
Understanding the impact of the European Commission Draft Data Protection Regulation on international data transfers

January 2013

On 25 January 2012, the European Commission published a package of measures to overhaul and harmonise the EU data protection regime. This included a proposal for a General Data Protection Regulation (Draft Regulation). When finalised, the Draft Regulation will replace the current patchwork of national laws implementing Directive 95/46/EC (Directive) with a single harmonised instrument applicable to the processing of personal data across the EU by data controllers and data processors.

One of the main compliance headaches under the current regime is navigating the European data protection rules applicable to international data transfers. The Draft Regulation intends to streamline these obligations and sets out in considerably more detail how compliant transfers can be effected. The solutions for achieving compliant data transfers are set out in Chapter V of the Draft Regulation, in particular Articles 41 to 44. These proposals are considered in more detail below.

Solution: Adequacy Rulings (Article 41)

The Draft Regulation builds on the adequacy findings mechanism under the current Directive by proposing that an adequacy ruling could apply to a specified processing sector or territory within a third country, as well as to a third country as a whole. This opens up the possibility of adequacy findings for transfers to particular industry sectors or states, for example in the USA, where adequate sector-specific or state-specific privacy legislation may exist despite the absence of comprehensive federal privacy law.

Article 41(2) also gives more clarity on how adequacy rulings are made, by setting out the criteria the European Commission (Commission) must take into account when assessing the level of protection in a third country, or in a territory or processing sector within that country. If the Commission is not satisfied that an adequate level of protection is provided, it may expressly prohibit transfers to that third country, territory or sector, unless a solution under Articles 42 to 44 applies (see below).

Existing adequacy rulings made under the current Directive will remain in force until such time as they are amended, replaced or repealed by the Commission.

Solution: Appropriate safeguards (Article 42)

In the absence of an adequacy ruling under Article 41, Article 42 of the Draft Regulation provides four ways in which a transfer to a third country may take place, provided the data controller or processor adduces appropriate safeguards by way of a legally binding instrument.

These are:

  • binding corporate rules (‘‘BCRs’’);
  • standard data protection clauses adopted by the Commission;
  • standard data protection clauses adopted by a regulator; and
  • contractual clauses authorised by a regulator.

Where a transfer is based on one of the first three safeguard solutions listed above, no further authorisation is needed to allow for a transfer. This is in contrast to the current Directive where different member state national laws may require transfers made under such safeguard solutions to be separately approved by the national regulator, even if already approved by the Commission.

As with the provision in relation to existing Commission adequacy rulings, a similar provision allows for any existing standard contractual clauses approved by the Commission under the current Directive to remain in place until replaced, amended or repealed by the Commission.

BCRs (Article 43)

The Draft Regulation removes the current uncertainty around the effective scope of BCR approvals by giving BCRs statutory recognition and a clearly defined approval process. The requirements for approval of BCRs by a regulator are set out in Article 43: provided the BCRs are legally binding, confer enforceable rights on data subjects and satisfy certain further requirements as to their content, the regulator shall approve them.

The further requirements are that the BCRs must at least specify:

  (a) the structure and contact details of the group of undertakings and its members;
  (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
  (c) their legally binding nature, both internally and externally;
  (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data, measures to ensure data security, and the requirements for onward transfers to organisations which are not bound by the policies;
  (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling, the right to lodge a complaint, to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
  (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if it proves that that member is not responsible for the event giving rise to the damage;
  (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) above, is provided to the data subjects in accordance with the requirements of the Draft Regulation for clear and transparent information and communication;
  (h) the tasks of the data protection officer;
  (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;
  (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the regulator;
  (k) the co-operation mechanism with the regulator to ensure compliance by any member of the group of undertakings, in particular by making available to the regulator the results of the verifications of the measures referred to in point (i) above.

The drafting of the Regulation intends BCRs to apply equally to data processors and data controllers. Data processors with international operations will therefore also be able to rationalise their international data transfer controls around their processing of personal data.

Although regulator approval is still required for BCRs, a significant change from the current Directive is the Draft Regulation's general recognition of a lead authority or 'one-stop-shop' where the controller or processor is established in more than one EU member state. Approvals or authorisations (including those required in respect of BCRs) will, under the Draft Regulation, only need to be sought from the regulator of the member state in which the controller or processor has its main establishment.

Contractual Clauses

Where standard data protection clauses adopted by the Commission are used, no prior authorisation is necessary; if the parties depart from the standard clauses, prior authorisation is needed. The Draft Regulation proposes to simplify the current authorisation process through the consistency mechanism described in Chapter VII of the Draft Regulation. Under this process, the lead national regulator will first submit any custom drafted contractual clauses to the European Data Protection Board (EDPB), in order to ensure consistent decision making and to avoid situations where one member state accepts specific custom contractual clauses and another does not.

Solution: Derogations (Article 44)

Where none of the above solutions applies, the draft still provides a limited set of derogations under which a transfer to a third country or international organisation may take place.

These derogations are set out at Article 44 and apply in the following circumstances:

  • consent of the data subject after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
  • transfer being necessary for the performance of a contract;
  • transfer being necessary on the grounds of public interest;
  • transfer being necessary for the establishment, exercise or defence of legal claims;
  • transfer being necessary to protect vital interests of the data subject; or
  • transfer being necessary for the purposes of the legitimate interests of the data controller or processor, where the transfer cannot be qualified as frequent or massive and the controller or processor has assessed the circumstances of the transfer and, where necessary, adduced appropriate safeguards.

These derogations are on similar terms to those provided for by the current Directive, with the exception that the definition of consent in the Draft Regulation means the data controller will have to demonstrate that it has the explicit consent of the data subject to the transfer in order to rely on the first of them.

Conclusions

Although many aspects of the Draft Regulation have been criticised for being overly bureaucratic, the data transfer provisions appear to reflect a genuine attempt on the part of the Commission to recognise the needs of a globalised economy. The transfer provisions provide more scope for adequacy grounds to be established and make transfer restrictions easier to navigate.

What remains unclear is whether the proposals go far enough, or whether measures such as the consistency mechanism will be effective in delivering consistent authorisations in a timely fashion. The worst case scenario is that these measures merely create a decision-making bottleneck at the EDPB in the absence of a consensus approach between member states.

Vinod Bange, Sally Annereau and Lucy Lyons

Vinod, Sally and Lucy consider the Draft Regulation and how this differs from the current EU data protection regime.
