After the Court of Justice of the European Union invalidated, on October 6, 2015, the Safe Harbour arrangement (Schrems Case, C-362/14) which governed data transfers between the European Union (EU) and the US, the international transfer of personal data became an economic, social and political issue. The topic is now governed by the European Regulation passed by the European Union in April 2016. Why is this Regulation so important for non-EU companies?
The European Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR), published on 5 May 2016, shall apply from 25 May 2018. The Regulation repeals the European Directive 95/46/EC and is based on Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), which provides that everyone has the right to the protection of personal data concerning him or her. Its impact is considerable, since regulations produce a direct effect: they are binding in all their provisions, which means that individuals can invoke the Regulation in relation to another individual, a company, a State, a European institution or an international organisation (this is called a “complete direct effect”).
The GDPR’s territorial scope is quite wide, since it applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (art.3). Because the Regulation’s objective is to facilitate the free flow of personal data within the Union and the transfer to third countries (and international organisations), it seeks to ensure a high level of protection of personal data. Therefore, the international transfer of personal data from the EU to controllers, processors or other recipients in third countries or to international organisations should not undermine the level of protection of natural persons ensured by the Regulation (art.44). GDPR Chapter V is dedicated to “Transfers of personal data to third countries” and offers several options for carrying out such international transfers.
How to comply with GDPR rules regarding international data transfers?
A transfer can take place only if the conditions laid down in the Regulation are complied with by the controller or processor. Different options are available: some of them already existed under the Directive, while others are introduced by the Regulation.
The first legal basis for such transfer is the existence of an adequacy decision (art.45 Regulation) taken by the European Commission (EC) after the assessment of the level of protection provided by the third country considering:
its national legislation: data protection rules, including rules for the onward transfer of personal data to another third country, effective and enforceable data subject rights, and effective administrative and judicial redress for the data subjects whose personal data are being transferred,
the existence of an independent supervisory authority and
international agreements the third country has entered into.
The EC has so far recognized Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
From the Safe Harbour to the Privacy Shield
The European Commission’s decision of July 26, 2000 on the legal adequacy of the US was invalidated by the European Court of Justice (Schrems Case) in September 2015. Indeed, the protections for user data relied on self-assessment and self-certification by private companies, which the Court considered amounted to a lack of adequacy. Since then, the EC and the US have negotiated a replacement agreement: the EU-US Privacy Shield. Eventually, on July 12, 2016, the EC adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. However, the Privacy Shield is now being challenged by NGOs (La Quadrature du Net, a French NGO, Case T-738/16, and Digital Rights Ireland, Case T-670/16), which both consider that the decision infringes the Charter of Fundamental Rights of the EU because of the lack of an effective remedy and the lack of independent monitoring under the US regulatory regime.
Other available options
In the absence of an adequacy decision, the international transfer is still possible if the controller or processor provides appropriate safeguards such as: binding corporate rules (or BCRs, art.47), standard data protection clauses adopted by the EC (art.93-2) or standard data protection clauses adopted by a supervisory authority and approved by the EC.
BCRs are internal rules adopted by a multinational group of companies which define the group’s global policy with regard to international transfers of personal data, within the same corporate group, to entities located in countries which do not provide an adequate level of protection (art.47 Regulation). Legal tools are provided by the EC to help companies with BCRs.
The Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established inside or outside the European Economic Area. Such decisions are governed by Regulation 182/2011 of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers.
The GDPR introduces new options: the existence of an approved code of conduct (CoC, art.40 Regulation) or an approved certification mechanism (art.42-43 Regulation). Both can be used to demonstrate compliance with the Regulation, which treats them as formal components of data protection regulation. Certification fosters consumer trust in information-technology tools and services; it is provided today by EuroPriSe, a certification body backed by EC funding. The European Privacy Seal (the Seal) for IT products and IT-based services demonstrates privacy compliance on the basis of public criteria. The advantage of approved certification mechanisms over CoCs is that they cover compliance with privacy by design and by default (art.25 Regulation).
The recognition of CoCs and certification reflects the influence of the US privacy regime, which is based on self-regulation. Still, the GDPR’s influence remains strong, with the obligation for companies to inform data subjects about the framework of such transfers regardless of whether the data are collected from the data subject or not (art.13-1-f and art.14-1-f). CoCs and certification may also be used as marketing tools to guarantee compliance with the GDPR, besides facilitating international data transfers.
What are the consequences in case companies don’t comply with those rules?
Data controllers and processors will have more opportunities to show their compliance with GDPR. The recognition of approved CoCs means they are binding and enforceable just like the adherence to the Network Advertising Alliance principles. The first consequence is that the Federal Trade Commission will be entitled to bring a deception action claim against any company that self-certifies under a CoC and fails to comply.
The second is the liability of the company under the GDPR. Indeed, the Regulation sets clear rules in Chapter VIII regarding remedies. Companies will have to face multiple consequences: the right of a data subject to lodge a complaint with a supervisory authority, the individual right to an effective judicial remedy against a controller or processor, administrative fines that may be imposed by supervisory authorities, and penalties adopted by EU Member States.
Let us recall that infringements of the GDPR are subject to administrative fines of up to 20,000,000€ or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the provision infringed (art.93 Regulation). Non-compliance with a CoC or an approved certification mechanism is an aggravating circumstance allowing for a higher penalty.