Out-Law News

Data transfers guidance should prompt companies to review privacy notices, says expert
New guidance issued on data transfers should prompt companies to review their privacy notices, an expert has said.

The guidance on data transfers (16-page / 379KB PDF), issued by the European Commission, sets out how businesses can transfer personal data outside of the EU in ways that adhere to EU data protection laws.

The Commission confirmed that businesses can rely on the consent of data subjects to transfer personal data outside of the EU. However, it said that consent needs to be "freely given, specific and informed" and obtained in advance of transfers taking place.

Companies that seek consent to data transfers online should not rely on consent from "pre-ticked boxes", it said.

"Where [consent] is requested online, the Article 29 Working Party has recommended the use of boxes to be ticked (rather than pre-ticked boxes)," the Commission said. "Because the consent must be unambiguous, any doubt about whether it actually has been given would render the derogation inapplicable. This will likely mean that many situations where consent is at best implied (for example, because an individual has been made aware of a transfer and has not objected) would not qualify."

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that businesses will want to "review closely" their privacy notices in light of the Commission's guidance. He said companies may find their consent mechanisms are "not effective" now and that a review is necessary given that there is likely to be "greater scrutiny" of data transfer arrangements by data protection authorities following an EU court ruling last month.

In its guidance, the Commission advised businesses to use mechanisms other than consent to transfer personal data outside of the EU where transfers are made on a "repeated, mass or structural" basis. It also said that consent would not be an appropriate method to rely on for data transfers where there is pressure on data subjects to agree to the data transfer arrangements.

"This is particularly relevant in the employment context, where the relationship of subordination and inherent dependency of employees will normally call into question reliance on consent," the Commission said.

"More generally, consent given by a data subject who has not had the opportunity to make a genuine choice or has been presented with a fait accompli cannot be considered valid," it said. "Of significant importance is that the data subjects are properly informed in advance that the data may be transferred outside the EU, to which third country and under which conditions (its purpose, the identity and details of the recipient(s), etc.). This information should address the specific risk that their data will be transferred to a third country lacking adequate protection. Furthermore … withdrawal of a data subject's consent, while not retroactive, should, as a principle, prevent any further processing of personal data."

The Commission also said that businesses are responsible for assessing whether local laws present a risk that personal data transferred to those countries may not be adequately protected. That obligation exists where the Commission has not deemed the country to which personal data is being sent as providing adequate data protection, it said.

The Commission's guidance follows a ruling last month by the Court of Justice of the EU (CJEU). The CJEU ruled as "invalid" a Commission decision that recognised a privacy framework in the US as providing for adequate data protection when personal data was transferred to the US from the EU. Concerns about the regard given to privacy in US legislation on communications surveillance were highlighted in the CJEU's judgment.

The ability to transfer personal data outside the European Economic Area is restricted under the EU's Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.

In its guidance, the Commission said that data controllers must "ensure that their data transfers take place with sufficient safeguards in accordance with … the Directive" when transferring personal data to countries that are not the subject of "a Commission finding of adequacy".

"This assessment needs to be carried out in the light of all the circumstances surrounding the transfer at issue," the Commission said.

It said that Commission-approved model contract clauses and binding corporate rules (BCRs), both mechanisms that facilitate data transfers, require data importers to "promptly inform" data exporters in the EU if they have "reasons to believe that the legislation applicable in the recipient country may prevent it from fulfilling its obligations" to safeguard personal data in line with the standards required under EU law.

"In such a situation, it is up to the exporter to consider taking the appropriate measures necessary to ensure the protection of personal data," the Commission said. "These may range from technical, organisational, business-model related or legal measures to the possibility to suspend the data transfer or to terminate the contract."

The Commission said, therefore, that businesses may not always be able to rely solely on implementing BCRs or model clauses in their contracts as demonstrating their compliance with EU data protection laws on data transfers.

"Taking into account all the circumstances of the transfer, data exporters may thus have to put in place additional safeguards to complement those afforded under the applicable legal basis for transfer to meet the requirements of … the Directive," the Commission's guidance said. It said it is up to national data protection authorities to determine if businesses meet their compliance duties "on a case-by-case basis".

Dautlich has previously identified encryption and anonymisation as examples of methods businesses can deploy to protect privacy when engaging in data transfers.

The Commission said it will move to update "all existing adequacy decisions" to remove restrictions that those decisions put on the powers of national data protection authorities to suspend data flows to countries designated by the Commission as providing adequate data protection. In its October ruling, the CJEU said that the Commission did not have the power to limit data protection authorities' powers to intervene in data transfer arrangements made under the EU-US safe harbour regime.

The Commission also said it plans to "engage in a regular assessment of existing and future adequacy decisions, including through the periodic joint review of their functioning together with the competent authorities of the third country in question".

Only a small number of countries outside of the EU have been designated as providing for adequate data protection by the Commission to-date, including Canada, New Zealand and Switzerland.

The Commission said it hopes to agree a replacement 'safe harbour' framework for EU-US data transfers within three months.

Safe Harbour 2.0, as it has been dubbed by some, would be "the most comprehensive solution for ensuring effective continuity of the protection of personal data of European citizens when they are transferred to the United States", the Commission said. The planned new framework "also provides the best solution for transatlantic trade as it offers a simpler, less burdensome and therefore less costly transfer mechanism, in particular for SMEs", it said.