Vulnerability in International Data Transfer

compliance-insider.com/2021/07/16/vulnerability-in-international-data-transfer/

16. Juli 2021

Introduction

Within the European Economic Area (that is, the EU member states plus Iceland,
Liechtenstein and Norway; hereinafter EEA or Europe), data protection is appreciated as
both a right and a freedom: a right to protection from risks emanating from processing
personal data and a freedom of the processors of personal data – both fall within the
scope of protection by the EU General Data Protection Regulation (GDPR) – however,
within the territory and jurisdiction of the EU (Ntouvas, 2019). This means that within
Europe, the GDPR permits for a free flow of personal data, also placing an obligation on
all EEA member states to be bound to the protection standards set by the GDPR
(Wagner, 2018). However, the application of the GDPR reaches also beyond the
jurisdictional borders of the EEA in that the processing of personal data of EEA citizens
and residents must abide by GDPR prescripts even when such processing occurs outside
Europe1. This is evidence that the application of the GDPR focuses on the individual
rights of European citizens and residents, which, in the case of data protection and
information security, supersede countervailing interests like the free flow of information
(Ryngaert & Taylor, 2020).

E-commerce and online transactions across the globe have very quickly become the
norm. While the GDPR has been criticised for hampering international trade outside of
the EU, surveys conducted in Europe show the already high importance placed on the
protection of personal data – by both the private and public sectors (Yakovleva & Irion,

1/7
2020): reality is that individuals and businesses pay the price for the disregard of data
privacy, which can ultimately result in identity theft, extensive revenue losses as well as
the infringement of individual and societal values (Yakovleva & Irion, 2020).

Adequacy Decision and Appropriate Safeguards

The GDPR allows the transfer of personal data of EEA citizens and residents outside of
Europe provided (a) the destination country has been subject to an adequacy decision
and (b) appropriate safeguards to protect the said personal data have been put in place
(EU IT Governance Privacy Team, 2019). Put differently, the adequacy principle is
encapsulated in Article 45 of the GDPR and broadly requires that, before personal
information of European citizens and residents is transferred outside of Europe, approval
must be sought in advance from the European Commission to ensure that such personal
data is duly protected, in the relevant foreign jurisdiction, at the same level as in Europe
(Phillips, 2018). Article 46 of the GDPR prescribes that, in the absence of an adequate
decision (as per Article 45), a controller [1] or processor [2] may permit a transfer of
personal data to third countries (i.e. countries outside the Union), subject to appropriate
safeguards [3][4].

Safeguards for international data transfers set out in the GDPR

Distinction between “adequate” and “non-adequate” countries outside the EEA

for the purpose of determining the adequacy of safeguards for the protection of
personal data. To arrive at adequacy decisions, the European Commission takes
into consideration factors like the rule of law, the existence legislation pertaining to
criminal law, defence, public security as well as manifest respect for human rights
and fundamental freedoms (EU IT Governance Privacy Team, 2019). The European
Commission publishes the complete list of adequate countries on its website.

Binding Corporate Rules (BCRs) allow for company groups (or groups of
companies) with group companies outside the EEA to set out their own global policy
pertaining to the transfer of personal data, which would apply within such group.
Such BCRs, however, are subject to prescribed content requirements, an approval
process coordinated by one Data Protection Authority (DPA) in Europe and due
compliance once approval is obtained (for example, data protection audits,
prescribed training for personnel with access to personal data). It is important to
note that the BCRs cover only the transfer of personal data intra-group (and, as
such, excludes third parties). Company groups most likely to benefit from BCRs are
those with a complicated internal network of processing activities.

Also, the following additional benefits are derived from large corporate groups with
global presence [5]:

Gold standard: BCRs based on GDPR are perceived as the “gold standard” for data
protection compliance. The commercial and reputation values also lie in the fact that not
many companies world-wide have these,

2/7
Regulator approved: tied to the above, BCRs are vetted and audited via GDPR
certification mechanisms,

Compliance effectiveness: BCRs are binding on all group companies “by design” (unlike
standard model clauses, which are bilateral instruments between all group companies
involved),

Agility & efficiency: approved BCRs imply the introduction of a company (and group) wide
data privacy governance and policy framework that are easier transferable in the event of
M&As, divestments and de-mergers.

Standard Contractual Clauses (SCCs): these are drafted by the European

Commission and can also be drafted by the local Data Protection Authority (DPA).
Required here is the signature of the company exporting the personal data (data
exporter) and the company receiving the same (data importer) – provided the data
exporter is able to comply with the Standard Model Clauses in the agreement.
These clauses incorporate contractual duties on the data exporter and the data
importer [6]. SCCs are currently the most utilised method by commercial entities, for
lawful cross-border transfers of personal data (Bradford, Aboy, & Liddell, 2021).
SMEs favour this method too and it is imperative that they keep abreast of any
amendments subsequently enforced by the European Commission: the data
exporter is more likely to be targeted for regulatory scrutiny and should, as such,
take precautions such as remaining knowledgable of the jurisdictions, where to
personal data was transferred in the past, regularly reviewing the international data
transfer mechanism (e.g. BCRs) to ascertain if these are still appropriate for the
business, and having mechanisms in place to ensure compliance on the part of the
data importer [7]. As at the publication of this article, the European Commission
published the final version of the new SCCs on 4 June 2021 (Blaney, Shankar, &
McMullon, 2021).

Approved certification mechanism: here, compliance with GDPR is shown via

certification, data protection seals and marks, plus binding and enforceable
commitments.

Approved Code of Conduct: it includes provisions on the international transfer of

personal data together with binding and enforceable commitments on the
application of the Code.

Ad-hoc contracts: these must be approved by a competent Supervisory Authority.

Derogations: where there are neither adequacy decisions nor appropriate

safeguards, the GDPR permits the transfer of personal data – provided the data
subject has been informed of the possible risks pertaining to the imminent transfer
and has expressly consented thereto. Data transfer is also allowed where the
transfer is necessary for the conclusion or performance of an agreement with or in
the interest of the data subject or to protect vital interests of the data subject.
Alternatively, also for the ascertainment, processing or defence of legal claims.

3/7
It is important to keep in mind that the above appropriate safeguards (as per Article 46
GDPR), collectively and individually, constitute multi-tiered alternatives for data protection,
duly relying on the law, technology and organisational commitments (Bradford, Aboy, &
Liddell, 2021).

Recommendation 01/2020 on measures that supplement transfer tools to

ensure compliance with the EU level of protection of personal data
(version 2.0)
On 18 June 2021, the European Data Protection Board (edpb) adopted an updated
version of its recommendation 01/2020 (after public consultation), which it had adopted
on 10 November 2020 for public consultation [9]. The central focus of this edpb
recommendation relates to the principle of accountability, which is deemed as “necessary
to ensure the effective application of the level of protection conferred by the GDPR also
applies to data transfers to third countries since they are a form of data processing in
themselves” (para. 1.4 of the edpb recommendation). Therefore, controllers and
processors are obliged to remain accountable, at all times, when processing and
transferring the personal data impacted by the GDPR (para. 1.5 of the edpb
recommendation).

edpb Roadmap to Apply the Principle of Accountability to Data Transfers in

Practice

The roadmap devised by the edpb serves to guide controllers and processors through the
processing and international transfer of personal data that falls within the scope of the
GDPR.

At the same time, the steps contained in this roadmap also illustrates the centrality of the
principle of accountability as well as the vulnerability of the said personal data in the
context of international transfer that has grown to become an integral part of our lives:

1. Know your transfers

This step requires controllers and processors to be intimately familiar with all transfers
and includes appreciating the complexity. When duly recording and mapping all transfers,
due consideration must be paid to the entire personal data processing value chain, the
GDPR principle of data minimisation and the wide definition of the notion of “transfer”
applicable especially to international cloud infrastructures [10].

2. Identifying the transfer tools relied upon

This next step requires of controllers and processors to select the transfer tools, as listed
in Chapter V of the GDPR [11]. The edpb recommendation, in this part, sets out practical
guidelines pertaining to adequacy decisions, Article 46 transfer tools (being the
appropriate safeguards) and derogations [12].

3. Assessment whether the Article 46 transfer tool selected is effective considering

all circumstances of the transfer

4/7
The controllers and processors are accountable to ensure that the selected Article 46 tool
is, in fact, effective in duly safeguarding the level of protection guaranteed by the GDPR.
The requisite assessment includes that of the third country where the said personal data
is intended to be transferred to and, more specifically, the laws and practices of such
country, as relevant to the said transfer, as applicable to human rights and other rights
and freedoms guaranteed in Europe. Also, matters such as the purpose of the sought
transfer, the format of the said data and the types of entities involved will need to be
considered. The assessment process to be undertaken by controllers and processors is
rigorous and the documentation hereof possibly subject to scrutiny by the relevant
supervisory and / or judicial authorities [13].

4. Adoption of supplementary measures

This step requires of controllers and processors to visit the outcome of the assessment
conducted in step 3 above. If the outcome of the assessment is that the selected GDPR
transfer tool is not effective, then it may be necessary to ascertain if supplementary
measures [14] exist. Just like with the transfer tools, controllers and processors are
required to assess which of the contractual, technical or organisational supplementary
measures are most effective for the different third countries. This assessment also
requires due consideration of factors like the format of the data, the length and complexity
of the data processing workflow as well as the possibility that the said data could be
subject to onward transfer [15]. Examples of supplementary measures (along with use
cases and examples) are set out in Annex 2 of this edpb recommendation, and constitute
technical measures, additional contractual measures and organisational measures.

5. Procedural steps where effective supplementary measures have been identified

Subject to effectiveness, the selected supplementary measures to be implemented by the

controllers and processors have been listed as follows:

Standard protection clauses (SCCs);

Binding corporate rules (BCRs); and
Ad hoc contractual clauses [16].

6. Ongoing re-evaluation

Showing accountability also means that controllers and processors must, on a regular
basis and when appropriate, monitor all relevant developments in the third countries,
where the transfer of relevant personal data has occurred. This step also requires the
introduction and maintenance of reliable mechanisms, which ensure the immediate
suspension or termination of transfers where there has been a breach of Article 46 GDPR
tools or where the implemented supplementary measures are no effective in the said third
countries [17].

Closing Remarks

5/7
The regulation of international data transfer by the GDPR is multi-layered and complex,
especially in the absence of an “adequacy decision” by the European Commission: in
terms of the latest provisions pertaining to SCCs, for example, affected controllers and
processors are required to adopt SCCs in relation to their customers, affiliates and
suppliers by December 2022 (Blaney, Shankar, & McMullon, 2021). The GDPR along with
binding judgements by the Court of Justice of the European Union (CJEU) and the
publications by the edpb will continue to be tested, streamlined and, in some cases even
invalidated (Ktenas, 2021), leaving companies vulnerable. For the controllers and
processors of the personal data of EU citizens and residents this means acquiring reliable
advisory services and keeping a close ear to the ground for the many new developments,
in this regard.

Bibliography
Blaney, R. P., Shankar, V. V., & McMullon, K. (2021, June 7). Navigating the New
Standard Contractual Clauses for International Data Transfers under the GDPR. National
Law Review, XI(158).
Bradford, L., Aboy, M., & Liddell, K. (2021). Standard contractual clauses for cross-
border transfers of health data after Schrems II. Journal of Law and the Biosciences, 8(1),
pp. 1-36.
IT Governance Privacy Team. (2019). EU General Data Protection Regulation (GDPR):
An Implementation and Compliance Guide (Vol. 3). Cambridgeshire: IT Governance Ltd.
Ktenas, N. (2021). European Union: International Data Transfers Under The GDPR:
From Schrems To The New Standard Contractual Clauses And The EDPB
Recommendations. mondaq.
Ntouvas, I. (2019). Exporting personal data to EU-based international organizations
under the GDPR. International Data Privacy Law, 9(4), pp. 272-284.
Phillips, M. (2018). International data-sharing norms: from the OECD to the General
Data Protection Regulation (GDPR). Human Genetics, 137, pp. 575-582.
Ryngaert, C., & Taylor, M. (2020). The GDPR as Global Data Protection Regulation?
AJIL Unbound, 114, 5-9. doi:10.1017/aju.2019.80
Wagner, J. (2018). The transfer of personal data to third countries under the GDPR:
when does a recipient country provide an adequate level of protection? International Data
Privacy Law, 8(4), pp. 318-337.
Yakovleva, S., & Irion, K. (2020). Pitching trade against privacy: reconciling EU
governance of personal data flows with external trade. International Data Privacy Law,
10(3), pp. 201-221.

Notes

[1] A data controller determines the purpose for which and the means by which personal
data is processed. So, if a company/ organisation decides ‘why’ and ‘how’ the personal
data should be processed it is the data controller. Employees processing personal data in
such a company / an organisation do so to fulfil its tasks as data controller.
[2] The data processor processes personal data only on behalf of the controller. The

6/7
data processor is usually a third party external to the company. However, in the case of
groups of undertakings, one undertaking may act as processor for another undertaking.
[3] https://www.dataprotection.ie/en/organisations/international-transfers/transfers-
personal-data-third-countries-or-international-organisations
[4] https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-the-future-of-international-
data-transfer.html
[5] https://www.bakermckenzie.com/-/media/files/insight/publications/2020/01/binding-
corporate-rules.pdf
[6] https://www.dataprotection.ie/en/organisations/international-transfers/transfers-
personal-data-third-countries-or-international-organisations
[7] https://www.bakermckenzie.com/-/media/files/insight/publications/2019/12/sccs-are-
under-scrutiny.pdf
[8] https://bg.schindhelm.com/en/news-jusful/news/new-eu-data-protection-law-data-
transfer-to-third-countries
[9] https://edpb.europa.eu/system/files/2021-
06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
[10] Paras. 8 – 13
[11] Chapter V (Arts. 44 – 50) regulates the transfer of personal data to third countries or
international organisations and, more specifically, outlines the requirements pertaining to
adequacy decisions (Art. 45), appropriate safeguards (Art. 46), binding corporate rules
(Art. 47), transfers or disclosures not authorized by Union law (Art. 48), derogations for
specific situations (Art. 49) and international cooperation for the protection of personal
data (Art. 50).
[12] Paras. 14 – 27
[13] Paras. 28 – 49
[14] Supplementary measures are supplementary to the safeguards entailed in Article 46
and to any other tools (for example, technical security measures) that are provided for in
the GDPR.
[15] Paras. 50 – 58
[16] Paras. 59 – 66
[17] Paras. 67 – 68

Other Sources

7/7