On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document updating its previous guidance on transfers of personal data to third countries (WP12), (‘WP29 Document’). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice (‘CJEU’).
The WP29 Document only deals with Chapter 1 of WP12 and focuses solely on adequacy decisions. Chapters 2 and 3 of WP12 will be updated at a later stage. The WP29 Document is currently open for consultation and comments should be submitted by 17 January 2018.
The updated guidance consists of four chapters, the key points of which are discussed below.
Chapter 1: Some broad information in relation to the concept of adequacy
- Article 45(1) GDPR provides that personal data transfers to a third country shall only take place if the third country ensures an ‘adequate level of protection’. This concept, which already existed under the EU Data Protection Directive 95/46/EC, has been further developed by the CJEU in the Schrems case, namely that the level of protection in the third country must be ‘essentially equivalent’ to that guaranteed in the EU. The WP29 Document further clarifies that the objective is not to replicate the EU data protection legislation but to establish the core requirements of the legislation.
- Whilst adequacy can be achieved through a combination of rights and obligations the WP29 Document highlights that efficient enforcement mechanisms are the key to ensuring the effectiveness of data protection rules.
Chapter 2: Procedural aspects for adequacy findings under the GDPR
- The European Data Protection Board (‘EDPB’), which will replace WP29, must be provided with all relevant documentation to fulfil its task of advising the European Commission under Article 70(1)(s) GDPR. The information supplied needs to be exhaustive and should allow the EDPB to make its own assessment on the level of data protection in the third country.
- The European Commission should monitor developments that could affect the functioning of an adequacy decision on an ongoing basis (Article 45(4) GDPR). A periodic review must take place at least every four years, although this is a general timeframe and should be adjusted as appropriate. For example, incidents or other information about the legal framework in the third country or international organisation might trigger the need for a review ahead of schedule. The WP29 Document also suggests it is appropriate to carry out the first review of a new adequacy decision sooner, and then adjust the review cycle depending on the outcome. The EDPB should be kept informed of any review process.
- Article 45(5) GDPR gives the European Commission the right to repeal, amend or suspend existing adequacy decisions. This process should involve the EDPB by requesting its opinion (Article 70(1)(s) GDPR).
Chapter 3: General Data Protection Principles to ensure the level of protection is essentially equivalent to the one guaranteed by EU legislation
A third country’s or international organisation’s system must contain the following basic content and procedural/enforcement data protection principles and mechanisms:
- Concepts: Basic data protection concepts and/or principles should exist. They do not need to mirror GDPR terminology but should reflect and be consistent with the concepts enshrined in EU data protection law.
- Grounds for lawful and fair processing for legitimate purposes.
- Purpose limitation.
- Data quality and proportionality.
- Data retention.
- Security and confidentiality.
- Right of access, rectification, erasure and objection. (Note: Whilst considered a plus, the WP29 Document states that the lack of data portability or restriction of processing rights should not prevent a country from being recognised as ensuring essential equivalence with the EU framework.)
- Restrictions on onward transfers.
- Specific safeguards for special categories of data.
- Right to object to direct marketing at any time.
- Automated decision-making and profiling that produce legal effects or significantly affect data subjects should only take place under certain conditions (for example. the data subject’s explicit consent or if necessary for the conclusion of a contract).
Although the means to which the third country has recourse for ensuring an adequate level of protection may differ from those used within the EU, a system consistent with the EU one should include the following elements:
- A competent independent supervisory authority.
- The data protection system must ensure a good level of compliance.
- Accountability: Controllers and processors should be obliged to comply with the local data protection framework and be able to demonstrate such compliance to the competent supervisory authority.
- The data protection system must provide support and help to data subjects in the exercise of their rights and appropriate redress mechanisms.
Chapter 4: Essential guarantees in third countries for law enforcement and national security access to limit interference of fundamental rights
- WP29 identified four essential guarantees regarding surveillance in its opinion, WP237, adopted on 13 April 2016. These guarantees need to be respected for access to data, whether for national security or law enforcement purposes, by all third countries to be considered adequate:
- Processing should be based on clear, precise and accessible rules (legal basis).
- Necessity and proportionality with regards to legitimate objectives pursued need to be demonstrated.
- The processing must be subject to independent oversight.
- Effective remedies need to be available to data subjects.
Although the WP29 Document is aimed at providing guidance to the European Commission and EDPB under the GDPR, it will also be useful to those third countries and international organisations interested in obtaining adequacy. Indeed, the UK may find it helpful as it considers its options post-Brexit when it will become a ‘third country’. Given that the government has announced that it will seek a solution based on the adequacy model to ensure free flows of data after the UK leaves the EU, further clarity on how this might be achieved will no doubt be welcomed.