Export of personal data outside the EU after C-113/18
In my post Privacy Shield invalidated – what about EU data now?, I wrote that the invalidation of the Privacy Shield had consequences far beyond only the export of personal data EU personal data to the United States. The Court of Justice of the European Union (CJEU) verdict in case 113/18 imposes certain responsibilities for personal data exporters and importers in general. And it will be much easier for you to act in contrary to the GDPR. This has already been confirmed by the European Data Protection Board (EDPB).
PERSONAL DATA OUTSIDE THE EU AND EDPB
The EDPB is an independent European body that works towards a consistent application of data protection rules across the European Union and promotes cooperation between EU data protection authorities. The Board consists of representatives of member countries data protection authorities and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA States belonging to the European Economic Area (EEA) are also members with regard to issues related to the GDPR, but do not have the right to vote.
The EDPB is not a super body of some sort for the protection of EU personal data and therefore does not deal with, e.g., appeals against decisions of national authorities. BUT, the position it takes on a particular data protection case is very important. Why? Well, you can expect that EU members national data protection authorities most probably will have a very similar opinion in a given or a similar case.
Significantly, the CJEU’s judgment annulling the Privacy Shield was commented on almost immediately by the EDPB and the Board immediately made available on its website a list of the most frequently asked questions in connection with judgment C-113/18.
Lista is available in English and in EU member countries languages.
EXPORT OF PERSONAL DATA TO THE USA: FROM NOW ON YOU HAVE TO ASSESS ITS LEGAL BASIS
Okay, but what exactly does this judgment C-113/18 and its assessment by the EDPS actually tell?
First of all, the United States have ceased to be recognised by the EU as a country providing sufficient security and protection for personal data originating from the European Union.
The EU Commission’s Decision on the agreement on the Privacy Shield programme has been declared invalid. This means that you can no longer send personal information to the US (including even temporary storage on US servers) based on the Privacy Shield principles. The fact that an American company is certified under the Privacy Shield is no longer relevant. Sending data to the US ONLY on the basis of this certificate is contrary to the GDPR and if you continue doing so, then you can expect to be punished for GDPR violation. And I remind you that the penalties for violating the GDPR are very high.
From now on, you and your counterparty in the United States must independently assess the legal basis for the transfer ofpersonal data. Taking into account the criteria set out by the Court and the EDPS.
These criteria must always be applied when transferring personal data to countries that protect them at a level below the EU level.
Are there any novelties set forth in the EDPS guidelines and the C-113/18 judgement?
Well yes but actually no.
On the one hand, those who have so far transferred personal data outside the EU to countries that do not provide sufficient protection should have been aware of these criteria for a long time now. The export of personal data outside the EU is regulated in GDPR’s Chapter V titled ” Transfer of Personal Data to Third Countries or International Organisations”.
On the other hand, the CJEU and the EDPB stress that, in fact, each transfer of personal data outside the EU must be assessed separately with your non-EU partner.
Furthermore, the export of personal data outside the EU on the basis of Standard Contractual Clauses or Biding Corporate Rules may not protect you from being fined for violating the GDPR.
ARTICLE 46 AND 44 GDPR, I.E. DATA IN A THIRD COUNTRY ARE TO BE PROTECTED AS IN THE EU
In the judgment C-113/18, the Court pointed to a certain threshold which must be exceeded in order to speak at all about the lawful export of personal data outside the EU.
This threshold is the provisions of Article 46 of the GDPR in conjunction with Article 44.
Of course, the CJEU and the EDPB have put this in lengthy statements about the need to maintain “substantive equivalence”, but the conclusion is simple.
If you transfer personal data outside the EU in any form, you have a responsibility to ensure that, where it goes, it will be protected in the same way as in the Union under the “rules” of the GDPR. And you and your contractor from outside the Union have to investigate whether such protection will be provided, and if you come out after the examination that it is not, then you have to do everything to ensure the identical protection. Or you need to cease processing personal data.
It is easier said than done, because neither the CJEU nor the EDPB issued what specific additional protection measures you have to apply to export data in accordance with the GDPR.
But the Court and the EDPB agree that, quoting the EDPB guidelines:
“If you find that, taking into account the circumstances of the transfer and any additional measures – it would not be possible to provide adequate safeguards, you are obliged to suspend or terminate the transfer of personal data. However, if you wish to continue to process data despite such a negative assessment, you must notify the competent supervisory authority.”
Of course, the question is, how will the supervisory authority react after such a piece of information, has been received, correct😊?
ADDITIONAL SECURITY MEASURES I.E. COSTS, COSTS AND MONEY AGAIN
Then, what to do?
Well, you have to examine each transfer of personal data outside of EU using the threshold set forth by the CJEU and the EDPB as reference.
In practice, this means testing at least 3 levels:
- Legal side – what do the laws of the data importer’s country say about the level of personal data protection?
Do the laws of the importer’s country ensure that the data is protected at the same level as in the EU ?
If you find that they don’t, then you have to, ask yourself what can be done at the level of the agreement in order to provide such a protection which would be identical to the EU’s protection of personal data.
Keep in mind the Privacy Shield case. The CJEU found that the US legislation allows the authorities such access to personal data from the EU, which is not permitted by the GDPR.
The question is whether such access can somehow be legally prevented by introducing appropriate clauses in the contract with the American (or other “third country” collaborator of yours). Of course, these provisions must be followed by appropriate technical and organisational safeguards for the data .
- Technical side – will the personal data you provide be adequately protected technically in the country of the data importer? Of course this is mainly regarding the IT security
- Organization side – you must also ensure that your third country counterpart provides their protection at a level identical to that of the EU at the organisational For example, whether personal data is not sent at some point to private e-mail inboxes of the contractor’s employees, or whether only the selected group of employees has access to them, etc.
It sounds time consuming, complicated and, in some cases, such an examination can simply be very expensive.
EXCEPTIONS TO ARTICLE 49 OF THE GDPR
Fortunately, there are situations where the GDPR allows to export personal data outside the EU, even though the country of an importer does not provide the same level of protection as in the EU.
These exceptions are set out in Article 49 of the GDPR. I will cover them I detail hence it is not a blog on personal data protection, but please pay attention to two things.
First, the primary exception when you can export data to a country where it will not be protected as in the EU is the consent of the persons concerned. Of course, it needs to be obtained and those people need to be informed accordingly and in full in compliance with the GDPR and their national regulations.
Secondly, the EDPB echoed after the CJEU, that the other exceptions ( EXCEPT a personal consent) should be … truly unique.
The transfer of personal data based on other exceptions must be sporadic. It can not be permanent, because you will violate the GDPR.
Interesting, isn’t it ?
Is there a small revolution in the protection of personal data in the EU?
Probably not, but who knows what future brings
However, as for me, it is clear that the European Union has decided to take seriously their citizens’ personal data protection.