Data Protection Report - Norton Rose Fulbright

On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment.  The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.), unless (2) the receiving entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR.  For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework.  However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations.

The February 12 draft guidance for public comment addresses each of the exemptions specified in Article 49.  All corporations that are subject to GDPR should review and digest the draft guidance and consider providing comment.

A brief overview of the draft guidance is detailed below:

  • Article 45 (adequacy findings, such as the EU/US Privacy Shield) and Article 46 (appropriate safeguards, such as Standard Contractual Clauses) should be relied on in preference to the derogations. This is not new, but use of the words “first endeavor possibilities to frame the transfer” through one of these mechanisms acknowledges that this is often not possible in cross border regulatory, law enforcement, or litigation disclosures but does not clarify the lengths to which an exporting controller must go before concluding it is not possible to have a counterparty use one of these tools.
  • Article 48 (transfers not authorized by EU law) must be taken into account. This article appears to discourage relying on a non-EU court judgment as a basis for disclosure unless made pursuant to an international treaty such as a mutual legal assistance treaty. The guidance retains the ambiguity of the provision by not ruling out the ability to make a transfer in such circumstances under the other derogations (although it is clear that this will be a delicate exercise).  However, given the EU Commission’s statements in its amicus brief in the US Supreme Court US v. Microsoft that a treaty is not required if the transfer complies with a derogation under Article 49 and the guidance only requires “referring” requesting parties to applicable treaties, it does not appear that Article 48 mandates the use of treaties in order to comply with GDPR.  See Nowak, Khan and Kessler Article.
  • Consent (Article 49(1)(a)). The conditions for valid consent are defined in Articles 4(11) and 7.  Consent to a transfer made under this derogation must be (1) explicit, (2) specific to the particular data transfer or set of transfers, and (3) informed, particularly as to the possible risks of the transfer (going as far as to suggest the wording should explain which rights will not be available in the third country, which must be specifically identified).  The guidance follows the GDPR’s general goal of imposing a high threshold for obtaining a valid consent that allows the processing or transfer of Personal Data, and will make it much harder to argue that broad general export consents are effective.
  • Contractual Necessity (Article 49(1)(b) and (c)). For this exception to apply, the transfer must be both “occasional” and “necessary” in relation to the contract.  The term occasional is defined on a case-by-case basis but does not include transfers that are ongoing or repetitive.  For the transfer to be “necessary,” the guidelines state that there must be a “close and substantial connection between the data transfer and the purposes of the contract.”  For example, a travel agent may, on a one-off basis, transfer a traveler’s information to an airline or hotel in a third country.
  • Public Interest (Article 49(1)(d)). The guidance explicitly states that private entities can rely on this derogation.  However, although it does not provide a definitive test as to when it would apply, the guidance appears to say that the public interest must be that of the EU or an EU member state and takes a restrictive interpretation (suggesting there must be some form of reciprocity with the importing country in relation to the interest pursued).
  • Establishment of Legal Claims (Article 49(1)(e)). Again, the “occasional” and “necessary” requirements apply.  Transfers may be allowed in connection with the “establishment, exercise or defense of legal claims.”  This exception encompasses cases where the transfer relates to a legal defense and, importantly, the guidance explicitly incorporates pre-trial discovery procedures in litigation.  In addition, it may also cover transfers in the context of transactions, such as mergers.  However, this exception is limited and cannot be used on the “mere possibility” that litigation or legal proceedings may occur in the future.  Nor can it be used simply to obtain “goodwill” from a regulator.  Further, the transfer of data must be necessary to the legal proceeding; where possible, data should be shared in an anonymized or pseudonymized form; and a party should seek to have the requesting party use a treaty where one is available (which has an impact on Art. 49).
  • To Protect the Vital Interests of Persons Incapable of Consent (Article 49(1)(f)). This exception applies in the case of a medical emergency where the transfer is necessary to provide required medical care.  Here, WP29 acknowledges that the risk of serious harm to the individual outweighs data protection concerns.  This derogation does not apply in cases of general medical research, and its applicability is limited to instances where the data subject is incapable of giving consent.
  • Public Register (Article 49(1)(g) and (2)). This exception allows for the transfer of personal data from registers, which are “(written) record[s] containing regular entries of items or details” or official lists or records of names or items (includes information stored in written or electronic form).  The register in question must be intended to provide information to the public and be open to consultation by the public in general or any person who can demonstrate a legitimate interest.  Private registers, which are the responsibility of private bodies, are not covered by this exception.
  • Compelling Legitimate Interests (Article 49(1) and (2)). This permits the transfer of data if it is necessary for the purposes of compelling legitimate interests pursued by the data exporter.  The guidance states that this exemption is intended as a last resort, available only where such a transfer could not be based on Articles 45 or 46 or any of the other derogations specified in Article 49.  Further, this derogation only applies to occasional transfers concerning a limited number of data subjects.  To fall within this derogation, Personal Data exporters are required to balance their compelling interest against the rights of data subjects.  This provision essentially requires data exporters to fully assess the circumstances of the transfer, the nature of the data, and whether suitable safeguards are in place, as these will attenuate the risk to data subject rights.  Finally, the data controller must inform the data subject of the transfer and the compelling interest pursued, and must notify (but not obtain prior authorization from) its data protection authority that it is relying on the derogation.

The Article 29 Working Party warns that these exceptions will be interpreted narrowly and should only be used for “occasional” transfers of data.  Indeed, the guidance emphasizes that exporters should rely on an adequacy decision or a transfer mechanism recognized under GDPR whenever possible.

As May 25th speeds towards us, organizations that must comply with the GDPR should carefully review this draft guidance as they prepare their compliance programs.  Companies should consider providing comments supporting the guidance where appropriate and asking for clarifications and changes where they think they are needed.

Special thanks to Robert Kantrowitz* for his assistance in drafting this post.

*Law Clerk–not admitted to practice law.