14. GDPR – Data Transfers to third countries
Outline of the chapter
The focus of this chapter is to introduce the rules and measures envisaged by the GDPR for safe and secure transfer of data outside the Union. In the global digital economy such international transfers of personal data are common. The Regulation aims to ensure that the level of protection of data subjects in the EU is not undermined when their data are transferred to third countries. Otherwise, the whole data protection system is jeopardised.
The topics discussed are:
- International data transfers (14.1)
- Adequacy decisions (14.2)
- Other appropriate safeguards for transferring data to third countries (14.3)
- Derogations for specific situations (14.4)
(14.1) International data transfers
The contemporary digital economy would be unthinkable without international data flows. For instance, students at the University of Groningen have access to multiple digital libraries – some of which are owned and managed outside the European Union. To get access to those resources, students at the University provide their personal student emails, their student numbers and their educational institution. This information easily fits the definition of personal data under article 4(1) GDPR. The examples of data transfers to third countries are, in fact, numerous – purchases from Amazon, streaming on Netflix, using Google applications, etc.
The rapid development of the global digital market is acknowledged by the GDPR in its Recital 101:
Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
Brainstorming
A Spanish student currently enrolled at the University of Groningen wants to switch from an EU-based health and fitness app to a US-based one. The student downloads his workout data and uploads it to the new app. No formal agreement exists between the two companies, and the student initiated the transfer himself.
- Does this kind of activity fall under the material scope of application of the GDPR?
Let us suppose that the activity falls under the scope of application of the GDPR.
- In your opinion, would such activity qualify as international data transfer?
- Who would qualify as data subject, controller and processor in this case?
Transfers of personal data are often necessary, but a lack of effective safeguards would expose data subjects to multiple and potentially grave risks.
For these reasons, the GDPR has constructed tools and mechanisms to ensure that its objectives will not be compromised and the rights of data subjects will be safeguarded when their data leave the territory of the European Union.
Article 44 GDPR – General principle for transfers
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
(14.2) Adequacy decisions
The mechanism of adequacy decisions is described in article 45 GDPR. According to it, an international transfer of data can take place if the Commission has declared that the third state/region/organization ensures an adequate level of protection. Data are transferred to countries that have an adequacy decision in the same way as if they were transferred within the territory of the European Union.
The adoption procedure of the adequacy decision includes the following steps:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board;
- an approval from representatives of EU countries;
- the adoption of the decision by the European Commission.
Article 45 GDPR – Transfers on the basis of an adequacy decision
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. […]
The effect of an adopted adequacy decision is that data controllers can freely transfer data to the third country without any further safeguard checks being necessary.
The European Commission has so far adopted adequacy decisions only for a limited number of countries and territories. You can find the list here.
As clearly stated in the 2nd paragraph of article 45 GDPR, there are three main criteria that the Commission assesses in order to decide whether a third country offers an adequate level of data protection: i. the respect for the rule of law, human rights and fundamental freedoms; ii. the existence and effective functioning of one or more independent supervisory authorities; iii. the international commitments the third country or international organisation concerned has entered into.
2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data. […]
The core element of an adequacy decision is the assessment that the third country offers an adequate level of protection of personal data. The CJEU has clarified the meaning of the phrase by considering that adequate does not mean ‘identical level of protection’ but it means ‘essentially equivalent’.
Case C-362/14 Schrems I EU:C:2015:650
[74] It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.
[75] Accordingly, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the applicable rules in that country resulting from its domestic law or international commitments and the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46, take account of all the circumstances surrounding a transfer of personal data to a third country.
[76] Also, in the light of the fact that the level of protection ensured by a third country is liable to change, it is incumbent upon the Commission, after it has adopted a decision pursuant to Article 25(6) of Directive 95/46, to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard.
The history of the agreements between the EU and the USA with regard to data transfers is of particular interest, not only because the EU and each of us as individuals rely heavily on services provided by US companies (think of Meta, X, Amazon, etc.), but also because of the different standards of protection of personal data in the two jurisdictions. There has not been an adequacy decision stricto sensu between the EU and the USA for the transfer of personal data. The decisions of 2000 (‘Safe Harbour’) and 2016 (‘Privacy Shield’) relied on declarations of self-compliance by commercial companies in the US with the EU legal framework, without finding that the US legal framework itself provided adequate protection for EU data subjects. Both decisions were invalidated by the Court of Justice of the EU in the Schrems I and Schrems II judgments.
Case C-362/14 Schrems I EU:C:2015:650
[92] Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
[93] Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (see, to this effect, concerning Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54), judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 57 to 61).
[94] In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
[95] Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter. The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law (see, to this effect, judgments in Les Verts v Parliament, 294/83, EU:C:1986:166, paragraph 23; Johnston, 222/84, EU:C:1986:206, paragraphs 18 and 19; Heylens and Others, 222/86, EU:C:1987:442, paragraph 14; and UGT-Rioja and Others, C‑428/06 to C‑434/06, EU:C:2008:488, paragraph 80).
[96] As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
[97] However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.
[98] Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.
Case C-311/18 Schrems II EU:C:2020:559
[178] In the present case, the Commission’s finding in the Privacy Shield Decision that the United States ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of Articles 7 and 8 of the Charter, has been called into question, inter alia, on the ground that the interference arising from the surveillance programmes based on Section 702 of the FISA and on E.O. 12333 are not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed by the second sentence of Article 52(1) of the Charter. It is therefore necessary to examine whether the implementation of those surveillance programmes is subject to such requirements, and it is not necessary to ascertain beforehand whether that third country has complied with conditions essentially equivalent to those laid down in the first sentence of Article 52(1) of the Charter.
[179] In that regard, as regards the surveillance programmes based on Section 702 of the FISA, the Commission found, in recital 109 of the Privacy Shield Decision, that, according to that article, ‘the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence (DNI)’. As is clear from that recital, the supervisory role of the FISC is thus designed to verify whether those surveillance programmes relate to the objective of acquiring foreign intelligence information, but it does not cover the issue of whether ‘individuals are properly targeted to acquire foreign intelligence information’.
[180] It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes. In those circumstances and as the Advocate General stated, in essence, in points 291, 292 and 297 of his Opinion, that article cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter, as interpreted by the case-law set out in paragraphs 175 and 176 above, according to which a legal basis which permits interference with fundamental rights must, in order to satisfy the requirements of the principle of proportionality, itself define the scope of the limitation on the exercise of the right concerned and lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.
[181] According to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28. However, although the Commission stated, in recitals 69 and 77 of the Privacy Shield Decision, that such requirements are binding on the US intelligence authorities, the US Government has accepted, in reply to a question put by the Court, that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter, contrary to the requirement in Article 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights.
[…]
[185] In those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter.
[…]
[192] Furthermore, as regards both the surveillance programmes based on Section 702 of the FISA and those based on E.O. 12333, it has been noted in paragraphs 181 and 182 above that neither PPD‑28 nor E.O. 12333 grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.
[…]
[197] Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.
[198] Therefore, in finding, in Article 1(1) of the Privacy Shield Decision, that the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in that third country under the EU-US Privacy Shield, the Commission disregarded the requirements of Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter.
[199] It follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.
A new data transfer agreement, this time known as the ‘EU-US Data Privacy Framework’, was adopted in 2023. This time the Commission adopted the decision in the form of an adequacy decision. The main points of this decision include:
- the possibility for US companies to voluntarily join the EU-US Data Privacy Framework
- the possibility for EU data subjects to benefit from several redress avenues (including free of charge complaints before independent dispute resolution mechanisms and an arbitration panel)
- limited access to personal data by US intelligence agencies only when considered as necessary and proportionate to protect national security
- the possibility for EU data subjects to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. This Court will independently investigate and resolve complaints and adopt binding remedial measures.
(14.3) Other appropriate safeguards for transferring data to third countries
In the absence of an adequacy decision, Article 46 GDPR provides for the transfer of data to third countries when appropriate safeguards are in place. These appropriate safeguards, following the second paragraph of the article, are:
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
a) a legally binding and enforceable instrument between public authorities or bodies;
b) binding corporate rules in accordance with Article 47;
c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
The aim of the appropriate safeguards is to ensure protection of data subjects’ rights in those situations where the legal framework of the third country is not considered in itself as adequate. In Schrems II, the Court of Justice of the EU held that controllers, even after relying on one of the appropriate safeguards listed in the law, remain responsible for assessing whether that safeguard allows for an appropriate level of protection of data subjects within the legal framework of the third country.
Case C-311/18 Schrems II EU:C:2020:559
[105] Therefore, the answer to the second, third and sixth questions is that Article 46(1) and Article 46(2)(c) of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
(14.4) Derogations for specific situations
In the absence of an adequacy decision and appropriate safeguards, data can exceptionally be transferred to third countries under the specific derogations contained in Article 49 GDPR. This rule is the last option for third states/regions/organizations where neither Article 45 GDPR nor Article 46 GDPR is applicable. As such, a data transfer based on derogations may take place only if it is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.
The list of derogations for specific situations can be found in the first paragraph of article 49 GDPR.
Article 49 GDPR – Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
d) the transfer is necessary for important reasons of public interest;
e) the transfer is necessary for the establishment, exercise or defence of legal claims;
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.