The transfer of personal data from the European Union to foreign countries
The European Union General Data Protection Regulation (“GDPR”), by virtue of its extraterritorial applicability, brings within its ambit entities located outside the European Economic Area (“EEA”) that deal with the personal data of EEA data subjects. For example, GDPR applies to Indian airlines operating services to European destinations, Indian tour operators serving digital ads in the EEA targeting European citizens, etc.
GDPR restricts the transfer of personal data from the EEA to third countries and permits such transfers only under three exemptions, namely:
- An adequacy decision by the European Commission (Art 45);
- The transfer takes place after having appropriate safeguards (Art 46 and 47);
- Derogations apply (Art 49).
Two general examples of restricted cross border data transfers under GDPR:
- A European entity transfers data to an HR outsourcing firm located in India;
- A European subsidiary of an Indian software services firm transfers data of customers in Europe to the Indian holding company.
Transfer on the basis of an Adequacy Decision:
Under Art. 45, the European Commission is empowered to recognise a third country, a territory or one or more specific sectors within that third country, or the international organisation in question as offering an adequate level of protection comparable with protection available under GDPR (“Adequacy Decision”). The impact of an Adequacy Decision is that the personal data can be freely transferred from the EU to that third country without any further safeguard being necessary.
An Adequacy Decision is based on the presence of GDPR equivalent data protection laws, the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data in the third country. The Adequacy Decisions are monitored and reviewed at least every four years.
The countries/territories currently recognised as providing adequate protection are Andorra, Argentina, Canada (commercial organisations covered under Canada’s Personal Information Protection and Electronic Documents Act), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to transfers under the Privacy Shield framework).
Transfer of personal data after having appropriate safeguards:
As an alternative to Article 45, data transfers can take place after complying with the safeguards specified under Article 46, which are as follows:
- A legally binding and enforceable instrument between public institutions;
- Binding Corporate Rules under Article 47, i.e., a group of undertakings, or a group of enterprises engaged in a joint economic activity, can, based on an approval from a competent supervisory authority, undertake international transfers from the EU to organisations within the same group of undertakings or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data;
- Standard data protection clauses adopted by the European Commission;
- Standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
- An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
- Certification under an approved certification mechanism together with binding and enforceable commitments of the data importer.
Transfer of Personal Data under Derogations:
Where the options under Articles 45 and 46 are not available, data transfers can take place under the derogations specified in Article 49. The derogations are as follows:
- 49(1)(a): The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice.
- 49(1)(b): Transfer necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request. In relation to this derogation, the EDPB guidance states that although the derogations relating to the performance of a contract may appear to be potentially rather broad, they are being limited by the criterion of “necessity” and of “occasional transfers”.
- 49(1)(c): Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and other natural or legal person. Such transfers in the interests of data subjects can only be occasional and not repetitive. The example provided in EDPB guidance on derogations states that for outsourcing activities such as payroll management to service providers outside the EU, this derogation will not provide a basis for data transfers for such purposes, since no close and substantial link between the transfer and a contract concluded in the data subject’s interest can be established even if the end purpose of the transfer is the management of the pay of the employee.
- 49(1)(d): Transfer is necessary for important reasons of public interest. This derogation applies when it can be deduced from EU law or the law of the member state to which the controller is subject that such data transfers are permitted for important public interest purposes including in the spirit of reciprocity for international cooperation.
- 49(1)(e): The transfer is necessary for the establishment, exercise or defence of legal claims. Subject to the national law of the member states, the activities that can be covered include criminal or administrative investigations in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen, e.g. in antitrust investigations.
- 49(1)(f): The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. This derogation applies, for example, when the data subject is unconscious and in need of medical care, or in rescue operations in the event of natural disasters.
- 49(1)(g): The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
- 49(2): Where the data cannot be transferred under Article 45 or 47, or under the derogations specified in Article 49(1), the data can be transferred if it is necessary for the purposes of compelling legitimate interests pursued by the data exporter. The compelling legitimate interests of the data controller must not be overridden by the interests or rights and freedoms of the data subject, and transfers under this derogation must not be repetitive and must concern only a limited number of data subjects.
Given that the derogations under Article 49 do not guarantee the level of protection afforded under Articles 45 and 46, it is recommended that data exporters rely on Article 49 only in specific situations. For transfers to India, in the absence of a robust personal data protection framework, transfer under an Adequacy Decision may not be available in the near future. Under each of the options available for data transfers, the data controller and/or the processor also needs to comply with the other requirements of GDPR, i.e., the principles of processing personal data, the conditions of consent, and the responsibilities of the data controller and the processor.