International Data Transfer Mechanisms

Various legal procedures are available under the GDPR to secure such transfers in light of the overarching goal of ensuring a specific level of protection. Controllers or processors wanting to transfer personal data outside of the EU (‘data exporters’) have to follow a ‘two-step’ approach, as highlighted by the EDPB.[1] First, data exporters must comply with all GDPR obligations for personal data processing, such as the basic data protection principles of Article 5 GDPR and the requirement of a legal basis under Article 6 GDPR. The second step covers the special rules of the GDPR’s transfer regime, which a data exporter also has to follow. These essentially require data exporters to select one of the several transfer mechanisms available and to ensure that fundamental rights are protected to the highest level possible. Among the different legal transfer mechanisms available, the GDPR provides a multi-tiered framework.[2]

Chapter V of the GDPR offers three basic pathways for a legal international transfer of data.[3] These include:

1- Transfers on the basis of an ‘adequacy decision’ by the European Commission (EC) (GDPR Article 45);

2- Transfers subject to ‘appropriate safeguards’ provided by the controller/processor, on condition that enforceable data subject rights and effective legal remedies for data subjects are available (GDPR Articles 46 and 47);

3- Derogations for specific situations (GDPR Article 49).

1.  Adequacy Decisions

“‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU.

An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does.”[4]

Adequacy decisions are adopted by the Commission and declare ‘a third country, a territory or one or more specified sectors within that third country, or the international organisation in question’ as adequate from the perspective of the GDPR.[5] Under the GDPR, the European Commission is the only authority that can decide on the adequacy of a third country’s rules. The Commission may declare, with effect for the entire Union, that a third country provides an adequate level of data protection, ensuring legal certainty and uniformity throughout the Union in relation to that third country. In such cases, personal data transfers to that third country may be conducted without any requirement for additional authorisation.[6] In other words, the result of an adequacy decision is that personal data can flow freely from the EU (as well as Norway, Liechtenstein, and Iceland) to that third country without any additional safeguards.

The adoption of an adequacy decision involves:[7]

  • a proposal from the European Commission
  • an opinion of the European Data Protection Board
  • an approval from representatives of EU countries
  • the adoption of the decision by the European Commission

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom under the GDPR, and Uruguay as providing adequate protection. The United States was one of these countries until 16 July 2020. The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield. In its judgment of 16 July 2020 in Facebook Ireland v. Schrems (Schrems II), the Court of Justice of the European Union (CJEU) invalidated that adequacy decision.[8][9] The court determined that the Privacy Shield transfer mechanism does not provide the level of protection required under EU law.

When assessing the adequacy of the level of protection, the European Commission should follow the criteria set out in Article 45 of the GDPR. In line with the Union’s fundamental values, including the protection of human rights, the Commission should consider how the third country respects the rule of law, access to justice, and international human rights norms and standards, as well as its general and sectoral law, including legislation concerning public security, defence, and national security. Another criterion is the existence and effective functioning of independent supervisory authorities in the third country, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, and for assisting and advising data subjects in exercising their rights. The third country should provide guarantees ensuring an adequate level of protection that is essentially equivalent to the level in the EEA, particularly where personal data is processed in one or more specific sectors. The Commission should also take into account any other obligations arising from international commitments or legally binding agreements entered into by the third country, in particular concerning the protection of personal data.

The European Commission may decide to repeal, amend or suspend an adequacy decision if a third country or an international organisation no longer ensures an adequate level of protection. Adequacy decisions should include a mechanism for periodic review of their effectiveness. This periodic review should be carried out in conjunction with the third country in question, and it should take into consideration all relevant developments in that country.[10]

2.  Appropriate Safeguards

“Recital 108 and Article 46 (1) GDPR provide that in the absence of an EU adequacy decision, a controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. A controller or processor may provide appropriate safeguards, without requiring any specific authorisation from a supervisory authority, through its use of one of the transfer tools listed under Article 46 (2) GDPR, such as standard data protection clauses.”[11]

Article 6 identifies five factors that a data controller must evaluate when deciding whether data processing (without the agreement of the data subject) is identical to the original collection purpose. “The existence of appropriate safeguards, which may include encryption or pseudonymisation,” is the fifth of those five factors. Article 46 elaborates on the appropriate safeguards referred to in Article 6 in the context of international data transfers and clarifies the limited scenarios in which they can be used.

Binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority, and contractual clauses authorised by a supervisory authority are all examples of appropriate safeguards.

a) Standard Contractual Clauses (SCCs)

Standard Contractual Clauses (SCCs) are one of the safeguards that help ensure continued compliance with GDPR requirements for the international transfer of data while preserving the free flow of personal data. SCCs are standard sets of contractual terms and conditions that both the sender and the receiver of personal data agree to, ensuring that individuals’ rights and protections are preserved. Standard Contractual Clauses are designed to protect personal data that is transferred outside of the European Economic Area (EEA) to countries that do not have an adequacy decision and hence may not provide the same degree of protection. SCCs that have been “pre-approved” by the European Commission ensure, through contractual obligations, that data is protected to the level required by the GDPR.

“On 4 June 2021, the European Commission adopted two sets of standard contractual clauses, one for the use between controllers and processors within the European Economic Area (EEA) and one for the transfer of personal data to countries outside of the EEA.”[12] “These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs. Until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021.”[13] These new SCCs provide a high level of data protection for individuals by reflecting the new requirements of the GDPR and taking into account the Schrems II judgment of the Court of Justice.

To put it simply, SCCs are fixed (ready-made) contracts approved by the European Commission, whose parties are the data exporter (sender) and the data importer (receiver), in which the parties undertake to provide the level of protection required under the GDPR. There are also SCCs adopted by national data protection authorities. Article 28(8) of the GDPR empowers national data protection authorities to adopt SCCs for the relationship between controllers and processors. However, these SCCs apply only within the territory where that authority exercises its powers. Such SCCs can only be used between parties if the data protection authorities of both parties have approved them as safe.

Data transfers between the EU and the United States of America (hereafter: US) constitute an important part of international data transfers. After the invalidation of the Privacy Shield adequacy decision between the EU and the US, global companies and organisations such as Amazon, Facebook (Meta), and Google cannot freely transfer EU customers’ data to the US. Companies that cannot use the adequacy decision mechanism see SCCs as the most convenient mechanism for international data transfer. Therefore, Standard Data Protection Clauses are more critical than before. SCCs are by far the most used data transfer instrument for European companies. According to the IAPP-EY Annual Privacy Governance Report 2019, “the most popular of these [transfer] tools – year over year – are overwhelmingly standard contractual contracts: 88% of respondents in this year’s survey reported SCCs as their top method for extraterritorial data transfers”. This is because SCCs, unlike other compliance mechanisms, do not require prior authorisation by a national data protection authority. The other mechanisms are also typically more costly to implement than SCCs. The parties (data importers and data exporters) may add additional clauses to the SCCs or include them in a larger commercial contract, as long as the other contractual clauses do not directly or indirectly contradict the SCCs or jeopardise data subjects’ rights. Likewise, parties can delete modules and/or options that do not apply to their situation.

“In Standard Contractual Clauses, the data importer agrees and warrants:

  • to process the personal data only in compliance with the exporter’s instructions
  • to submit its data-processing facilities for audit by the exporter or another body
  • to implement the agreed technical and organisational security measures
  • to obtain prior consent from the exporter in the event of sub-processing”

In July 2020, the ECJ not only declared the Privacy Shield adequacy decision invalid but also attached crucial conditions to the use of SCCs in that decision.[14] The ECJ held that all transfer mechanisms listed in Article 46 GDPR must provide a level of protection “essentially equivalent” to that guaranteed within the EU. The ECJ further concluded that if the required level of protection cannot be ensured, the competent supervisory authority must suspend or prohibit a third-country transfer based on SCCs.

The updated clauses have kept the basic features of the SCCs approved under the previous Data Protection Directive. At the same time, significant revisions have been made. Unlike the prior SCCs, which were limited to transfers from controllers to controllers and from controllers to processors, the modernised SCCs can be applied in all of the following scenarios: Controller to Controller (Module 1), Controller to Processor (Module 2), Processor to Processor (Module 3), and Processor to Controller (Module 4). A docking clause now permits new parties to join the SCCs throughout the lifecycle of the contract. Under the modernised SCCs, the parties must conduct a “transfer impact assessment,” which documents the specific circumstances of their transfer, the laws of the destination country, and the additional protections they put in place to protect personal data. Another important change is that data exporters now have obligations to provide information about, and object to, unlawful requests where public authorities seek access to the transferred data.[15]

b) Binding Corporate Rules (BCRs)

Binding corporate rules (BCR) are another international data protection mechanism used by EU-based companies when transferring personal data outside the EU within a group of organisations or companies. To ensure appropriate safeguards for data transfers, such policies must contain all general data protection principles.[16] They must be legally binding on, and enforced by, all group members. Binding Corporate Rules can be defined as “internal rules (such as a Code of Practice) followed by a multinational group of corporations for international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”[17]

Companies must submit their binding corporate rules to the competent EU data protection authority for approval. The BCRs are approved by the authorities in accordance with the consistency mechanism of Article 63 GDPR. As the group of companies applying for approval of its BCRs may have legal entities in more than one member state, more than one supervisory authority may be involved in the approval. The group of companies that chooses the BCR mechanism for international data transfers submits the draft rules it has prepared for its own needs to the competent authorities. The lead authority reviews the application and sends its draft decision to the European Data Protection Board, which provides an opinion on the binding corporate rules. This step is likely the most extensive and requires close cooperation with the lead authority. After these steps, the competent authority approves the BCRs once they have been finalised in accordance with the EDPB opinion.

When companies or organisations choose SCCs as the data transfer mechanism, the burden of demonstrating that the local importer materially complies with the SCC obligations is placed on the exporting data controller. This implies that the data exporter must assess the risk that its data recipients may be compelled to surrender personal data to national security agencies.[18] Therefore, although standard contractual clauses are the most commonly used mechanism because of their ease of implementation, binding corporate rules may be a more robust alternative. In the BCR mechanism, the data protection assessment is carried out by the supervisory authorities. Companies choosing the BCR mechanism can rely on an adequacy confirmation issued by the competent authority in consultation with the EDPB, while those using SCCs can only rely on their own (self-)assessment.

The BCR mechanism, the so-called “gold standard”, is a convenient option that increases operational efficiency for corporate groups. However, BCRs do not cover international transfers of personal data to companies outside the corporate group. This means that BCRs are not the right solution for all companies, especially small, non-transnational companies. The other disadvantage of BCRs is that the approval procedure can be complex and time-consuming.

3.  Derogations

Companies or organisations have to choose one of the data transfer mechanisms for international data transfers. However, GDPR Article 49 sets out exceptions for certain situations. In the absence of an adequacy decision or an appropriate safeguard (standard contractual clauses or binding corporate rules), a transfer of personal data to a third country may take place only under one of the conditions set out in GDPR Article 49.

“When applying Article 49 one must bear in mind that according to Article 44 the data exporter transferring personal data to third countries or international organizations must also meet the conditions of the other provisions of the GDPR. Each processing activity must comply with the relevant data protection provisions, in particular with Articles 5 and 6. Hence, a two-step test must be applied: first, a legal basis must apply to the data processing as such together with all relevant provisions of the GDPR; and as a second step, the provisions of Chapter V must be complied with.”[19] Data exporters should first explore the possibility of framing the transfer under one of the mechanisms in Articles 45 and 46 GDPR, and only in their absence rely on the derogations provided in Article 49. Under the general legal principle that exceptions are to be interpreted restrictively, these exceptional cases are limited to those listed in Article 49. The wording of Article 49’s title, which indicates that the derogations apply to specific situations, supports this reading.

The specific conditions under which a derogation applies are as follows: (1) explicit consent of the data subject (after being informed of the possible risks of the transfer), (2) the transfer is necessary for the performance of a contract between the data subject and the controller, (3) the transfer is necessary for the performance of a contract concluded in the interest of the data subject between the controller and another natural/legal person, (4) the transfer is necessary for important reasons of public interest, (5) the transfer is necessary for the establishment/exercise/defence of legal claims, (6) the transfer is necessary in order to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent, (7) the transfer is made from a public register.[20]

In the absence of the other international data transfer mechanisms, a third-country transfer may take place only if:

  • the transfer is not repetitive,
  • concerns only a limited number of data subjects,
  • is necessary for the controller’s compelling legitimate interests to be pursued, which are not outweighed by the data subject’s rights and freedoms,
  • the controller has assessed all the circumstances surrounding the data transfer and has based on that assessment provided suitable safeguards with regard to the protection of personal data.

In addition, if this derogation is relied upon, the controller shall fulfil the following responsibilities:

  • inform the supervisory authority of the transfer,
  • in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.[21]

[1] EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’ (25 May 2018), p. 3.

[2] Christopher Kuner, ‘Article 45’, in Kuner/Bygrave/Docksey (eds.), The General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p. 774.

[3] Laura Bradford, Mateo Aboy and Kathleen Liddell, ‘International transfers of health data between the EU and USA: a sector-specific approach for the USA to ensure an adequate level of protection’, Journal of Law and the Biosciences (October 2020), p. 6.

[4] ICO official website, ‘What is Adequacy’.

[5] Article 46 GDPR.

[6] Recital 103, GDPR.

[7] Official website of the European Union, ‘Adequacy decisions: How the EU determines if a non-EU country has an adequate level of data protection’.

[8] Official website of the European Union, ‘EU-US data transfers’.

[9] C-311/18 – Facebook Ireland and Schrems (Schrems II), ECLI:EU:C:2020:559.

[10] GDPR, Recital 106 – Monitoring and Periodic Review of the Level of Data Protection.

[11] European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, Version 2.0, adopted on 18 June 2021, p. 7.

[12] The New Standard Contractual Clauses – Questions and Answers.

[13] Official website of the European Union, ‘Standard contractual clauses for data transfers between EU and non-EU countries’.

[14] C-311/18 – Facebook Ireland and Schrems (Schrems II), ECLI:EU:C:2020:559.

[15] The European Union, The New Standard Contractual Clauses – Questions and Answers, p. 11.

[16] Official website of the European Union, ‘Corporate rules for data transfers within multinational companies’.

[17] Yihan Dai, Cross-Border Data Transfers Regulations in the Context of International Trade Law: A Perspective (Springer 2022), p. 71.

[18] Baker McKenzie Publications, ‘Binding Corporate Rules’, 2020.

[19] European Data Protection Board, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, adopted on 25 May 2018.

[20] Christopher Kuner, ‘Article 49’, in Kuner/Bygrave/Docksey (eds.), The General Data Protection Regulation (GDPR): A Commentary, pp. 847-852.

[21] Christopher Kuner, ‘Article 49’, in Kuner/Bygrave/Docksey (eds.), The General Data Protection Regulation (GDPR): A Commentary, p. 841.
