In today’s world, it is hard to imagine that any organisation might use personal data without transferring it, and commonly used cloud applications serve as an illustrative example. Most organisations use at least one of them in everyday work, which implies transferring personal data across the globe, as clouds are hosted in different countries. Moreover, in some jurisdictions, remote access to personal data counts as a transfer as well: if an IT support department located in one country has access to the personal data of the organisation’s office in another country, that constitutes a transfer of personal data.
Cross-border transfer of personal data
As the name suggests, the term implies a transfer of personal data from one jurisdiction to another. It can also take place within the boundaries of one country, as long as the transfer happens between multiple jurisdictions, which is usually the case in countries with free zones and similar “pockets” with different legislation.
Cross-border transfers of personal data are often regulated by data privacy laws. The need for such regulation lies in the fact that an individual whose personal data is transferred may enjoy a different level of protection in the importing jurisdiction, and might not have all the rights there that they have in the jurisdiction the data is transferred from. This can affect their rights under data protection laws and infringe their rights to privacy and to the protection of personal data, guaranteed by the European Convention on Human Rights, Convention 108, the Charter of Fundamental Rights of the European Union, the GDPR and other instruments, treaties and laws. Therefore, it is crucial that the importing country guarantees a certain level of protection.
GDPR and Cross-border Transfers
The GDPR is a European Union (‘EU’) regulation on data protection that covers the European Economic Area (‘EEA’) countries as well. It contains principles and rules for the processing of personal data, sets forth certain rights of individuals and safeguards the right to the protection of personal data. It is often regarded as the most comprehensive piece of privacy legislation.
Among other things, it also regulates cross-border transfers, namely transfers from the EU and EEA to third countries, which are the focus of this essay. The GDPR has an extraterritorial effect, meaning that under certain conditions it also obliges organizations outside the EU that process personal data of EU citizens.
The lawmaker’s intention was to ensure that the level of protection provided by the Regulation to natural persons in the EEA is not undermined. Essentially, the GDPR stipulates that a transfer of personal data to a third country (a non-EEA country) may occur only if the European Commission has decided that the third country provides an adequate level of protection; if the organisation that exports the data has provided appropriate safeguards prescribed by the GDPR; or in specific cases where certain conditions are met (a very narrow set of cases that are considered derogations from the general rules).
If a country is deemed adequate by the Commission, a transfer may happen without any additional safeguards or conditions having to be met. For a country to be deemed adequate, the Commission takes into consideration the rule of law, respect for human rights and freedoms, relevant legislation, national security and criminal laws, access of public authorities to personal data, implementation of such legislation, case law, effective and enforceable data subject rights, effective administrative and judicial redress for the data subjects whose personal data are being transferred, and so on. In addition, the existence and effective functioning of one or more independent supervisory authorities is taken into consideration when deciding on adequacy status. Lastly, the Commission also examines the international commitments the third country or international organisation has entered into, other obligations arising from legally binding conventions or instruments, and participation in multilateral or regional systems, especially with regard to the protection of personal data.
So far, only 12 countries have been deemed adequate by the Commission. If the number of adequate countries were higher, it would ease the movement of personal data, as organisations from those countries could move data within their jurisdictions in a more convenient manner and transfer data to other adequate countries knowing that human rights will be safeguarded under the laws of those countries.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
The Council of Europe (‘Council’) aims to protect individual freedoms, political liberty and the rule of law, and it pays particular attention to the protection of personal data and the right to privacy, as these rights are prone to infringement due to rapid technological developments. With that in mind, on 28 January 1981 the Council opened for signature the first legally binding international instrument for the protection of individuals’ personal data – the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Under the Convention, the parties are required to take all necessary steps to adapt their domestic legislation to the principles prescribed by the treaty, as well as to guarantee the fundamental human rights of all individuals with regard to the processing of personal data in their territory.
It further lays down principles for the processing of personal data, pertinent individual rights, appropriate security measures, rules surrounding international data transfers and so on. It has been modernised and now includes:
· Stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing
· Extension of the types of sensitive data, which now include genetic and biometric data, trade union membership and ethnic origin
· Obligation to declare data breaches
· Greater transparency of data processing
· New rights for persons in an algorithmic decision-making context, which are particularly relevant in connection with the development of artificial intelligence
· Stronger accountability of data controllers
· Requirement that the “privacy by design” principle is applied
· Application of the data protection principles to all processing activities, including processing for national security reasons, with possible exceptions and restrictions only under the conditions set by the Convention, alongside independent and effective review and supervision
· Clear regime of transborder data flow
· Reinforced powers and independence of the data protection authorities and enhanced legal basis for international cooperation.
As is evident from the changes listed above, the Convention has been modernised to reflect new technologies and to address the challenges individuals may face when their personal data is processed using such technologies. It also focuses on protecting individual rights, especially the right to the protection of personal data. Parties to the Convention have onerous responsibilities to incorporate its principles into their legislation, and those that succeed are considered to have comprehensive privacy legislation in place.
“Extending” Adequacy under the GDPR
As elaborated above, for a transfer to a third country to be compliant with the GDPR, one of the following conditions has to be met: the third country has to be deemed adequate by the Commission; the transfer has to be subject to appropriate safeguards; or the transfer has to be based on one of the derogations from the general rule. Relying on the safeguards is a complicated process, since it implies that an organisation has to conduct a transfer impact assessment to determine whether the laws and practices of the third country provide a level of protection equivalent to that under the GDPR. This can prove onerous, as it requires a lot of resources to be invested. On the other hand, if a transfer impact assessment is not conducted, individual rights might not be properly safeguarded in cases where personal data is transferred to a country that doesn’t guarantee an equivalent level of protection. Since many organisations cannot afford a proper transfer impact assessment, the Commission could accelerate the process of assessing countries by deeming the signatories to the Convention adequate. By signing the Convention, they have already bound themselves to protect individuals in the context of the processing of their personal data and, more broadly, to protect human rights and fundamental freedoms.
If we examine the requirements under the GDPR for a country to be deemed adequate, we notice that signatories to the Council’s Convention already satisfy a number of them. According to the GDPR, the following areas are considered: the rule of law; respect for human rights and fundamental freedoms; relevant legislation, including laws on public security, defence, national security and criminal law; and access to personal data by public authorities. The Council’s aim, on the other hand, is to “bring closer its members for the purpose of safeguarding and realising the ideals and principles which are their common heritage and facilitating their economic and social progress”. Common heritage is described as amalgamating freedom, political liberties and the rule of law – in other words, the principles which form the basis of all genuine democracies. All of the Council’s member states should work together towards achieving the proclaimed aims, which implies incorporating the common heritage into their legislation. Therefore, their laws should reflect freedom, political liberties and the rule of law, making them good candidates to be deemed adequate.
It is also important to remember that the material scope set out in Article 2 of the GDPR prescribes that the Regulation does not apply to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security, in relation to the EU’s common foreign and security policy. Therefore, the rights guaranteed by the GDPR are not absolute. Similarly, the Convention prescribes that any “exclusion must be provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society”. It continues by listing examples such as the protection of national security, defence, the investigation and prosecution of criminal offences, and the protection of individuals’ rights and fundamental freedoms.
Furthermore, when deciding on adequacy status under the GDPR, the Commission must take into account “data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.” The Convention’s requirements match those prescribed by the GDPR, since their core principles – the rights of individuals and the obligations of persons processing personal data, as well as the rules on supervisory authorities and transfers – are closely aligned. For instance, the Convention requires appropriate safeguards to be employed when personal data is transferred to a country that is not a signatory to the Convention. The only requirement that might have to be assessed in more detail is the existing case-law and how effective and enforceable data subject rights are.
Moreover, the GDPR requirements on having effective and independent supervisory authorities are aligned with the requirement in the Convention which compels signatories to establish one or more supervisory authorities to ensure compliance with its provisions. The Convention further stipulates that the supervisory authority should have investigative and enforcement powers and be able to impose administrative fines, oversee cross-border transfers and approve transfer safeguards.
Lastly, an assessment of a country’s obligations under international treaties or other legally binding instruments should provide an answer as to whether the country can be deemed adequate or not. If a country is a signatory to the Convention, that should certainly be taken as a positive factor when assessing the level of adequacy, but obligations stemming from being a party to other conventions should be assessed further.
To conclude, the author does not suggest that the signatories to Convention 108+ should automatically receive adequacy status, but rather that these countries are candidates with a good baseline, since their privacy legislation is closely aligned with the GDPR. It is with that in mind that the state of privacy in those countries should be assessed by the Commission. This would bring much needed clarity to organisations regarding data transfers to those countries. Furthermore, it would ease cross-border transfers of personal data and confirm that the rights of individuals in those countries can be guaranteed as required by the GDPR.