Over the last few years, the challenges for organisations transferring personal data outside of the EEA have become more complicated, and the landmark decision of the CJEU in Schrems II last summer has had significant implications for how data transfers are undertaken. While the EU Commission is likely to sign off on new model standard contractual clauses ("SCCs") in the next few months, we look at how organisations might give greater consideration to the derogations in Article 49, GDPR for certain transfers, and how these derogations may become a more widely used mechanism for transfers in the future.
Big Picture Issue
The CJEU's decision on data transfer mechanisms in Schrems II has created a turbulent landscape for organisations that transfer data outside of the EEA. The key ruling in the Schrems II decision was the immediate invalidation of the EU-US Privacy Shield (the replacement for the Safe Harbour mechanism invalidated by the CJEU in the earlier Schrems I case), which facilitated data transfers to US companies on the basis that GDPR-level protection would be guaranteed for EU data subjects. The other key ruling was a requirement that organisations relying on SCCs to transfer data ensure the effective protection of personal data, particularly where the law of a third country allows public authorities to interfere with data subjects' rights. While SCCs remain the mechanism of choice for most organisations for their data transfer operations, the model SCCs are outdated and the decision in Schrems II places a significant administrative and compliance burden on organisations to carry out transfer impact assessments for their data flows and put in place additional safeguards or supplementary measures to mitigate privacy risks. (For more information, see our briefing on Schrems II here.)
Due to the upheaval caused by the Schrems II decision, as well as the uncertainty around the UK's status as a third country post-Brexit, there is an increasing focus on finding practical solutions for organisations to comply with GDPR in relation to their data transfer operations. One of the least-utilised mechanisms for transfers is the Article 49 derogations, which, to date, have largely been viewed as unviable due to the strict guidance issued by the EDPB in 2018 (the "2018 Guidance"), and remain largely unexplored. However, recent comments by Prof. Dr. von Danwitz, the judge-rapporteur in both the Schrems I and Schrems II decisions, may provide renewed optimism about the extent to which these derogations can be relied on.
Overview of Article 49 Derogations
In the first instance, Article 49 can only be relied on in the absence of an adequacy decision for the third country to which the data is to be transferred. The 2018 Guidance states that the next port-of-call for data exporters is to frame the transfer within one of the mechanisms included in Article 46 (i.e., appropriate safeguards such as SCCs or binding corporate rules). Notably, the more recent Recommendations on measures that supplement transfer tools, released by the EDPB for public consultation in November 2020, state: "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation", organisations must proceed to consider whether the Article 46 mechanism being relied on is effective. This suggests that Article 49 can be relied on without the need to resort to Article 46 and consider supplementary measures, provided the strict conditions of Article 49 are met. If this is the case, the administrative and financial consequences of the Schrems II decision may be avoided, at least with regard to some transfers.
As a general principle, reliance on Article 49 is limited to transfers that are occasional and not repetitive. The 2018 Guidance is clear that transfers that occur regularly within the context of a stable contractual relationship do not meet this standard. For example, if a data importer is granted direct access to a database controlled by the data exporter, this will be considered non-occasional and repetitive, even if the actual transfers are sporadic.
The most common derogations for organisations to consider will be:
- Transfers based on the data subject's explicit consent, having been informed of the possible risks of the transfer;
- Transfers necessary for the performance of a contract with the data subject;
- Transfers necessary for important reasons of public interest; and
- One-off transfers that are in the data exporter's compelling legitimate interests.
In relation to the first derogation listed, the level of consent required is even greater than in relation to standard GDPR processing, as data exporters must make additional efforts to make data subjects aware of the risks of transferring to third countries. This high threshold, combined with the risk that consent could be withdrawn at any time, resulted in the EDPB concluding that it "might prove not to be a feasible long term solution for transfers to third countries".
For transfers based on a necessity to perform a contract, the 2018 Guidance notes that the necessity test requires a "close and substantial connection between the data transfer and the purposes of the contract". So, for example, a decision by a company to outsource its HR functions to a third country would not be sufficiently "necessary" because there is an insufficient link between the performance of the employment contract with the data subject and the transfer. The ICO guidance states that necessity here means "that you cannot perform the core purpose of the contract or the core purpose of the steps needed to enter into the contract, without making the restricted transfer".
In terms of transfers necessary for important reasons of public interest, the UK ICO (in the context of the post-Brexit UK GDPR regime) recently ruled that transfers by UK-based firms to the Securities and Exchange Commission in the US for regulatory compliance purposes would meet the standard of a transfer for an important reason of public interest. While the ICO noted that this decision would remain under review, it does open up the possibility that more regulatory authorities could take this approach to facilitate regulatory oversight in other jurisdictions, including the UK in the event that an adequacy decision is not granted by the EU Commission.
Finally, there is an exception for organisations to make one-off transfers that are in their compelling legitimate interest. According to the ICO, this exception is strictly limited by virtue of it being a "last resort", and a data exporter must first rule out the application of all other exceptions under Article 49. It is not sufficient to merely give the other exceptions due consideration. So if, for example, a data exporter could obtain consent instead with some additional effort or investment, then that option must be pursued. The legitimate interest relied on must be compelling – a higher standard than for ordinary data processing, and data exporters must carry out a balancing exercise to weigh their interests against the impact on the rights and freedoms of data subjects. There is also an obligation to inform the relevant supervisory authority, which may deter organisations from relying on this exception.
A New Interpretation for Article 49?
While made in his personal capacity, the recent comments of Prof. Dr. von Danwitz have cast doubt on the perceived limitations of relying on Article 49, and suggest there may be a more expansive approach taken by the CJEU in the future. Speaking at an event organised by the German Federal Ministry of the Interior for Data Protection Day, von Danwitz noted that the reason the EU-US Privacy Shield could be invalidated immediately in Schrems II was that Article 46 safeguards and Article 49 derogations remained available to "cover the absence of an adequacy decision".
Von Danwitz went on to suggest that Article 49 may be relied on when SCCs are not possible because a processing operation in a third country cannot comply with the clauses under applicable national law. He noted that reliance on Article 49 may be particularly convenient for intra-group transfers, and that even with the limitations of necessity in Article 49, there is "sufficient scope for action". He did not expand any further on his views, noting that the issue may come before the CJEU in the future. However, the comments made should add support to an assessment that Article 49 is not as narrow as previously thought, particularly when dealing with transfers within a company or group of companies.
Due to a heavy reliance on SCCs and transfer mechanisms such as the EU-US Privacy Shield, little attention has been given to Article 49 derogations and how they may be properly harnessed by organisations. While we wait for the new model SCCs to be published and organisations begin to think about how to incorporate them, consideration should be given to whether any transfer operations could be covered by an Article 49 derogation. If so, this could save organisations a significant amount in financial and administrative costs. It seems the EDPB will take the approach that Article 49 derogations, like adequacy decisions, pre-empt the need to implement supplementary measures, although we await final guidance on this following the public consultation.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.