Data transfers released but regulated
Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER
As surprising as it may seem in a globalized economy, where the notion of borders seems incompatible with transactions over the internet, the EU prohibited the transfer of personal data for further processing to a third country, i.e. one located outside the Union, without authorization issued by a supervisory authority.
The GDPR abolishes the prior authorization regime. However, certain conditions are necessary for the transfer to take place. The Commission must have established, by decision, that the non-EU recipient (country, territory or sector of a country, international organization) "ensures an adequate level of protection" (Article 45-1).
The second paragraph of Article 45 lists the criteria corresponding to this adequate level of protection, including the rule of law, respect for human rights and fundamental freedoms, legislation, the effective existence of an independent supervisory authority, international commitments, etc. If the examination of these criteria leads to the conclusion that the level of protection is in line with European rules, the Commission adopts an "implementing act", subject to periodic review at least every four years (Art. 45-3). It is further specified that the Commission shall constantly monitor developments in third countries (Art. 45-4).
However, the transfer remains possible, still without prior authorization, to a destination that has not been the subject of an implementing act. Indeed, Article 46 provides that a controller or a processor may transfer data "if it has provided appropriate guarantees and on condition that the data subjects have enforceable rights and effective legal remedies" (Art. 46-1).
These appropriate guarantees can be provided by different means, some of which we have already mentioned:
– A legally binding and enforceable instrument between public authorities or bodies;
– Binding corporate rules (for groups of companies, the terms of these rules, which must be approved by the supervisory authority, are specified in Article 47);
– Standard clauses approved by the Commission, either directly or via a supervisory authority;
– A code of conduct or certification mechanism "accompanied by a binding and enforceable commitment made by the controller or processor in the third country to apply appropriate safeguards" (Art. 46-2).
Appropriate safeguards for the transfer can be provided, this time after authorization from the supervisory authority, by two other means:
– A contract between the controller or processor and their counterparts in the third country;
– "Provisions to be included in administrative arrangements between public authorities or public bodies" (Art. 46-3).
Any transfer is therefore prohibited outside of an implementing act guaranteeing an adequate level of protection or specific guarantees. Exceptions are, however, provided for specific situations listed in Article 49. A transfer is notably possible:
– When the data subject has given their explicit consent after having been informed of the risks involved;
– In the context of the performance of a contract between the data subject and the controller (or, in the data subject's interest, with another natural or legal person);
– When the transfer is in the public interest, or related to the enforcement of legal rights, or necessary to safeguard the vital interests of the data subject.
These numerous provisions concerning transfer possibilities show that the initiators of the GDPR want to guarantee the protection of personal data without hindering the activity of companies and administrations. By removing prior authorization in the vast majority of cases, they are betting on the responsibility of the actors, whose practices must remain verifiable, in accordance with the well-known principle of accountability.