Some time back, I did a short post on LinkedIn warning my contacts not to rely on consent as a basis for legalizing their data transfers from the EU. The post generated such an overwhelming response – both from those who agreed, and also from a few who disagreed, that I felt it merited slightly longer explanation here. So here goes:
The EU data export prohibition
As all readers of this blog will know, the EU Data Protection Directive prohibits transfers of personal data out of the European Economic Area (Art 25(1)) unless the transferring organization either:
(a) transfers the data to a territory deemed to provide ‘adequate’ protection by the European Commission;
(b) can show that a data export exemption applies, or
(c) puts in place a lawful data export solution with the recipient of the data (i.e. model clauses or BCR).
To date, only a handful of non-EEA countries have been declared adequate by the European Commission (i.e. point (a) above), and a list of those countries is available here.
This means that for most data exporting organizations, they are looking either to show that a data export exemption applies (point (b) above) or that they have a data export solution in place (point (b) above).
Data export ‘exemptions’
Exemptions from the data export prohibition are set out in Article 26(1) of the Directive and – you can probably guess what’s coming – these exemptions include the data subject’s ’unambiguous’ consent. Put another way, if your data subject understands that you are transferring his or her data internationally, the (potential) consequences of this international transfer, and unambiguously indicates his or her agreement, then the transfer is exempt from the data transfer prohibition.
Sounds good, doesn’t it – but hold your horses. The lawyers among you will know that legislative exemptions are, by their nature, meant to be construed very narrowly. That means they should not be ‘the first port of call’ you turn to, but rather applied only when other, more protective, options have been exhausted. (More on this below.)
Data export ‘solutions’
By contrast, model clauses and BCR are data export solutions, enabled by Art 26(2) of the Directive. These solutions are designed to enable data transfers to non-EEA countries by virtue of ensuring “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals”.
What this means is that, unlike consent, they are not simply legal exemptions that effectively disapply the ‘adequacy’ protection the law otherwise would provide individuals. Rather, they work with this adequacy requirement by introducing controls into the relationship between the transferor and recipient to ensure that the data remains protected even when it is outside the EEA.
For this reason, data export solutions, like model clauses and BCR, should always be preferred over Art 26(1) legal exemptions, like consent. Art 26(1) exemptions are meant to be applied only when model clauses and BCR are genuinely inappropriate or unavailable for the particular transfer at hand.
When you stop and think about this, it all makes sense. For very obvious reasons, data protection regulators will always favor solutions that provide an ongoing protection for individuals’ data outside the EEA, as opposed to reliance on consent where the individual is effectively waiving ‘adequate’ protection. That makes model clauses and BCR a much more robust basis for conducting data exports.
What the regulators say
You don’t have to take my word for it though. Here’s what the Article 29 Working Party have to say on the issue in their “Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995” (available here):
“Although the use of the derogations per se does not imply in all cases that the country of destination does not ensure an adequate level of protection, it does not ensure that it does either. As a consequence, for an individual whose data have been transferred, even if he has consented to the transfer, this might imply a total lack of protection in the recipient country, at least in the sense of the provisions of Article 25 or 26(2) of directive 95/46…
Furthermore, in the light of experience, the Working Party suggests that consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question. … Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome…
If the level of protection in the third country is not adequate in the light of all the circumstances surrounding a data transfer, the data controller should consider Article 26(2), i.e., providing adequate safeguards through, for example, the standard contractual clauses or binding corporate rules. Only if this is truly not practical and/or feasible, then the data controller should consider using the derogations of Article 26(1).
Further in line with this logic, the Working Party would recommend that the derogations of Article 26(1) of the Directive should preferably be applied to cases in which it would be genuinely inappropriate, maybe even impossible for the transfer to take place on the basis of Article 26(2).
The Working Party would find it regrettable that a multinational company or a public authority would plan to make significant transfers of data to a third country without providing an appropriate framework for the transfer, when it has the practical means of providing such protection (e.g. a contract, BCR, a convention).
It is in particular for this reason that the Working Party would recommend that transfers of personal data which might be qualified as repeated, mass or structural should, where possible, and precisely because of these characteristics of importance, be carried out within a specific legal framework (i.e. contracts or binding corporate rules).”
And here’s the European Commission echoing that sentiment in their ‘Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries (available here):
“…the derogations in Article 26(1) of the Directive should be interpreted restrictively and preferably be applied to cases in which it would be genuinely inappropriate, or even impossible, for the transfer to take place on the basis of Article 26(2), i.e., providing adequate safeguards through, for example, (the standard) contractual clauses or binding corporate rules. Only if this is truly not practical and/or feasible should the data controller consider using the derogations in Article 26(1).
This is the case in particular for transfers of personal data that might be described as repeated, mass or structural. These transfers should, where possible, and precisely because of their importance, be carried out within a specific legal framework (Article 25 or 26(2)). Only for instance when recourse to such a legal framework is impossible in practice can these mass or repeated transfers be legitimately carried out on the basis of Article 26(1).” (emphasis added)
Why this matters
Ultimately, what this means for your organization is that, if your post-Safe Harbor data export strategy is built around reliance on consent, then you need to take a long, hard look at whether this really is an appropriate mechanism. Often, it won’t be, in which case now is the time to take stock and consider moving to a strategy built around model clauses or BCR instead.