I. Overview on the Latest Developments in International Data Transfers
In today's globalised and digitalised market, the need for organisations to transfer data across borders has become vital. It is essential for conducting business, collaborating with international partners, accessing global markets and serving a diverse global customer base. However, cross-border data transfers raise not only significant privacy concerns but also significant legal complexities, especially in a regulatory environment that has undergone continuous change in recent years. 2023 has been marked by two major events in the area of personal data transfers: the largest GDPR fine ever imposed and a new EU-US adequacy decision.
On the verge of the 5th anniversary of the GDPR, 22 May 2023 marked a significant turning point for international data transfers: the Irish Data Protection Commission (DPC) ordered Meta to suspend its transfers of European users' personal data to the US and imposed a fine of EUR 1.2 billion, the highest GDPR fine ever imposed. The decision was a consequence of Meta's failure to comply with the GDPR requirements for international data transfers. The DPC's order gave Meta five months to suspend future transfers and six months to bring the processing and storage of already-transferred data into compliance. Meta had been relying on standard contractual clauses (SCCs) for its transfers to the US since July 2020, when the Court of Justice of the EU (CJEU) invalidated the Privacy Shield in Schrems II. Following the CJEU's reasoning in that judgment, the DPC found that the SCCs, together with the supplementary measures Meta had put in place, did not address the risks to the fundamental rights and freedoms of data subjects created by US surveillance law.
This decision is a powerful reminder of the potentially far-reaching consequences of infringing the international transfer rules, especially when the infringement is systematic, repetitive and continuous, as highlighted by the former EDPB chair, Andrea Jelinek. Although the Meta fine does not render all international data transfers to the US illegal, it does indicate that data protection authorities will exercise heightened scrutiny and impose more stringent measures on actors transferring personal data outside the European Economic Area (EEA).
New EU - US Adequacy Decision and Data Privacy Framework
A few months after the Meta fine, on 10 July 2023, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (DPF), which concludes that the United States ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to US companies certified under the new framework. This is a major development following the two previous EU-US adequacy decisions (Safe Harbour and Privacy Shield), both of which were invalidated by the CJEU in the Schrems cases.
In this article, we set out the legal challenges and complexities that organisations need to understand and consider when transferring personal data from the EU to third countries, in order to avoid compliance risks and fines.
II. Current Challenges for Organisations
The regulatory landscape surrounding international data transfers has been continuously changing in recent years, imposing different requirements on organisations. This has resulted in significant legal uncertainty, and the outcome is still subject to further adjustments.
For instance, the EU General Data Protection Regulation (hereinafter "GDPR") allows personal data to be transferred outside the European Economic Area only under specific conditions known as international transfer mechanisms. Chapter V of the GDPR (Articles 44 to 49) foresees several such mechanisms:
- Adequacy Decisions: The European Commission may issue adequacy decisions declaring that a particular non-EU/EEA country, territory or sector ensures an adequate level of data protection. If an adequacy decision is in place, personal data can be transferred to that country without any further transfer-specific authorisation or safeguards (the other obligations of the GDPR continue to apply).
- Standard Contractual Clauses (SCCs): SCCs are model data protection clauses approved by the European Commission. They can be incorporated into contracts between the data exporter (in the EU/EEA) and the data importer (outside the EU/EEA). SCCs provide contractual guarantees to ensure that the data transferred is adequately protected.
- Binding Corporate Rules (BCRs): BCRs are internal rules adopted by multinational companies to enable transfers of personal data within their group of companies, including those outside the EU/EEA. BCRs must be approved by the relevant data protection authorities to ensure they provide sufficient protection for the transferred data.
- Derogations: The GDPR includes specific derogations (Article 49) that allow data transfers without appropriate safeguards in certain situations. These include explicit consent from the data subject, the necessity of the transfer for the performance of a contract, and the protection of vital interests, among others. However, these derogations are interpreted narrowly and are intended for occasional, non-repetitive transfers; organisations should ensure that each transfer meets the specific conditions laid out in the GDPR.
For example, personal data transfers from the EU to the US used to be facilitated by two certification-type frameworks covered by adequacy decisions of the European Commission: the "EU-US Safe Harbour" and later the "EU-US Privacy Shield". These frameworks allowed personal data to be transferred from the EU to participating US companies on the basis that the framework provided adequate protection. However, as a result of legal actions initiated by privacy activist Max Schrems, the Court of Justice of the EU (hereinafter "CJEU") issued two landmark rulings, collectively known as the "Schrems Decisions", which invalidated both frameworks (Safe Harbour in 2015, Privacy Shield in 2020). These decisions had a profound impact on organisations transferring personal data to the US, as the previously accepted legal basis for such transfers was no longer valid. Organisations relying on these frameworks had to stop their transfers until they implemented a different mechanism, in practice Standard Contractual Clauses (SCCs).
The challenge with SCCs is that, since Schrems II, they require a Transfer Impact Assessment (TIA): the exporter must assess whether the law and practice of the recipient country undermine the protection the SCCs are meant to provide and, if so, whether supplementary measures can close the gap. Since Schrems II in 2020, companies transferring personal data from the EU to the US have therefore had to rely on SCCs and TIAs. The recently adopted third EU-US adequacy decision re-establishes adequacy as a mechanism for transfers from the EU to the US. What does this mean in practice? Companies wishing to transfer personal data from the EU to the US will be able to do so on the basis of this decision and will not need to carry out a TIA for those transfers. That said, the mechanism is not entirely automatic, as it is a certification scheme: it covers only transfers to US organisations that have certified under the Data Privacy Framework.
Therefore, for a company to be able to rely on the EU-US adequacy decision for its personal data transfers, the US recipient must be certified. US companies self-certify their participation in the EU-US Data Privacy Framework with the US Department of Commerce by committing to comply with a detailed set of privacy obligations. These include privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and onward sharing of data with third parties. An EU exporter should verify, before relying on the decision, that the recipient appears on the Department of Commerce's DPF list and that the certification covers the categories of data being transferred. The obvious worry is the uncertainty surrounding this third decision. If and for how long will it remain in place? For how long will organisations be able to rely on it for their personal data transfers? What are the chances that Schrems challenges the validity of this decision as well, and that the CJEU invalidates it too?
The evolving requirements have also introduced an increased administrative burden on organisations. Complying with the new obligations and constantly adapting existing frameworks demands significant time, resources, and expertise. This includes conducting legal research, staying updated on the latest requirements and interpretations, conducting risk assessments on data protection levels in different countries, and implementing necessary safeguards.
The complexity of the legal landscape adds another layer of challenge. Different jurisdictions have their own privacy laws and regulations, each with their own requirements for international data transfers (for example, see the data localisation requirement in Russia or the need for a license in Egypt). Organisations need to navigate and understand the specific legal frameworks applicable to their operations and align their business operations accordingly, which can be daunting and time-consuming. This complexity further emphasises the need for organisations to seek legal counsel, conduct thorough assessments, and ensure compliance with the evolving requirements.
The level of complexity increases for international companies that have to comply not only with the GDPR but also with other applicable data privacy regulations that impose their own personal data transfer mechanisms. Two examples are Brazil, whose LGPD (Lei Geral de Proteção de Dados Pessoais) entered into force in 2020 and introduced a transfer mechanism requirement while leaving its definition to the National Data Protection Authority (ANPD); and China, whose new data privacy law, the PIPL, was enacted in August 2021 and was followed by the Cyberspace Administration of China (CAC) releasing the Standard Contract Measures for the Export of Personal Information. The questions are: how compatible are those transfer mechanisms with the ones established by the GDPR? How can these transfer mechanisms coexist in the same company? International companies will need local privacy experts in addition to GDPR experts to ensure compliance with the different regulations without breaching one of them in order to comply with another.
Navigating these challenges requires ongoing diligence, resources, and a proactive approach to ensure compliance with the ever-changing regulatory landscape.
While TIAs may no longer be relevant for transfers to third countries covered by an adequacy decision, such as the recent EU-US one, they remain applicable to any international personal data transfer where there is no adequacy decision and the transfer relies on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Examples of such countries are India, China and Brazil. In the next section, we take a closer look at the what and how of TIAs.
III. Closer Look: Transfer Impact Assessments (TIA)
Transfer Impact Assessments (TIAs) have emerged as a mandatory instrument for compliant international data transfers under the GDPR: the 2021 SCCs require the parties to document that they have assessed the law and practice of the destination country. These assessments evaluate the transfer's components, the applicable legal requirements and the data protection risks in the recipient country. Their ultimate goal is to ensure that the rights and freedoms of the individuals whose personal data is transferred outside the EEA are adequately protected in the importer's country as well.
Building on the CJEU's Schrems II judgment, the European Data Protection Board (EDPB) set out a six-step methodology in its Recommendations 01/2020, which many industry bodies have adopted in their own templates. The methodology takes into account factors such as the nature of the data being transferred, the purpose of the transfer, the level of data protection in the recipient country, and the presence of any supplementary measures that can enhance data protection.
What does this mean in practice for organisations?
Conducting a TIA is a proactive measure that organisations must undertake to comply with data protection regulations and mitigate potential risks. It involves a systematic evaluation of the data transfer, the recipient country's data protection laws and practices, and the adequacy of the safeguards in place. The TIA helps organisations identify and address potential weaknesses, protecting individuals' privacy rights and maintaining compliance.
In practice, this means organisations must scrutinise each of their data transfers against these factors, which requires a significant investment of time and resources. The assessment involves examining the data protection laws and practices in the recipient country (in particular public authorities' powers to access the data), evaluating the resulting risks, and implementing the safeguards necessary to mitigate them. The outcome must be documented and made available to the supervisory authority on request.
TIA Components and Methodology
During the TIA process, several components are assessed to ensure the adequacy of data protection. These may include:
- Nature and Sensitivity of Data: The assessment considers the type of data being transferred, such as personal, sensitive, or confidential information. The more sensitive the data, the higher the level of protection required.
- Recipient Country's Legal and Jurisdictional Framework: The TIA evaluates whether the legal system and data protection laws of the recipient country, including laws granting public authorities access to data, undermine the protection of the personal data in scope of the transfer. If the recipient country is covered by an adequacy decision, this analysis is not needed because the Commission has already carried it out.
- Safeguards and Transfer Mechanisms: The TIA examines the transfer tool relied on (standard contractual clauses or binding corporate rules) and the supplementary measures that complement it, such as encryption or pseudonymisation. A practical caveat from the EDPB recommendations: encryption is only an effective supplementary measure if the importer, and any authority that could compel it, cannot obtain the keys, which in practice means the keys remain solely under the exporter's control in the EEA; encryption that the importer can decrypt in the normal course of processing does not address the legal-access risk.
- Security Measures and Technical Standards: The assessment evaluates the technical and organisational security measures implemented to protect the data from unauthorised access, loss or alteration, both in transit and once the data is held by the importer.
- Access and Redress Mechanisms: The TIA examines the availability of effective access and redress mechanisms for individuals whose data is transferred. This includes the ability to exercise their rights, such as the right to access, rectify, or delete their personal data.
While TIAs are a very burdensome task for many organisations, they do provide a structured approach to assessing and mitigating the risks associated with international data transfers and to demonstrating compliance with the GDPR. They can also enhance an organisation's reputation for data privacy and security, which is increasingly important in our data-driven world. However, these assessments can be complex and costly, especially for small and medium-sized enterprises that may lack the necessary resources and have to outsource the work. There is also the question of whether these assessments are truly effective in protecting data privacy during international transfers. While they support compliance, the assessments themselves do not guarantee sufficient data protection, especially where the recipient country's laws or practices are deficient or volatile and no supplementary measure can realistically close the gap.
Embracing SaaS solutions and automation can be a game changer: automating laborious GDPR compliance tasks saves time and effort and reduces compliance risk. iReina leverages cutting-edge technology and deep regulatory expertise to help you automate the complex. Contact us if you want to learn more about how iReina can help you with your GDPR compliance in a smart, easy and high-quality way.