What you should know about international transfers
In their daily activities, EU institutions and bodies may need to transfer personal data to recipients outside the European Union; these activities can include dealings with foreign public entities (for anti-fraud or competition investigations, for example), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, web-services), or when arranging staff work trips to non-EU countries.
Transfers of personal data (or personal information) from institutions and bodies of the European Union (EU) to countries that are not members of the European Economic Area (EEA, i.e. the EU Member States plus Norway, Iceland and Liechtenstein) are regulated under Chapter V of Regulation EU 2018/1725.
According to Regulation EU 2018/1725, international transfers may take place when there is an adequate level of protection to the fundamental right of individuals (data subjects) to data protection. Adequacy assessments may be carried out by those wishing to transfer data outside the EEA themselves, or by the European Commission. The Commission has determined that several countries ensure an adequate level of protection by reason of their domestic law or of the international commitments they have entered into. Transfers to US organisations that signed up to the Safe Harbor scheme were considered adequate pursuant to the European Commission Decision 2000/520/EC of 20 July 2000; however this adequacy decision was invalidated by the Court of Justice of the EU on 6 October 2015 (1) and as a result transfers to the U.S. can no longer take place on that basis. On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers: "the EU-U.S. Privacy Shield", replacing the Safe Harbor scheme, which has led to the adoption of a new adequacy decision by the European Commission, officially adopted on 12 July 2016, for transfers to U.S. organisations subscribing to the Privacy Shield.
In the absence of an adequacy decision, personal data may still be transferred by an EU institution to a non-EEA country under certain conditions:
(1) Judgement of the European Court of Justice of 6 October 2015 in Case C-362/14 (Schrems).
(2) Amongst other additional safeguards, we also note that Binding Corporate Rules (BCRs) are a transfer mechanism developed by national DPAs, which can be relied upon by private organisations in the context of their exchanges of personal data between entities that are part of the same organisation. It is a sort of internal code of conduct to which entities of the same organisation may subscribe. BCRs are not a mechanism that can be entered into by public entities, such as the EU institutions and bodies, for their own transfers, and the EDPS therefore cannot authorise them. However, EU institutions and bodies may validly choose a private service provider that has entered into BCRs for safeguarding transfers within its group of entities.
What are the main data protection issues?
Lawfulness - The collection, storage and use (processing) of personal information by any organisation must be compliant with data protection legislation. Furthermore, any transfer of such data must also have a proper legal basis (for EU institutions, this is Regulation EU 2018/1725) and be consistent with the original purpose of the processing.
Data quality - Organisations wishing to transfer data outside the EEA must respect the principles of purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimisation and ensure the accuracy of the data transferred and time limits for retaining the data.
Right of information - Individuals (data subjects) must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.
Rights of access and rectification - Individuals have a right to access the personal information being processed about them and to rectify any inaccurate or incomplete information. Exceptions may apply, for example in investigations into criminal offences. Deferral of information should be decided on a case-by-case basis and the reasons for any restriction should be documented. Individuals must also be informed on how they may exercise their rights.
Processing of special categories of personal data - Processing of special categories of data, such as data relating to health or revealing racial or ethnic origin, is in principle prohibited under data protection laws, except in specific circumstances. For example, it is possible to process sensitive data if the processing is necessary for the purpose of a medical diagnosis, or with specific safeguards for employment purposes.
Safeguards for transferring personal data to non-adequate countries
Adequate safeguards are data protection guarantees specifically for transfers of personal data to a recipient in a non-EEA country that is not deemed adequate. The safeguards must be outlined in a legally binding instrument, such as a contract or a Memorandum of Understanding, between the transferring and recipient parties. They should clearly describe the data protection principles that have to be respected, in particular:
Furthermore, a description of the details of the transfer, such as the categories of data, purposes, retention periods, detailed security measures, information to be provided to the individuals (data subjects) concerned and how they can exercise their rights must also be provided.
The following non-exhaustive list is a selection of documents for further reading:
On Safe Harbor and EU-U.S. Privacy Shield: