by way of a legally binding instrument:

  • binding corporate rules ("BCRs");
  • standard data protection clauses adopted by the Commission;
  • standard data protection clauses adopted by a regulator; and
  • contractual clauses authorised by a regulator.

Where a transfer is based on one of the first three solutions, no further authorisation is needed. This differs from the current Directive, where member states’ national laws may require such transfers to be individually approved by the national regulator (even if already approved by the Commission).

BCRs (Article 43)

The Regulation removes the current uncertainty around the effective scope of BCR approvals by providing statutory recognition for BCRs and a clearly defined approval process. The criteria for approval of BCRs by a regulator are set out in Article 43. Provided the BCRs are legally binding, confer enforceable rights on data subjects and satisfy certain further requirements as to their content, they shall be approved by the regulator.

The further requirements are that the BCRs must at least specify:

  • the structure and contact details of the group of undertakings and its members;
  • the data transfers, including the categories of personal data, the type of processing and its purposes, the data subjects affected and the third country or countries in question;
  • their legally binding nature, both internally and externally;
  • the general data protection principles;
  • the rights of data subjects and the means to exercise these rights;
  • the acceptance by the controller or processor established on the territory of a member state of liability for any breaches of the BCRs by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;
  • how the information on BCRs is provided to the data subjects in accordance with requirements for clear and transparent information and communication;
  • the tasks of the data protection officer;
  • the mechanisms within the group to ensure the verification of compliance with the BCRs;
  • the mechanisms for recording changes to the policies and reporting them to the regulator;
  • the co-operation mechanism with the regulator to ensure compliance by any member of the group of undertakings.

The scope of BCRs is intended to apply equally to data processors and data controllers. Data processors with international operations will therefore also have the ability to rationalise their international data transfer controls around the processing of personal data.

Although regulator approval is still required for BCRs, a significant change proposed by the Regulation is the general recognition of a lead authority or "one-stop shop" in cases where the controller or processor is established in more than one EU member state. Under the Regulation, applications for approval or authorisation will only be made to the regulator of the member state in which the controller or processor has its main establishment.

Contractual Clauses

Authorisation will only be required where the parties depart from the standard clauses. The Regulation proposes to simplify the current authorisation process through a consistency mechanism under which the lead national regulator will first submit any custom drafted contractual clauses to the European Data Protection Board (EDPB) to ensure consistent decision making, and to avoid conflicting approval decisions by national regulators.

Derogations (Article 44)

Where neither an adequacy ruling nor one of the above safeguards applies, the draft Regulation sets out pre-conditions, any one of which, if satisfied, permits a transfer to a third country or international organisation:

  • informed consent of the data subject;
  • transfer being necessary for the performance of a contract;
  • transfer being necessary on the grounds of public interest;
  • transfer being necessary for the establishment, exercise or defence of legal claims;
  • transfer being necessary to protect vital interests of the data subject; or
  • transfer being necessary for the pursuit of legitimate interests of the data controller / processor.

These pre-conditions are on similar terms to those provided for by the current Directive, except that the definition of consent in the Regulation will mean that the data controller will have to demonstrate explicit consent by the data subject to the transfer under the first pre-condition.

Conclusions

Although many aspects of the Regulation have been criticised for being overly bureaucratic, the data transfer provisions appear to reflect a genuine attempt by the Commission to recognise the needs of a globalised economy. The transfer provisions provide more scope for adequacy grounds to be established and make transfer restrictions easier to navigate.  

What remains unclear is whether the proposals go far enough, and whether measures such as the consistency mechanism will be effective in delivering consistent, timely authorisations. The worst-case scenario, however, is that in the absence of a consensus approach between member states these measures merely create a decision-making bottleneck at the EDPB.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Vinod Bange

Sally Annereau

Lucy Lyons

Vinod, Sally and Lucy set out the options for legitimising data transfers to third countries.