What is the Communication on international personal data transfers about? Why now?
The reform of EU data protection legislation, adopted in April 2016, puts in place a system that ensures a strong level of protection both inside the EU and for the international exchange of personal data for commercial and law enforcement purposes. The new rules will come into application in May 2018.
They will strengthen consumer trust in the digital economy and make it easier for EU and foreign companies to carry out their business activities in the EU, including through international data exchanges.
Having completed the EU's data protection rules, the Commission is now setting out a strategy on promoting international data protection standards. The Communication presents the different tools to exchange personal data internationally, based on the reformed data protection rules, as well as the Commission's strategy for engaging with selected third countries in the future to reach adequacy decisions and promoting data protection standards through multilateral instruments.
What are the tools available for international personal data transfers?
The 2016 General Data Protection Regulation offers a 'toolkit' of mechanisms to transfer personal data from the EU to third countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct. The primary purpose of these mechanisms is to ensure that when the personal data of Europeans is transferred abroad, the protection travels with the data. While the architecture of international personal data transfers is similar to that under the 1995 Data Protection Directive, the reform simplifies and expands their use and introduces new tools for international transfers (e.g. codes of conduct and certification mechanisms).
What is an adequacy decision?
An adequacy decision is a decision taken by the Commission establishing that a third country provides a comparable level of protection of personal data to that in the European Union, through its domestic law or its international commitments. As a result, personal data can flow from the 28 Member States and the three European Economic Area (EEA) member countries (Norway, Liechtenstein and Iceland) to that third country, without being subject to any further safeguards or authorisations. Adequacy decisions have so far been available only to cover personal data transfers for commercial purposes. A novelty of the reformed EU data protection rules is that the Commission can now adopt adequacy decisions also for the law enforcement sector.
With which country does the EU already have adequacy decisions?
The Commission has adopted adequacy decisions for the following countries and Territories: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (Privacy Shield).
The decisions on Canada and the U.S. are "partial" adequacy decisions. The decision on Canada applies only to private entities falling under the scope of the Canadian Personal Information Protection and Electronic Documents Act. The EU-U.S. Privacy Shield framework is a "partial" adequacy decision, as, in the absence of a general data protection law in the U.S., only the companies committing to abiding by the binding Privacy Shield principles benefit from easier data transfers.
What are the criteria to assess adequacy? With which countries will the Commission engage?
Under EU law, an adequacy finding requires the existence of data protection rules comparable to the ones in the EU. It involves a comprehensive assessment of the third country's system, both in terms of the substantive protections applicable to personal data and the relevant oversight and redress mechanisms available in the third country. This also includes the review of the limitations and safeguards applicable to access to personal data by public authorities for law enforcement and national security purposes.
The Communication sets out four key criteria that the Commission should take into account when assessing with which countries a dialogue on adequacy should be pursued:
- the extent of the EU's (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;
- the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
- the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and
- the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.
The Commission will actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea, and, depending on progress towards the modernisation of its data protection laws, with India, and also with countries in Latin America and the European neighbourhood which have expressed an interest in obtaining an “adequacy finding”.
Is adequacy limited in time?
No. Adequacy decisions are "living" documents that need to be closely monitored and adapted in case of developments affecting the level of protection ensured by the third country. Under the General Data Protection Regulation, the Commission will carry out periodic reviews at least every four years, to address emerging issues and exchange best practices between close partners. This dynamic approach applies also to already existing adequacy decisions that will need to be reviewed in case they no longer meet the applicable standard. The EU-U.S. Privacy Shield is subject to an annual joint review.
What are the other tools available for international personal data transfers in the absence of an adequacy decision?
The General Data Protection Regulation offers a 'toolkit' of mechanisms to transfer personal data from the EU to third countries (adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct).
The different mechanisms are flexible enough to adapt to the needs of specific industries or business models.
Standard Contractual Clauses (SCCs) and Binding corporate rules (BCRs)
In the absence of an adequacy decision, transfers between companies can be based on SCCs, while BCRs can be used for transfers within a corporate group. These instruments already exist, but the General Data Protection Regulation simplifies and expands their possible uses. For instance, it will now be possible to use SCCs for "processor-to-processor" transfers. This may be particularly relevant for the processing of personal data by cloud service providers which, for operational reasons, may often transfer personal data outside the EU.
BCRs, which currently are limited to entities within the same corporate group, can now also be used for transfers between different corporate groups engaged in a joint economic activity. This could cover, for example, the transfer of personal data between different flight carriers belonging to the same airline alliance.
These new possibilities should help develop instruments that are better targeted to the needs of particular sectors or industries, business models or operators. In addition, the GDPR further facilitates the use of these mechanisms by abolishing the existing general requirement of notification to and authorisation by national data protection authorities of international transfers based on SCCs and BCRs.
Approved codes of conduct and accredited third-party certifications
New transfer mechanisms such as approved codes of conduct and accredited third-party certifications provide companies with the possibility to introduce tailor-made solutions for international transfers while benefiting from the competitive advantages associated, for example, with a privacy seal or mark.
Transfers can also be based on so-called derogations (e.g. consent, performance of a contract or important reasons of public interest) which entities can use in specific situations. A new derogation has been added by the GDPR for transfers carried out in pursuit of the legitimate interests of a company.
How will the Commission engage with its international partners to promote data protection standards?
The EU data protection legal framework has often served as a point of reference for third countries developing legislation in this field. The EU will continue discussions with its international partners to foster convergence by developing high and interoperable personal data protection standards globally. It will also enhance cooperation with relevant third country privacy enforcement and supervisory authorities to facilitate the effective enforcement of data protection legislation, including through mutual assistance arrangements. This is especially relevant to address common problems of non-compliance with data protection rules or data breaches that affect people in more than one jurisdiction.
- The Commission encourages accession by third countries to the Council of Europe Convention 108 and its additional Protocol. The Convention, which is open to non-members of the Council of Europe and has already been ratified by 50 countries. It is the only binding multilateral instrument in the area of data protection.
- The Commission will engage with important new actors, such as the United Nations Special Rapporteur on the Right to Privacy, and further develop its working relationships with regional organisations such as the Asia-Pacific Economic Cooperation, to foster a worldwide culture of respect for the rights to privacy and personal data protection.
- The Commission will develop international cooperation mechanisms with key international partners to facilitate effective enforcement.
What is the link between the international exchange of personal data and trade agreements?
For the EU privacy is not a commodity to be traded. Dialogues on data protection and trade negotiations with third countries have to follow separate tracks.
At the same time, these can be complementary discussions. In particular, an adequacy decision with a third country guarantees the free flow of personal data thus facilitating commercial exchanges with the third country in question. Adequacy decisions can ease trade negotiations or may complement existing trade agreements thereby amplifying their benefits.
What will the Commission do with respect to personal data exchanges in the law enforcement sector?
The swift exchange of personal data is essential for successful law enforcement cooperation and an effective response to transnational crime. To strengthen legal certainty and build mutual trust amongst law enforcement authorities, these exchanges rely on strong data protection safeguards.
To that end, the Commission will:
- Promote the possibility for adequacy decisions under the Police Directive with qualifying third countries.
- Promote negotiations of agreements in the area of law enforcement with international partners along the model provided by the Umbrella Agreement with the U.S.
- Work to facilitate the cross-border exchange of e-evidence in conformity with data protection rules.
What is the Umbrella Agreement? What are its benefits for international law enforcement cooperation?
The EU-U.S. data protection "Umbrella Agreement" concluded in December 2016 puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-U.S. law enforcement cooperation and restoring trust. It is now important that the U.S. side makes the necessary designations under the Judicial Redress Act, so that the agreement can enter into force as soon as possible.
The Umbrella Agreement is a successful example of how law enforcement cooperation with an important international partner can be enhanced by negotiating a strong set of data protection safeguards. It constitutes the first bilateral international agreement with a comprehensive catalogue of data protection rights and obligations in line with the EU rules. It can therefore serve as a model for the negotiation of similar agreements with third countries not only in the field of judicial and police cooperation, but also in other areas of public enforcement (e.g. competition policy, consumer protection). This would cover both government-to-government exchanges and data transfers between private companies and law enforcement authorities. The Commission will explore the possibility to conclude similar framework agreements with its important law enforcement partners.
For more information