Transfers of personal data to third countries

ERA Forum

Abstract

The EU’s General Data Protection Regulation (GDPR) confirms the general principles of the existing Directive on the transfer of personal data to a third country (in particular the requirement of an “adequate level of protection”). Nevertheless, and among others, the GDPR:

  • harmonises, as a regulation, the national practices which could be dispersed;

  • falls in line with a reinforcement of protection following the recognition of personal data protection as a fundamental right by the Charter; and

  • explicitly introduces new instruments of transfer to third countries (in particular, codes of conduct or certification mechanisms).


Notes

  1. Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation) [2016] OJ L119/1.

  2. Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31.

  3. Article 25(1) of the Directive and 45(1) of the GDPR; see infra No 4.2.1 and 4.2.5.1 for more detailed information on this notion.

  4. Case C-101/01 Lindqvist, EU:C:2003:596; judgment available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=437082.

  5. Position Paper of the EDPS of 14 July 2014, “The transfer of personal data to third countries and international organisations by EU institutions and bodies” available at https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Papers/14-07-14_transfer_third_countries_EN.pdf. This position paper relates to the transfer of personal data carried out by the bodies of the European Union on the basis of Regulation 45/2001 of December 18, 2000, relating to the protection of natural persons with regard to the processing of personal data by Community institutions and bodies and to the free movement of such data. That being said, the notion of transfer is a common community notion in EU legislation relating to personal data protection. The suggested definition therefore seems appropriate.

  6. With regard to this last hypothesis, the EDPS specifies that the position of the Court of Justice of the European Union (CJEU) in the Lindqvist case (Case C-101/01 Lindqvist, EU:C:2003:596), the only case law of the CJEU on the matter to this day, must be limited, as specified by the Court, to “circumstances such as those in the case in the main proceedings”; case law available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=437082.

  7. For examples of international transfers, one can also refer to the FAQs of the Commission on international transfers, available in English only at http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf.

  8. Norway, Liechtenstein and Iceland.

  9. In order to be applicable in the EEA, EU acts must be incorporated in the EEA Agreement, specifically in the annex or protocol to the Agreement relating to such matter. These amendments to the EEA Agreement are adopted by way of a decision of the EEA Joint committee, which can, furthermore, adapt certain provisions of the European act concerned to the specificities of non-EU countries. In this case, Directive 95/46 was integrated and adapted to point 5 of Annex XI (Telecommunications services) to the EEA Agreement by Decision No 83/1999 of the EEA Joint committee.

  10. They, in particular, refer to principles on personal data processing, to the lawfulness of processing or processing of special categories of personal data.

  11. The same rules apply to international organisations. This clarification will not be repeated hereafter, as this contribution is focused on the transfer of personal data to third countries. An international organisation is defined at Article 4(26) of the GDPR as follows: “an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries”.

  12. This excludes purely technical transfers, namely the fact that the data crosses, or is likely to cross borders to reach its destination.

  13. In contrast to the Directive, the GDPR also explicitly includes the processor.

  14. Art. 8 of the Charter of Fundamental Rights of the European Union (the Charter) [2010] OJ C 83/01.

  15. This hierarchy, which was not explicit in the Directive, but nevertheless applicable, is now expressly reproduced by the GDPR in its Article 49. Under the Directive, this hierarchy between these instruments of transfer to third countries is very precisely described at point 1.3 of “Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995” (WP 114) adopted by the Article 29 Working Party on 25 November 2005:

    Accordingly, a best practice approach would be for a controller planning an international data transfer to consider first whether the third country provides an adequate level of protection and to satisfy himself that the exported data will be safeguarded in that country. In the case of exports to the US, the controller exporter may want to encourage the importer to subscribe to the Safe Harbor principles. If the level of protection in the third country is not adequate in light of all the circumstances surrounding a data transfer, the data controller should consider Article 26(2), i.e., providing adequate safeguards through, for example, the standard contractual clauses or binding corporate rules. Only if this is truly not practical and/or feasible, then the data controller should consider using the derogations of Article 26(1).

    This document is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2005/wp114_en.pdf.

  16. See in particular, Art. 46(3) and 47 of the GDPR.

  17. Cf. Article 25(6) of the Directive.

  18. Regulation 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers [2011] OJ L 55/13. Under the Directive they are found in Articles 4 and 7 of Decision 1999/468 laying down the procedures for the exercise of implementing powers conferred on the Commission [1999] OJ L 184/23.

  19. In addition to these adequacy decisions, there are specific bilateral agreements concluded with some States for the sending of air passenger data (Australia, Canada and the United States) or the use of financial data (Data and Terrorist Finance Tracking Programme-TFTP).

  20. Decision 2000/520 of the Commission of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) [2000] OJ L 215/07.

  21. Case C-362/14 Schrems, EU:C:2015:650, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=98007.

  22. For now, two cases are pending before the CJEU relating to the validity of the Privacy Shield (Case T-670/16 Digital Rights Ireland v. Commission and Case T-738/16 La Quadrature du Net and Others v. Commission). See also Article 29 Working Party Opinion (WP 238) available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf. Finally, the Privacy Shield will be reviewed, as stated in the opinion referred to above, in September 2017.

  23. The adequacy evaluation criteria are, therefore, of general application whether the evaluation relates to a third country in its entirety, a territory of this country or one or more given sectors.

  24. Art. 45(2) GDPR.

  25. Convention No 108 of the Council of Europe of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data [1981] ETS No. 108, 28.01.1981.

  26. Cf. recital 104: “The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union”. See also infra point 4.2.5.1 in fine concerning the explanation of this notion by the CJEU.

  27. Regulation 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers [2011] OJ L 55/13.

  28. The EDPB will replace the Article 29 Working Party.

  29. In accordance with Art. 97 of the GDPR, the Commission will have to submit a report to Parliament and the Council on the evaluation and review of the GDPR. This evaluation report relates, in particular, to adequacy decisions. In this context, the Commission must take into account “the positions and opinion of the European Parliament, of the Council, and of other relevant bodies or sources.” (Art. 97(4) GDPR).

  30. This list is available at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

  31. Opinion of Advocate General Bot in Case C-362/14 Schrems, EU:C:2015:627, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=102005; see, in particular, No 232 to 236.

  32. Regulation 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers [2011] OJ L 55/13 specifies the limits of the power of the Commission in this situation in its Article 8:

    1. By way of derogation from Articles 4 and 5, a basic act may provide that, on duly justified imperative grounds of urgency, this Article is to apply.

    2. The Commission shall adopt an implementing act which shall apply immediately, without its prior submission to a committee, and shall remain in force for a period not exceeding 6 months unless the basic act provides otherwise.

    3. At the latest 14 days after its adoption, the chair shall submit the act referred to in paragraph 2 to the relevant committee in order to obtain its opinion.

    4. Where the examination procedure applies, in the event of the committee delivering a negative opinion, the Commission shall immediately repeal the implementing act adopted in accordance with paragraph 2.

  33. Implementing Decision 2016/2295 of the Commission of 16 December 2016 amending Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2003/821/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU and 2011/61/EU, and Implementing Decisions 2012/484/EU and 2013/65/EU noting that, pursuant to Article 25(6), of Directive 95/46/EC of the European Parliament and of the Council, the adequate level of personal data protection ensured by some countries pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2016) 8353) [2016] OJ L 344/83.

  34. Cf. Points 76 and 77 of the judgment available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=98007.

  35. Cf. Point No 147 of the Opinion of the Advocate General available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=102005.

  36. Art. 45(6) GDPR.

  37. Cf. Points 73 and 74 of the judgment.

  38. See also supra point 4.2.5.

  39. Art. 51 and 58 GDPR.

  40. Cf. Art. 49 GDPR. See also note No 13.

  41. Art. 45(2)(a) and recital 104 of the GDPR.

  42. Art. 46(3) GDPR.

  43. For example, Art. 46(2) GDPR.

  44. All these safeguards are listed; however, as this contribution is limited to private law, we will only elaborate on the safeguards laid down in points b to f.

  45. Therefore, BCRs, codes of conduct and certification mechanisms require an approval of the supervisory authorities, but once approved may be freely used under the exporter’s responsibility.

  46. Art. 46(5) GDPR.

  47. As this contribution is limited to private law, we shall only elaborate on the safeguards set out in point a.

  48. Recital 110 of the GDPR summarises the contents of BCRs as such:

    A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

  49. Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers (WP 74) available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp74_en.pdf.

  50. The Portuguese supervisory authority (Comissão Nacional de Protecção de Dados) in essence indicates in its activity report (Relatório de Actividades) 2003/2004 at point 2.1 (page 59) that under Portuguese law BCRs, because they result from the Article 29 Working Party, “cannot be a source of obligation”. This document is available at https://www.cnpd.pt/bin/relatorios/anos/RELATORIO_03_04.pdf.

  51. Art. 47 GDPR.

  52. Art. 47(2) GDPR.

  53. See in this respect WP 244 of the Article 29 Working Party, available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf.

  54. The standard clauses can possibly be complemented, but additions should not contravene the clauses.

  55. Decision 2001/497 of the Commission of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (notified under document number C(2001) 1539) [2001] OJ L 181/19; Decision 2004/915 of the Commission of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271) [2004] OJ L 385/74; and Decision 2010/87 of the Commission of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) [2010] OJ L 39/05. All clarifications regarding standard clauses already adopted by the Commission, as well as the standard clauses themselves are also available at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

  56. WP 214 available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp214_en.pdf.

  57. Case C-362/14 Schrems, EU:C:2015:650.

  58. Cf. Art. 46(2)(c) and (d) of the GDPR.

  59. Where the code relates to processing activities which are limited to one Member State.

  60. Where the code relates to processing activities which are carried out in several Member States.

  61. Art. 42(5) of the GDPR.

  62. Cf. recital 113 of the GDPR. See also note No 13.

  63. Clarifications regarding these derogations are also provided at paragraphs 2 to 6 of Article 49.

  64. This is the list of specific requirements which determines the use of this derogation. All the other general conditions relating to the derogations regime or the information obligation (for example to provide the data subject with the information laid down in Articles 13 and 14 of the GDPR) remain applicable.

  65. WP 158 of the Article 29 Working Party, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2009/wp158_en.pdf.

  66. Art. 48 and recital 115 of the GDPR. In the end, the GDPR did not integrate the mechanism initially provided for by the Parliament with a view to creating conflict of laws. This approach appears to be safeguarding the interests of concerned parties, while guaranteeing an adequate level of protection.

  67. Cf. Art. 14(1) GDPR.

  68. Cf. Art. 50 GDPR.

Author information


Correspondence to Paul Van den Bulck.

Additional information

The author thanks Patrick A. Wallace for his contribution.


Cite this article

Van den Bulck, P. Transfers of personal data to third countries. ERA Forum 18, 229–247 (2017). https://doi.org/10.1007/s12027-017-0482-3
