On 25 May 2018, the European Data Protection Board (the "EDPB") adopted its "Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679" with regard to international data transfers (the "Guidelines").
Derogations Are Last Resort
Under Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), the general rule is that personal data may only be transferred to non-EEA countries if these countries offer an "adequate level of protection". The existence of an adequate level of protection can either follow from an adequacy decision issued by the European Commission, or be a consequence of specific measures taken by the data controller, i.e., if the data controller has put in place "appropriate safeguards" within the meaning of Article 46 of the GDPR, such as binding corporate rules or standard contractual clauses. Article 49 of the GDPR provides for specific derogations by virtue of which data controllers may still transfer personal data to non-EEA countries even if these do not offer an adequate level of protection for such personal data and no appropriate safeguards are in place.
In the Guidelines, the EDPB first recalls that recourse to the derogations of Article 49 should always constitute a last resort and can never result in a situation where fundamental rights can be breached. The EDPB also underlines that all derogations of Article 49 should be interpreted restrictively so that the exception does not become the rule. The EDPB adds that, while it is true that Recital 111 of the GDPR differentiates among the derogations by expressly stating that the "contract" and "legal claims" derogations (Article 49 (1)(b), (c) and (e)) should be limited to "occasional" transfers, the other derogations of Article 49, which are not expressly limited, still have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions to the rule.
Which Derogations Does GDPR Allow For?
The EDPB then addresses each of the derogations under Article 49 of the GDPR.
Article 49(1)(a) authorises data transfers if the data subject has given his or her "explicit consent", and the EDPB confirms the high threshold that applies to the use of this derogation. The EDPB underlines that consent should be given specifically for the particular data transfer and that, with this in mind, it may sometimes be impossible to obtain the data subject's consent for a future transfer at the time of collection of the personal data, e.g., if the occurrence and specific circumstances of the transfer remain unclear at that time. The EDPB also stresses that it is crucial that the data subject be properly informed in advance of the specific circumstances of the transfer (including, but not limited to, the data recipients and the countries to which the data are transferred) and, therefore, of the specific risks of a transfer to a country that does not provide adequate protection in the absence of appropriate safeguards. If such information is not supplied, the derogation will not apply.
Article 49(1)(b) of the GDPR permits a derogation for transfers that are necessary for the performance of a contract between the data subject and the controller or for implementing pre-contractual measures taken at the data subject's request. The EDPB explains that such transfers must be strictly "necessary" for the contractual purpose and that the derogation only permits "occasional" transfers for this purpose. By way of example, the EDPB indicates that this basis cannot be used for international transfers made in order to centralise payment and human resource management functions within a group of companies. For such a situation, standard contractual clauses or binding corporate rules may provide a more suitable basis, according to the EDPB.
Contract in Interest of Data Subject
Next, Article 49(1)(c) of the GDPR permits transfers that are necessary for the conclusion or performance of a contract concluded in the interest of the data subject. This derogation is interpreted in a similar way to the above, meaning that the transfer of personal data must be occasional and necessary, i.e., there must be a close and substantial link between the transfer and the contract concluded in the interest of the data subject.
Article 49(1)(d) of the GDPR allows transfers that are necessary for important reasons of public interest. Here, the EDPB reiterates earlier guidelines issued by the Article 29 Working Party, the predecessor of the EDPB, that the "derogation only applies when it can also be deduced from EU law or the law of the Member State to which the controller is subject". Accordingly, foreign interests do not qualify to permit the transfer, but the EDPB nevertheless indicates that account should be taken of "the spirit of reciprocity for international cooperation".
Under Article 49(1)(e) of the GDPR, transfers may take place when the transfer is "necessary for the establishment, exercise or defence of legal claims". This derogation provides an important basis for international transfers in the context of international litigation as well as criminal or administrative investigations in a third country (including antitrust, corruption and insider trading investigations). Transfers for the purpose of pre-trial discovery procedures may also fall under this derogation. However, the EDPB states that such transfers must still be "occasional and necessary", and it points out that the transfer of all personal data that is possibly relevant to the legal proceedings "would not be in line with this derogation or with the GDPR more generally". Indeed, the data minimisation principle also applies to this situation. Therefore, the EDPB sets out a "layered approach" for transfers under this derogation: first, a careful assessment should be made of whether anonymised data would be sufficient for the particular case. If not, the transfer of pseudonymised data should be considered. If this is also not possible, and personal data must be transferred to a recipient in a third country in non-pseudonymised form, the transfer should be limited to only those data that are actually necessary for the purpose at hand.
Protection of Vital Interests of Data Subject or Other Persons
Article 49(1)(f) of the GDPR applies to transfers necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. This derogation applies, for instance, in the event of a medical emergency.
Compelling Legitimate Interest of Controller
Finally, international transfers may be permitted where there are compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject (second subparagraph of Article 49(1) of the GDPR). The Guidelines confirm that this derogation can only be relied upon in residual cases, where none of the other derogations applies. In this respect, the EDPB states that the data exporter should be able to demonstrate its serious attempts to rely on the other grounds for transfer or the impossibility of relying on such grounds. For example, the EDPB notes that binding corporate rules may often not be a feasible option for small and medium-sized enterprises because of the considerable administrative investment they entail. The EDPB also stresses that not all "legitimate interests" qualify as "compelling" and that a higher threshold applies in this assessment. An example of a compelling legitimate interest would be, according to the EDPB, a data controller that is forced to transfer personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business. The EDPB adds that such a transfer can only concern a limited number of data subjects. Moreover, this derogation also requires the transfer to be "not repetitive". The EDPB treats this requirement as similar to the "occasional" condition of Recital 111. According to the EDPB, these terms indicate that transfers may happen more than once, but not regularly, and that they must occur "outside the regular course of actions", e.g., under random, unknown circumstances and at arbitrary time intervals.
As an example, the EDPB indicates that granting direct access to a database (via an interface or IT application) on a general basis, or effecting transfers within a stable relationship between a data exporter and a data importer, would not be considered occasional or not repetitive.
These Guidelines provide welcome insight, especially since derogations for data transfers could gain importance over time in view of the challenges currently faced by the existing transfer mechanisms. Indeed, the validity of both the EU-US Privacy Shield and the European Commission's standard contractual clauses is currently being questioned (See VBB on Belgian Business Law, Volume 2017, No. 12, p. 9 and this Newsletter, Volume 2018, No. 4, p. 11, available at www.vbb.com). The full text of the Guidelines can be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.