As a non-EU Data Controller and responsible for the data,
what are your options?
April 16, 2020
The use of IoT has facilitated exchanges between organizations worldwide and consequently increased the number of personal data transfers. The entry into force of the General Data Protection Regulation (EU) 2016/679 (‘the GDPR’) guarantees the free flow of personal data within the European Union and the European Economic Area (GDPR, art. 1). The free flow of data principle is meant to ensure a level playing field across the whole EU/EEA territory and to promote the creation of an EU single market.
By contrast, the transfer of personal data outside of the EU/EEA territory is strictly regulated. Such transfers are allowed only if a sufficient and appropriate level of data protection is ensured for the data once transferred.
A controller or a processor which intends to transfer personal data to a third country must rely on one of the tools provided by the GDPR to ensure such a level of data protection (GDPR, art. 44-49). The goal of these rules is to keep the data effectively protected in countries not governed by the GDPR, where the law may be less strict.
What are these tools?
Adequacy decision (GDPR, art. 45)
Some third countries may be recognized as “adequate” by the European Commission, meaning that the data protection law applicable in these countries offers a level of protection essentially equivalent to that of the EU. By virtue of such a decision, data importers located in an adequate country can receive data from the EU/EEA without any additional action or any approval from a Data Protection Authority. The EU-U.S. Privacy Shield is a partial (sector-specific) adequacy decision, limited to US organizations self-certified under that framework.
Appropriate safeguards (GDPR, art. 46-47)
The second tool rests on a binding instrument between the Data Exporter and the Data Importer, most often a contract. In this case, the GDPR provides different types of appropriate safeguards:
- Contractual clauses, such as the EU Standard Contractual Clauses (“SCCs”) adopted by the European Commission, the standard data protection clauses adopted by a Data Protection Authority, or Ad-Hoc Clauses, which are “tailor-made” clauses requiring prior authorization from the competent Data Protection Authority;
- Binding Corporate Rules, which can be used within a group of companies engaged in a joint economic activity in order to cover all data transfers made within the group; and
- An approved Code of Conduct or Certification mechanism, combined with a binding and enforceable commitment by the Data Importer to apply the appropriate safeguards for the transfer.
Derogations (GDPR, art. 49)
When it is not possible to set up effective appropriate safeguards, the Data Exporter may rely on one of the derogations provided by the GDPR. Amongst them is the data subject’s explicit and informed consent to the proposed transfer (GDPR, art. 49(1)(a)). These derogations must be interpreted strictly because they allow a transfer to countries where the protection of personal data and data subjects cannot be ensured.
The European Data Protection Board recommends a three-step approach: first check whether the third country of the recipient benefits from an adequacy decision, then look for an appropriate safeguard, and only as a last resort assess whether one of the derogations may apply.
These rules seem simple and quite basic but in practice, things get complicated.
When the country where the Data Importer is located doesn’t benefit from an adequacy decision from the European Commission, what could be the solution?
Some of the tools provided by the GDPR are not, at this moment, available to a non-EU Data Controller, which complicates compliance with the GDPR rules:
- The SCCs adopted by the European Commission only cover transfers where the Data Exporter is a Data Controller established in the EU, which consequently limits the use of this tool for a non-EU controller.
- In the clinical sector, no Code of Conduct has been approved yet, although the European Data Protection Supervisor declared that the creation of such a Code of Conduct could be recommended.
- Binding Corporate Rules cannot be put in place, since they only cover transfers within a single corporate group and it would be very difficult to reach an agreement between all the clinical stakeholders (sponsors, sites, service providers).
From a theoretical point of view, it seems that Ad-Hoc Clauses could be the most appropriate tool.
But is this applicable in practice? It means that, for each category of data transfer, the Ad-Hoc Clauses must be submitted to the competent Data Protection Authority for prior authorization (GDPR, art. 46(3)(a)).
How are the Ad Hoc clauses approved?
When Ad-Hoc Clauses are submitted to a Data Protection Authority, that Authority must first refer the draft clauses to the European Data Protection Board (‘the EDPB’), which issues an opinion on their validity (GDPR, art. 64(1)(e)). The Data Protection Authority then decides whether or not to authorize the Clauses.
The consistency mechanism of the GDPR (GDPR, art. 63) requires Data Protection Authorities to cooperate with each other in order to ensure a consistent application of the GDPR. This means that if a Data Protection Authority receives for authorization Ad-Hoc Clauses that have already received a positive opinion from the EDPB, the Data Protection Authority should follow the Board’s opinion and authorize the Ad-Hoc Clauses.
For this reason, the consistency mechanism would significantly simplify compliance with the data transfer rules. MD-T is of the opinion that Ad-Hoc Clauses would be the appropriate solution to comply with the data transfer rules in a clinical trial context, under the condition that the data transfers are precisely defined and framed in the content of the Ad-Hoc Clauses.