DIGITALEUROPE response to public consultation on Article 29 Working Party draft guidelines on Article 49 of Regulation 2016-679
DIGITALEUROPE is pleased to provide its comments on the Article 29 Working Party’s (WP29) draft guidelines on derogations for transfers of personal data to third countries or international organisations under Art. 49 of the General Data Protection Regulation (GDPR).
Ensuring the viability of international data transfers in a way that preserves effective protection of fundamental rights under EU law is a top priority of DIGITALEUROPE members. In line with the current Directive, the GDPR sets out a strict set of conditions for such transfers, but also a number of instruments to enable them. It is vital that these instruments remain effective as established by law and that organisations can rely on sufficient flexibility to implement them subject to the relevant legal safeguards.
In this vein, we would like to submit our comments in areas where we feel the draft guidelines go beyond the letter of the GDPR or where we’d like to put forward different interpretations of the text.
General framework and consistent interpretation
As an overarching comment, we believe that the draft guidelines incorrectly identify some general principles applicable to all international data transfers based on Art. 49. They do so by extending principles and conditions that are applicable only to specific derogations to all derogations.
For instance, p. 4 of the draft guidelines is devoted to the occasional and not repetitive nature of the transfers, implying this is one essential principle that should apply throughout Art. 49. However, the term ‘occasional’ (closely linked to the term ‘necessary’, which is the term used in Art. 49(1)(b), (c), (d), (e) and (f)) is only used in Recital 111 in relation to the contract and legal claim derogations; similarly, the term ‘not repetitive’ is used in Art. 49(1)(2) specifically in relation to the compelling legitimate interest derogation. We are concerned that this approach will unduly restrict organisations’ ability to use some of the instruments made available by the GDPR.
The GDPR sets out various ways in which organisations can transfer personal data outside the Union. These comprise: adequate level of protection under adequacy decisions (Art. 45); the provision of appropriate safeguards, including binding corporate rules (BCRs), standard contractual clauses (SCCs) and approved codes of conducts or certification mechanisms (Arts. 46-47); and derogations including explicit consent, performance of a contract, important reasons of public interest and compelling legitimate interests (Art. 49).
As stated in the draft guidelines (p. 3), the GDPR provides for a ‘layered approach’ to transfers whereby adequacy should be preferred to appropriate safeguards, which in turn should be preferred to derogations. However, within this matrix and the general principles of Art. 44, each of the derogations is subject to specific conditions that should be considered individually. From this perspective, the statement in the draft guidelines (p. 4) that derogations should be an exception applicable when adequacy or appropriate safeguards are not in place should not be linked to the occasional or not repetitive nature of the transfer – a derogation acts as an exception when
the other two mechanisms are not available, and only when the conditions for the specific derogation require transfers to happen occasionally and not repetitively should such conditions apply.
Derogations and level of protection
Although Recital 101 and Art. 44 enshrine the general principle that the Chapter V provisions should be applied in a manner that ensures the GDPR’s level of protection is not undermined, the derogations from letter (a) to letter (g) in Art. 49(1) always refer to situations where appropriate protection cannot be guaranteed, given the lack of an adequacy decision or appropriate safeguards, but the transfer can nevertheless occur under particular conditions.
The very fact that adequate protection cannot be guaranteed informs the structure and elements of Art. 49 so that appropriate counterbalances are in place to minimise negative impacts on the data subject’s fundamental rights, in line with Art. 44. Such counterbalances normally consist in the fact that the transfer is related to specific purposes that are deemed to be worthy of consideration, including: the fact that the data is necessary for a contract (letters b and c); the existence of important reasons of public interest (letter d); the relevance of the data to legal claims (letter e); the protection of vital interests (letter f); or providing information to the public under conditions laid down in EU or Member State law (letter g).
In other words, as a rule Art. 49 ensures GDPR protections are not undermined by attaching strict conditions to the derogations, so that these are only available in cases when risks for data subjects are minimal or justified by specific purposes. In those circumstances where this is not possible, because the derogation is less specific as to the nature of the data at hand, Art. 49 ensures coherence with the rest of the GDPR by: 1) specifying a duty of transparency about the potential risks of the transfer necessary to receive an informed, explicit consent from the data subject (letter a); and 2) setting stricter conditions around non-repetitiveness, limited number of data subjects and the provision of ‘suitable’ (not ‘appropriate’) safeguards for compelling legitimate interests, including an obligation to inform the supervisory authority (second subparagraph of Art. 49(1)).
The above structure and conditions are put in place to ensure that risks to fundamental rights are mitigated and the GDPR protections are not undermined. However, given the rationale and purpose of the derogations, in no way can this guarantee that data subjects will continue to benefit from the same safeguards to which they are entitled under Arts. 45-47.
The extension of specific requirements to all instruments is particularly problematic when it comes to the explicit consent derogation. While we agree that organisations will as a rule want to rely on adequacy, SCCs or BCRs, in some cases consent may be the only viable instrument for transfers; therefore, it is important that the rationale for consent and its specific meaning under Art. 49(1) be correctly interpreted.
In addition to the general conditions for consent, the only (albeit fundamental and rigorous) condition attached to such derogation under Art. 49(1)(a) is that the data subject be informed of the possible risks of transfers based on explicit consent, given that: a) the data will be moved to a third country or organisation that does not ensure an adequate level of protection; and b) no appropriate safeguards are in place.
The specific language for the explicit consent derogation is clear on the fact that this derogation applies to transfers that by their very nature do not provide an adequate level of protection nor appropriate safeguards. In light of the inherent risk posed by such transfers, Art. 49(1)(a) requires additional transparency for the data subject on such possible risks and the data subject’s explicit informed consent to the transfer to occur in spite of such risks.
Put differently, the explicit consent derogation aims to give data subjects the option of consenting to transfers that expose them to risks compared to the level of fundamental rights protection ensured by the GDPR, provided the ‘high threshold’ (p. 8 of the draft guidelines) of being informed of the implications of doing so is met. An interpretation of this derogation that would ‘never lead to a situation where fundamental rights might be breached’ (p. 3 of the draft guidelines) would defeat the very logic of the derogation, which does not seek to eliminate risks but to allow data subjects to make an informed choice.
Information necessary to obtain consent
We welcome the WP29’s clarification concerning the necessary information to be provided to data subjects so as to enable them to express their informed consent. In particular, we welcome the indication that such information could be standardised. It is important that the information provided be clear about the basic implications of the transfer compared to the GDPR provisions, and data controllers or processors should have sufficient flexibility to ensure the right balance is achieved between ensuring transparency and the actual relevance of the information presented.
Compelling legitimate interests
In the context of the compelling legitimate interest derogation, the draft guidelines include the existence of ‘suitable safeguards’ within the balancing test between the controller’s compelling legitimate interests and the interests, rights or freedoms of the data subject. While the existence of suitable safeguards is essential for the derogation to apply, we believe it should be considered as a separate requirement attached to the derogation rather than included in the balancing test itself. While some of the elements may be the same for both, e.g. nature of the data, purpose for processing or situation in the third country, when applied to suitable safeguards they serve the purpose of identifying relevant protective measures for the specific situations; conversely, such elements serve to assess the legitimacy of the controller’s interests in wanting to move the data when applying the balancing test. Although linked, the two levels are logically different and shouldn’t be confused.
Article 48 And Derogations
DIGITALEUROPE welcomes the WP29’s reinstatement of the relationship between Chapter V and requests from foreign law enforcement. Our association has been actively engaged in the defence of transfers based on MLATs or similar international agreements, including in relevant court cases in third-country jurisdictions.