Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46?
Rules on international transfer under GDPR
Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:
- The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
- The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
- The “Derogations for specific situations” provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.
Consent can be used after endeavors to implement safeguards
The European Data Protection Board (“EDPB”), which replaced the Article 29 Working Party (“WP 29 ”) on May 25, 2018 endorsed WP 29’s guidelines in relation to GDPR, including “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679” (“EDPB Guidelines”).The EDPB Guidelines provide: “the derogations must be interpreted restrictively so that the exception does not become the rule.” This is also supported by the wording of the title of Article 49, which states that derogations are to be used for specific situations (“Derogations for specific situations”). EDPB recalls that WP 29 has long advocated “as best practice a layered approach to transfers”. Thus, data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 and 46 GDPR, and only in their absence use the derogations provided in Article 49(1)”.
Interpretation of Article 44 GDPR by EDPB: no additional safeguards required
Article 44 “General principle for transfers” of GDPR regulates international transfers generally and, as a result, includes transfers pursuant to Article 49(1) of GDPR.
It stipulates that the transfer is made “subject to the other provisions of these regulations”, referring to the obligations to abide by. – the rights of data subjects (information, right of access, right of opposition, etc.) and the obligations imposed on data controllers and processors in the collection and processing of data, the transfer being only one aspect of the processing. These other provisions may add additional constraints.
Article 44 further provides that “all provisions in this Chapter [V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. This could be interpreted as meaning that, even in the absence of appropriate safeguards, a certain level of protection must be guaranteed by other means.
This is not the position of the EDPB Guidelines. Referring to Article 44, EDPB considers “that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached”. However, it draws no other conclusion than the exceptional nature of the derogations from Article 49(1). Referring to WP 114, the derogations from Article 49(1) “are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards.”
Consent may now be used even in case of repeated, massive or structural transfers
Interpretation by WP 29 under Directive 95/46
Under Directive 95/46, WP 29 recommended in its WP 114 opinion of 1995 “that transfers of personal data which might be qualified as repeated, mass or structural should, where possible, and precisely because of these characteristics of importance, be carried out within a specific legal framework (i.e. contracts or binding corporate rules)”. It did however acknowledge that there are cases where even such transfers can be carried out on the basis of the derogations “when recourse to such a legal framework is impossible in practice, where the risks to the data subject are small […]“.
By way of example, based on these guidelines, the French data protection authority, the CNIL, did not permit use of the derogations, including consent, in cases of repeated, massive or structural transfers
Rules under GDPR
The EU legislator had many opportunities to include the above limitation in the text or the recitals of GDPR, but it did not do so. The only references to such limitations are:
- In the articles of the GDPR: restricting transfers necessary for the purposes of “compelling legitimate interests pursued by the controller” (Article 49(1)) to cases where the transfer is “not repetitive, [and] concerns only a limited number of data subjects”.
- In the recitals of GDPR: Recital 113 incorporates what is provided for in Article 49(1) second paragraph, and Recital 111 restricts transfers necessary for a “contract or legal action” (Article 49(1) subpar. 1(b),(c) and (e)) to cases where the transfer is “occasional”.
Therefore, a contrario, the restriction of the non-massive, non-repeated or non-structural nature no longer applies to the transfer on the basis of the consent of the data subject. The EDPB Guidelines confirm this but wishes to highlight “that even those derogations which are not expressly limited to “occasional” or “not repetitive” transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule […]”.
This seems to be a potentially very important liberalization for consent-based transfers.
Rules on consent under GDPR
Conditions for consent
The general conditions for consent to be considered as valid are defined in Article 4(11) pursuant to which consent has to be freely given, specific, informed and unambiguous, and in Article 7 specifying the request for consent shall be clearly distinguishable from other matters and unbundled.
The EDPB Guidelines note that “since consent must be specific information about the transfer should be provided “before it takes place so as to collect |..] explicit consent to the “proposed” transfer”.
Under Article 49(1)(a), there are additional elements required for consent to be considered a valid legal ground for international data transfers:
- Consent must be “explicit”, which is required under the GDPR in situations where particular data protection risks may emerge, and so, a high individual level of control over personal data is required, as is the case for the processing of special category data (Article 9(2)(a)) and automated individual decisions (Article 22 (2)(c)).
- Consent must be informed particularly as to the possible risks of the transfer. Pursuant to the EDPB Guidelines the information provided to data subjects “should also specify all data recipients or categories of recipients, all countries to which the personal data are being transferred to, that the consent is the lawful ground for the transfer, and that the third country to which the data will be transferred does not provide for an adequate level of data protection […]” as well as information “as to the possible risks for the data subject arising from the absence of adequate protection in the third country and the absence of appropriate safeguards”. […] for example information that in the third country there might not be a supervisory authority and/or data processing principles and/or data subject rights might not be provided for in the third country.”
Right to withdraw consent
Under Article 7(3) “the data subject shall have the right to withdraw his or her consent at any time […] It shall be as easy to withdraw as to give consent.” This seems to be a far more effective limitation than the conditions of non-repeated, non-massive or non-structural transfers. In this respect WP 114 suggested “that consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question. In fact, particularly if the transfer forms an intrinsic part of the main processing (e.g. centralisation of a world database of human resources, which needs to be fed by continual and systematic data transfers to be operational), the data controllers could find themselves in insoluble situations if just one data subject subsequently decided to withdraw his consent.”
The GDPR is more liberal than the Directive 95/46 as it pertains to situations where consent can be used as legal basis for international data transfers. However, the requirements for valid consent for this purpose and, more importantly, right to withdraw consent, under the GDPR create a complex and cumbersome situation. Data controllers and processors therefore should proceed with caution before turning to a “false good solution” by relying on consent for international transfers.