Legal Frameworks for International Data Transfer
Outside the scope of the GDPR, senders need to carefully research how to legally share data across borders, explains Astrid Braken from the CSA.
While transferring personal data within the EU is clearly and strictly regulated by the GDPR, senders looking to transfer data to other jurisdictions need to carefully research how they can legally share data across borders.
Cross-border data transfer is subject to data protection regulations, both national and international. Provided a sender is based in a member state of the European Union (EU) and wishes to send e.g. mailings to another EU country, this is simple: the rules of the General Data Protection Regulation (GDPR) apply.
If, however, a sender is located in the EU and wants to send data to a non-European country, they should find out in advance which data protection law applies in the country with which they want to exchange data. In many cases, the EU has built a bridge: here, so-called adequacy decisions apply specifically to the country. With an adequacy decision, the Commission determines that a third country, with its domestic legislation or international obligations, offers a comparable level of protection for personal data as the European Union. If the European Commission has adopted a corresponding adequacy decision, personal data may be transferred to the respective country without further authorization, provided that the other provisions of the GDPR are complied with. In other words, data transfers based on an adequacy decision are privileged: they are treated the same as those within the EU.
Currently, adequacy decisions exist for transfers of personal data to the following third countries:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Soon, South Korea will be added to the list.
For any exchange of personal data between the EU and all other countries, the sender must check on a case-by-case basis whether and how the level of protection can be guaranteed for the data transfer. Two jurisdictions that are of key importance for European businesses are the US and the UK. In 2020, the EU/US Privacy Shield was annulled by the European Court of Justice (EUCJ), and the United Kingdom left the European Union and hence the GDPR. New solutions need to be found for both jurisdictions.
What will replace the EU/US Privacy Shield?
The EU/US Privacy Shield, the last data transfer agreement concluded by Washington and Brussels, was overturned by Europe’s highest court last summer because, in the court’s view, the US intelligence services have surveillance capabilities that are too extensive. (See also the CSA blog article: “What to do after the toppling of the EU-US Privacy Shield?”)
Since the end of 2020, the European Union has been searching for other ways to find a workable basis for data transfers with the US. For example, the EU Commission has drawn up new standard contractual clauses for the transfer of personal data to third countries, the final adoption of which is expected soon. These contain more specific safeguards in the event that the laws of the country of destination (to which the data is sent) allow its authorities to disclose personal data.
However, the Commission has clarified that even when using the new clauses, supplementary measures may be necessary to adequately protect the transferred data from unrestricted access by the security authorities in a specific individual case. In the case of the USA, these measures are necessary in any case, due to the far-reaching access possibilities of the security authorities.
Therefore, even if the new standard contractual clauses are used, an appropriate concept should be coordinated with the data protection authorities in advance of any future data transfers to the USA. So the silver bullet is still a long way off.
In a nutshell: what is certain is that nothing is certain. Until a new data protection pact is agreed between the EU and the US, the transfer of personal data remains legally uncertain.
How does Brexit impact international data transfers?
Brexit entails an exit in stages in terms of data protection regulations. It was and is, therefore, characterised by transitional arrangements. The UK continued to be treated as an EU member until the end of 2020, with the result that cross-border data traffic could be handled on the basis of the General Data Protection Regulation (GDPR).
The EU and the United Kingdom have agreed on the ground rules for future cooperation under a Trade and Cooperation Agreement (TCA) for a further transitional period.
The TCA provides that current data transfers will be governed by the Data Protection Act 2018, i.e., national data protection law in the UK, and a new, adapted GDPR, the “UK GDPR”. This largely corresponds to the version of the GDPR that applies within Europe. Data transfers to the UK will therefore continue to be possible during the transition period as if the country were still in the EU.
The application of the transitional regime of the TCA is subject to a number of conditions. The UK must not change its data protection laws or engage in acts that effectively change the level of data protection that currently exists. If the UK were to violate this, data transfers from the EU to the UK would immediately be considered cross-border transfers to an unsafe third country under Art. 44 et seq. GDPR. As a result of this regulation, there is still legal uncertainty for EU data exporters, as the transitional provision could end at any time and without notice for data transmitters and processors.
When do the transitional arrangements end and what comes after that?
The EU’s goal is to present a so-called adequacy decision by the end of June this year at the latest, stating that the level of data protection in the UK is comparable to that in the EU. The decision is currently being negotiated; a first draft from the Commission is already available. The European Data Protection Board (EDPB) is expected to issue an opinion soon.
What happens if the adequacy decision does not come about?
In this case, senders could make use of the so-called Standard Contractual Clauses (“SCCs”) provided by the EU Commission. The problem here, however, is that the SCCs are being revised following the ruling of the European Court of Justice on the EU/US Privacy Shield. (See also Outlook for 2021 – What will keep us busy in the coming year? Part 2: New EU-US data transfer pact? and What to do after the toppling of the EU-US Privacy Shield?)
The draft adequacy decision by the EU Commission can make senders of commercial emails cautiously optimistic. Nevertheless, further developments must be closely monitored so that, if necessary, standard contractual clauses can be used flexibly. Therefore, senders should have a plan B for the implementation of SCCs in their back pockets.
Astrid Braken is an attorney and has been the Legal Counsel for the Certified Senders Alliance (CSA) since 2019. After her legal training, she worked for different representatives of the German Bundestag and for associations in the telecom sector. At the CSA, she is responsible for legal issues and carries out the legal checks during the certification process. She regularly writes legal articles for the CSA on the subject of email marketing and advises CSA senders on legal matters.