General Principles and Mechanisms of Data Transfers

General Principles and Mechanisms of International Data Transfers

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, and consulted and to what extent the personal data will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. [1] Parallel to general data protection norms, the same general rules should be followed when it comes to international data transfers. When personal data are transferred from the Union to controllers, processors or other recipients in third countries, the level of protection of natural persons ensured in the Union by GDPR should not be undermined. In any event, transfers to third countries and international organisations may only be carried out in full compliance with GDPR Chapter V (Articles 44-49).

I.  Legal Basis

Data protection in Europe began in the 1970s when certain nations (such as France, Germany, the Netherlands, and the United Kingdom) enacted national legislation to regulate the collection of personal data. Later, the EU adopted several data protection instruments, the most notable of which was Directive 95/46/EC (European Parliament and The Council of European Union, 1995). In this way, data protection has become a legal requirement. The year 2016 marked a key moment in the EU’s reform of data protection legislation. Various mechanisms that create opportunities for relatively secure data transfer to third parties have been enriched with diversified tools to protect against data transfer misuse: adequate solutions, common contractual clauses, derogations, mandatory company rules, certification mechanisms, codes of conduct, and so on.[2]

The right to data protection is regarded as a fundamental right in EU primary legislation. However, the right to personal data protection is not an absolute right; it must be assessed against other fundamental rights and examined in relation to their purpose in society, according to the concept of proportionality.[3]

GDPR Article 6 “Lawfulness of processing”, GDPR Article 9 “Processing of special categories of personal data”, and GDPR Chapter V (Articles 44-49) “Transfers of personal data to third countries or international organizations” are the main provisions to follow for data transfers from the EEA to third countries.

Controllers and processors must examine whether the GDPR’s general requirements for data transfers are met when sending data to a third country or an international organization. Furthermore, the extra criteria outlined in Chapter V of the GDPR must be considered.[4] Controllers and processors must also be able to show data subjects and data protection supervisory bodies that they are implementing these measures. This is the so-called principle of accountability.

1. Lawful Processing

Article 6 of the European Data Protection Directive 95/46/EC provides that personal data must be processed ‘fairly and lawfully’. The concept of fair processing is partially explained in Recital 38 of the Directive:

“(38) Whereas, if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.”

Those who process personal data (data controllers) have the right to do this as long as they do it in accordance with the procedural regulations. Individuals are protected by data-protection laws, not from data processing per se, but from the unjustified collection, storage, use, and distribution of their personal data. Data protection law focuses on the operations of processors and imposes some limitations on their accountability, thereby regulating an acceptable exercise of power. The requirement of individual consent for the processing of data is the cornerstone for compliance with legal obligations in all situations where the processing is not necessary for the performance of a contract to which the data subject is a party.[5] In a nutshell, lawful data processing means that personal data should be processed based on the data subject’s consent or another legitimate basis set out by law, either in GDPR or in other Union or Member State law as referred to in GDPR Article 6.

2. Lawful Transfer

Lawful transfer means that transfers to third countries and international organisations may only be carried out in full compliance with the GDPR, and that the level of protection of natural persons should be maintained in any transfer. This rule aims to protect the privacy of people in the EEA not only in Europe but all over the world. The concept of lawful transfer is the starting point of the ongoing problems related to data transfer. The main reason for these problems is that the data protection regulations in other countries cannot provide the same level of protection provided by the EU, or that the third countries have some other data protection enforcements contrary to GDPR.

The European Commission has a crucial duty to decide whether a third country, a territory or specified sector within a third country, or an international organisation offers an adequate level of data protection. The Commission may also recognise that a third country no longer ensures an adequate level of data protection. As the responsible authority, the European Commission is the interpreter and controller of the lawful data transfer concept, and the provider of the proportionality of the lawful transfer.


[1] GDPR Recital 39, Principles of Data Processing.

[2] Veronika Stoilov, Regulation of international data transfers under EU data protection law, Centre for European Studies Working Paper Series, 2021, Page 1 (4).

[3] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, EDPB, Page 9.

[4] Federal Commissioner for Data Protection and Freedom of Information, International data transfers.

[5] Directive 95/46/EC of the European Parliament and of the Council, Data Protection Directive, Articles 10 and 11.
