What the EDPB Says about Art. 49 Derogations for EU-U.S. Data Transfers
Sep 1, 2020 by BBB National Programs
Following the Schrems II decision, all businesses that rely on EU-U.S. transfers of personal data are waiting on further guidance to determine how to meet new EU standards. Ensuring the continuity of data flows from Europe to the U.S. is not an abstract question for businesses, given the billions of dollars of digital trade between the EU and U.S. economies.
As explored in our earlier post, Privacy Shield businesses are recognizing the value of continuing to follow the Privacy Shield Principles to demonstrate compliance and accountability and retain the trust of their European partners and customers. Though Schrems II makes it clear that Privacy Shield is no longer a valid transfer mechanism, responsible businesses are returning to first principles, documenting efforts to maintain appropriate internal privacy practices as they wait for further clarity from EU regulators.
There is currently no cookie-cutter solution for receiving EU personal data in the U.S. Instead, individual privacy practitioners are verifying that they understand their data flows and legal commitments. Business leaders are examining their individual situations and talking to counsel about which transfer mechanism—or combination of mechanisms—is best suited to demonstrate compliance at a time when nearly all EU-U.S. transfers are on thin ice.
One piece of this puzzle is the single transfer mechanism that has not been called into question at this time: derogations under Article 49 of the General Data Protection Regulation (GDPR).
Derogations: An Exception, a Supplement, or a Stopgap?
Derogation means “an exemption from or relaxation of a rule or law.” GDPR Article 49 is titled “Derogations for specific situations” and it describes a legal approach to transferring personal data outside of the EU when all the other legal mechanisms (described in Arts. 45-48) are unavailable.
Toward the end of the Schrems II opinion, the Court states that its decision to invalidate Privacy Shield won’t create a “legal vacuum” for data transfers because organizations can still turn to Art. 49 derogations. Similarly, in its guidance on the decision, the European Data Protection Board (EDPB) points to derogations as an available mechanism for continuing to transfer data to the U.S. “provided the conditions set forth in [Art. 49] apply.”
The EDPB refers businesses that wish to rely on derogations to its 2018 guidelines on Art. 49 derogations. To use any of these derogations, a business must be mindful of the details and document its decision. Each derogation comes with its own set of administrative and technical requirements.
Read on for our summary of the EDPB’s guidelines on a few of the derogations relevant to commercial transfers: consent, contract, and compelling legitimate interests.
1. Explicit consent.
The first derogation can be used for EU-U.S. transfers if the business obtains consent from the data subject to transfer their personal data to the United States. The EDPB is careful to point out that this requires all the elements of any other consent under GDPR. For a full analysis of these requirements, see the EDPB’s guidelines on consent.
For a business to rely on the derogation of consent, the consent must be:
- Explicit. Explicit consent is the highest tier of consent under the GDPR, the same as required in the rules governing automated processing and special categories of personal data. Since regular (non-explicit) consent under the GDPR already requires a “statement or clear affirmative action,” explicit consent must require something more than this. In its consent guidance, the EDPB clarifies, “The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.” The examples provided are collecting the signature of the data subject or implementing two-stage verification of consent.
- Freely given. The EDPB does not elaborate on this requirement in its guidance on derogations, but its guidance on consent states, “The element ‘free’ implies real choice and control for data subjects. As a rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.” It goes on to remind data controllers that they must be able to demonstrate that “it was possible to withdraw consent without detriment.”
- Specific. In the context of data transfers, specific consent means that the data subject explicitly consented to the specific transfer (or set of transfers) in question before the transfer occurred. The data subject must be told about the transfer (with enough detail and in a form that meets the other requirements) at the time that consent is given.
- Unambiguous. Again, the EDPB’s guidance on consent provides further guidance on this requirement, specifically, “It must be obvious that the data subject has consented to the particular processing.”
- Informed. In the context of data transfers, the EDPB spells out the many details that individuals should be informed of at the time they are asked for their consent, “particularly as to the possible risk of the transfer” in question. The information provided to the data subject when obtaining consent should include “the specific circumstances of the transfer,” including:
- the data controller’s identity,
- the purpose of the transfer,
- the type of data,
- the existence of the right to withdraw consent,
- the identity or the categories of recipients,
- the country being transferred to, and
- the fact that consent is the lawful grounds of the transfer.
Importantly, this derogation “requires data subjects to be also informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.”
2. Necessary for the performance of a contract.
There are two derogations related to the terms of a contract.
a. The first applies if there is a direct relationship between the data controller and the data subject. It also allows the business to transfer data for “pre-contractual measures taken at the data subject’s request.”
b. The second contract derogation envisions a contract between the controller and “another natural or legal person” (including a business) that is “in the interest of the data subject.”
Each of the contract derogations requires that data transfers are both necessary under the contract and occasional in nature. To pass the test of necessity, there must be a “close and substantial connection between the data transfer and the terms of the contract.” The EDPB provides an example of such a close connection: “the transfer by travel agents of personal data concerning their individual clients to hotels or to other commercial partners that would be called upon in the organization of these clients’ stay abroad.”
To pass the occasional test, the EDPB recommends a case-by-case analysis but notes that “Data transfers regularly occurring within a stable relationship would be deemed as systematic and repeated, hence exceeding an ‘occasional’ character.” As one example, the EDPB describes a situation where “a bank in the EU transfers personal data to a bank in a third country in order to execute a client’s request for making a payment, as long as this transfer does not occur in the framework of a stable cooperation relationship between the two banks.”
3. Compelling legitimate interests.
This final derogation is a last resort for cases when no other derogations or other legal transfer mechanisms are available. Transfers under this derogation must not be repetitive and must concern a “limited number of data subjects.”
This derogation comes with a serious list of administrative requirements, including a requirement to notify both the data subject and the supervisory authority (the relevant DPA) about the transfer. The decision to rely on this derogation should be documented with an assessment showing why no other mechanism is available. The EDPB believes that this requirement “implies that the data exporter can demonstrate serious attempts in this regard, taking into account the circumstances of the transfer.”
The EDPB recognizes that practical realities may play a role in this assessment, such as the difficulty for small and medium businesses to secure Binding Corporate Rules as a transfer mechanism or in a case where “the data importer has expressly refused to enter into a data transfer contract on the basis of standard data protection clauses and no other option is available (including, depending on the case, the choice of a different data importer).”
Having documented that no other mechanism is available, a data controller that wishes to rely on this derogation must also show that the transfer meets the standard for “compelling” legitimate interests. This is a higher standard than just legitimate interests. As the EDPB notes, “a certain higher threshold will apply, requiring the compelling legitimate interest to be essential for the data controller. For example, this might be the case if a data controller is compelled to transfer the personal data in order to protect its organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.”
Finally, the EDPB advises companies to apply a balancing test, analyzing the identified compelling legitimate interests in relation to the rights of data subjects. Where there are risks to data subjects identified, the controller should provide and document “suitable safeguards” around the protection of data concerned. As the EDPB explains, “this requirement highlights the special role that safeguards may play in reducing the undue impact of the data transfer on the data subjects and thereby in possibly influencing the balance of rights and interests to the extent that the data controller’s interests will not be overridden.”
A Limited but Available Mechanism
During this uncertain time for EU-U.S. transfers of personal data, Art. 49 derogations remain a legitimate, if limited, option for Privacy Shield businesses. Each derogation requires the business relying on it to make its own assessment of the circumstances of the transfer, to ensure that the conditions for use of the derogation can be met—likely through a combination of administrative, legal, and technical measures. A prudent business would also want to keep a written record of this analysis and of all actions taken to ensure compliance.
Although Art. 49 derogations are a relatively unstudied aspect of the GDPR, other commentators have examined some of the issues raised by this mechanism. For further analysis of how derogations relate to other approved transfer mechanisms under GDPR see Elisabeth Dehareng’s post in Lexology. For more on the “occasional” requirement for the contract derogations, see the analysis by Stevan Stanojevic in IAPP Privacy Perspectives. And for more on why derogations are not affected by the Schrems II decision, see this post by Brandon Moseberry and Florian Tannen in IAPP Privacy Advisor.
This post is part of a series about the implications of the Schrems II decision on EU-U.S. data transfers. BBB National Programs will continue to share the latest updates as they become available.