What you should know about international transfers
In their daily activities, EU institutions and bodies may need to transfer personal data to recipients outside the European Union; these activities can include dealings with foreign public entities (for anti-fraud or competition investigations, for example), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, web-services), or when arranging staff work trips to non-EU countries.
Transfers of personal data (or personal information) from institutions and bodies of the European Union (EU) to countries that are not members of the European Economic Area (EEA), i.e. the EU Member States plus Norway, Iceland and Liechtenstein, are regulated under Chapter V of Regulation EU 2018/1725.
According to Regulation EU 2018/1725, international transfers may take place when there is an adequate level of protection of the fundamental right of individuals (data subjects) to data protection. Adequacy assessments may be carried out by those wishing to transfer data outside the EEA themselves, or by the European Commission. The Commission has determined that several countries ensure an adequate level of protection by reason of their domestic law or of the international commitments they have entered into. Transfers to US organisations that signed up to the Safe Harbor scheme were considered adequate pursuant to European Commission Decision 2000/520/EC of 20 July 2000; however, this adequacy decision was invalidated by the Court of Justice of the EU on 6 October 2015 (1) and, as a result, transfers to the U.S. can no longer take place on that basis. On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers, "the EU-U.S. Privacy Shield", replacing the Safe Harbor scheme. This led the European Commission to adopt a new adequacy decision, officially adopted on 12 July 2016, for transfers to U.S. organisations subscribing to the Privacy Shield.
In the absence of an adequacy decision, personal data may still be transferred by an EU institution to a non-EEA country under certain conditions:
- if the organisation wishing to transfer data outside the EEA can provide adequate safeguards, for example by adopting the Commission's standard contractual clauses, or other binding safeguards authorised by the European Data Protection Supervisor (EDPS); (2)
- the organisation wishing to transfer data outside the EEA can refer to one of the derogations listed in the Regulation, provided that the transfer is not repeated, massive or structural, and no other legal framework can be used. Examples of derogations include an individual giving her consent for her data to be transferred; a transfer that is necessary for the conclusion or performance of a contract; or a transfer necessary for exercising a defence in legal proceedings.
(1) Judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 (Schrems).
(2) Amongst other additional safeguards, we also note that Binding Corporate Rules (BCRs) are a mechanism for transfer that has been developed by national DPAs, which can be relied upon by private organisations in the context of their exchanges of personal data between entities that are part of the same organisation. It is a sort of internal code of conduct to which entities of the same organisation may subscribe. BCRs are not a mechanism that can be entered into by public entities, such as the EU institutions and bodies, for their own transfers, and the EDPS therefore cannot authorise them. However, EU institutions and bodies may validly choose a private service provider that has entered into BCRs for safeguarding transfers within its group of entities.
What are the main data protection issues?
Lawfulness - The collection, storage and use (processing) of personal information by any organisation must be compliant with data protection legislation. Furthermore, any transfer of such data must also have a proper legal basis (for EU institutions, this is Regulation EU 2018/1725) and be consistent with the original purpose of the processing.
Data quality - Organisations wishing to transfer data outside the EEA must respect the principles of purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimisation and ensure the accuracy of the data transferred and time limits for retaining the data.
Right of information - Individuals (data subjects) must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.
Rights of access and rectification - Individuals have a right to access the personal information being processed about them and to rectify any inaccurate or incomplete information. Exceptions may apply, for example in investigations into criminal offences. Deferral of information should be decided on a case-by-case basis, and the reasons for any restriction should be documented. Individuals must also be informed about how they may exercise their rights.
Processing of special categories of personal data - Processing of special categories of data, such as data relating to health or revealing racial or ethnic origin, is in principle prohibited under data protection laws, except in specific circumstances. For example, it is possible to process sensitive data if the processing is necessary for the purpose of a medical diagnosis, or with specific safeguards for employment purposes.
Safeguards for transferring personal data to non-adequate countries
Adequate safeguards are data protection guarantees specifically for transfers of personal data to a recipient in a non-EEA country that is not deemed adequate. The safeguards must be outlined in a legally binding instrument, such as a contract or a Memorandum of Understanding, between the transferring and recipient parties. They should clearly describe the data protection principles that have to be respected, in particular:
- data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
- data quality and proportionality;
- information of individuals concerned;
- security measures;
- possibility for the individuals involved to exercise their rights of access, rectification and opposition;
- restrictions on onward transfers by the data recipient;
- effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.
Furthermore, a description of the details of the transfer, such as the categories of data, purposes, retention periods, detailed security measures, information to be provided to the individuals (data subjects) concerned and how they can exercise their rights must also be provided.
The following non-exhaustive list is a selection of documents for further reading:
- EDPS position paper on transfers with relevant prior-checks Opinions and consultations
- EDPS Consultation on the impact of the Safe Harbour ruling on the transfer of personal data carried out by DG MARE (Commission) in the framework of '306° Feedback leadership Circle' (Case 2015-0924)
- EDPS Decision on transfers of personal data carried out by OLAF through the Investigative Data Consultation Platform (Case 2012-0280)
- EDPS Prior-check Opinion on the European Parliament's "Safe Mission Data" system providing support to external missions in case of medical emergencies (Case 2012-0105)
- EDPS Letter to the European Aviation Safety Agency on international transfers (case 2010-0614)
- EDPS Consultation on transfer of personal data to American Express Corporate Travel SA (AMEX) (Case 2009-0390)
- Working document of the Article 29 Working Party on a common interpretation of Article 26(1) of Directive 95/46/EC on derogations
- Webpage of the Commission (DG JUST) on transfers:
On Safe Harbor and EU-U.S. Privacy Shield:
- Judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 (Schrems)
- Communication from the Commission on the transfers of personal data from the EU to the USA under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems)
- Statement of the Article 29 Working Party on the consequences of the Schrems judgment
- EU-U.S. Privacy Shield (website of DG Just)
- Opinion 01-2016 of the Article 29 Working Party on the EU-US Privacy Shield
- EDPS Opinion 04-2016 on the EU-US Privacy Shield draft adequacy decision