EU Law

Export of personal data outside the EU after C-113/18

In my  post Privacy Shield invalidated – what about EU data now?, I wrote that the invalidation of the Privacy Shield had consequences far beyond only the export of personal data EU personal data to the United States. The Court of Justice of the European Union (CJEU) verdict in case 113/18  imposes certain responsibilities for  personal data exporters and importers in general. And it  will be much easier for you to act in contrary to the GDPR. This has already been confirmed by the  European Data Protection Board (EDPB).





export of personal dat outside EU has just become more difficult













The EDPB is an independent European body that works towards a consistent application of data protection rules across the European Union and promotes cooperation between EU data protection authorities. The Board consists of representatives of member countries data protection authorities and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA States belonging to the European Economic Area (EEA) are also members with regard to issues related to the GDPR,  but do not have the right to vote.

The EDPB is not a super body of some sort for the protection of EU personal data and therefore does not deal with, e.g., appeals against decisions of national authorities.  BUT, the position it takes on a particular data protection case is very important. Why? Well, you can expect that  EU  members national data protection authorities most probably will have a very similar opinion in a given or a similar case.

Significantly, the CJEU’s judgment annulling the Privacy Shield was commented on almost immediately by the EDPB and the Board immediately made available on its website a list of the most frequently asked questions in connection with judgment C-113/18.

Lista is available in English and in EU member countries languages.





EU  has finally started to REALLY protect peronal data











Okay, but what exactly does this judgment C-113/18 and its assessment by the EDPS actually tell?

First of all, the United States have ceased to be recognised by the EU as a country providing sufficient security and protection  for personal data originating from the European Union.

The EU Commission’s Decision on the agreement on the Privacy Shield programme has been declared invalid.  This means that you can no longer send personal information to the US (including even temporary storage on US servers) based on the Privacy Shield principles. The fact that an American company is certified under the Privacy Shield  is no longer relevant. Sending data to the  US ONLY on the basis of this certificate is contrary to the GDPR and if you continue doing  so, then you can expect to be punished for GDPR violation.  And I remind you that the penalties for violating the GDPR are very high.

From now on, you and your counterparty in the United States must independently assess the legal basis for the transfer ofpersonal data. Taking into account the criteria set out by the Court and the EDPS.

These criteria must always be applied when transferring personal data to countries that protect them at a level below the EU level.

Are there any novelties set forth in the EDPS guidelines and the C-113/18 judgement?

Well yes but actually no.

On the one hand, those who have so far transferred personal data outside the EU to countries that do not provide sufficient protection should have been   aware of these criteria for a long time now. The export of personal data outside the EU is regulated in GDPR’s Chapter V titled ” Transfer of Personal Data to Third Countries or International Organisations”. 

On the other hand, the CJEU and the EDPB stress that, in fact, each transfer of personal data outside the EU must be assessed separately with your non-EU partner.

Furthermore, the export of personal data outside the EU on the basis of Standard Contractual Clauses or Biding Corporate Rules may  not protect you from being fined for violating the GDPR.














In the judgment C-113/18, the Court pointed to a certain threshold which must be exceeded in order to speak at all about the lawful export of personal data outside the EU.

This threshold is the provisions of Article 46 of the GDPR in conjunction with Article 44. 

Of course, the CJEU and the EDPB have put this in lengthy statements about the need to maintain “substantive equivalence”,  but the conclusion is simple.

If you transfer personal data outside the EU in any form, you have a responsibility to ensure that, where it goes, it will be protected in the same way as in the Union under the “rules” of the GDPR.    And you and your contractor from outside the Union have to investigate whether such protection will be provided, and if you come out after the examination that it is not, then you have to do everything to ensure the identical protection. Or you need to cease processing personal data.

It is easier said than done, because neither the CJEU  nor the EDPB issued  what specific additional protection measures you have to apply to export data in accordance with the GDPR.

But the Court and the EDPB agree that, quoting the EDPB guidelines:

If you find that, taking into account the circumstances of the transfer and any additional measures – it would not be possible to provide adequate safeguards, you are obliged to suspend or terminate the transfer of personal data. However, if you wish to continue to process  data despite such a negative assessment, you must notify the competent supervisory authority.”


 Of course, the question is, how will the supervisory authority react after such a piece of information, has been received, correct😊?





Data protection costs











Then, what to do?

Well, you  have to examine  each transfer of personal data outside of EU  using the threshold set forth by the CJEU and the EDPB as reference.  

In practice, this means testing  at least 3 levels:

  • Legal side – what do the laws of the data importer’s country say about the level of personal data protection?

Do the laws of the importer’s country ensure that the data is protected at the same level as in the EU ?

 If you find that they don’t, then you have to,  ask yourself what can be done at the level of the agreement in order to provide such a protection which would be  identical to the EU’s protection of personal data.

Keep in  mind the Privacy Shield case.  The CJEU found that the US legislation allows the authorities such access to personal data from the EU, which is not permitted by the GDPR.

The question is whether such access can somehow be legally prevented by introducing appropriate clauses in the contract with the American (or other  “third country” collaborator of yours). Of course, these provisions must be followed by appropriate technical and organisational safeguards for the data .

  • Technical side – will the personal data you provide be adequately protected technically in the country of the data importer? Of course this is mainly regarding the  IT security

  • Organization side – you must also ensure that your third country counterpart provides their protection at a level identical to that of the EU at the organisational   For example, whether personal data is not sent at some point to private e-mail inboxes of the contractor’s employees, or whether only the selected group of employees has access to them, etc.

It sounds time consuming, complicated and, in some cases, such an examination can simply be very expensive.





Privacy of data









Fortunately, there are situations where the GDPR allows to export  personal data outside the EU, even though the country of an importer does not provide the same level of protection as in the EU.

These exceptions are set out in Article 49 of the GDPR. I will cover them I detail  hence it is not  a blog on personal data protection, but please pay attention to two things.

First, the primary exception when you can export data to a country where it will not be protected as in the EU  is  the consent of the persons concerned. Of course, it needs to be obtained and  those people need to be informed accordingly and  in full  in compliance with the GDPR and their  national regulations.

Secondly, the EDPB echoed  after the CJEU, that the other exceptions ( EXCEPT  a personal consent) should be … truly unique.

The transfer of personal data based on other exceptions must be  sporadic.  It can not be permanent, because you will violate the GDPR.

  Interesting, isn’t it ?

Is there a small revolution in the protection of personal data in the EU?

Probably not, but who knows what future brings

However, as for me, it is clear that the European Union has decided to take seriously their citizens’ personal data protection.

Yours, Prawstoria

Powiązane artykuły

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button