Legal challenges facing companies transferring personal data outside the EU

Background and context
It is safe to say that the GDPR has had a significant impact on both EU companies and EU citizens. For many citizens in the EU, the GDPR is a welcome initiative underlining the importance of protecting citizens in relation to the processing of their personal data. On the other hand, the GDPR has forced EU companies to design, or redesign, their business models with a privacy-centred mindset.

The recent Schrems II judgement invalidated the Privacy Shield agreement between the EU and the United States. The judgement shed light on one of the central challenges facing European research-based and personal data-intensive companies operating within the EU: the ever-changing rules and limitations on the transfer of personal data to countries outside the EU. The Schrems II judgement has left a legal void, making it challenging for EU companies to be confident that their transfers of personal data to the United States comply with the GDPR.

Setterwalls wants to highlight another legal void facing personal data-intensive companies operating in the EU: the lack of adequate mechanisms to transfer personal data from an EU-based personal data processor to a non-EU personal data controller.

The mechanisms for transferring personal data between EU and non-EU actors
There are currently three mechanisms available for companies who wish to transfer personal data between EU and non-EU actors:

1. transfers on the basis of an adequacy decision (Art. 45 of the GDPR);
2. transfers subject to appropriate safeguards (Art. 46 of the GDPR); and
3. transfers based on binding corporate rules (Art. 47 of the GDPR). 
    

An adequacy decision is a decision by the EU Commission that the country, territory or one or more specified sectors within a particular third country ensures an adequate level of protection. If there is an adequacy decision, there is no need to ensure specific authorisation for the transfer of personal data to such country or territory.

The EU Commission has currently recognised the following countries and territories as ensuring an adequate level of data protection: Andorra, Argentina, Canada (for commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Before the Schrems II judgement, the EU Commission also recognised the United States as ensuring an adequate level of data protection, provided the company residing in the United States was self-certified under the Privacy Shield.

The second mechanism consists of transfers subject to appropriate safeguards. A controller or processor may transfer personal data to a third country if the controller or processor has provided appropriate safeguards and as long as enforceable data subject rights and effective legal remedies for data subjects are available. The usual way to apply this mechanism in practice is to enter into standard data protection clauses, binding the non-EU party to provide certain rights and legal remedies for the data subjects.

The third mechanism consists of binding corporate rules. Binding corporate rules are rules that international company groups can establish to ensure that the relevant actors within the group adhere to the GDPR. Binding corporate rules must be legally binding and apply to every relevant member of the group which are concerned by the group undertakings.

In addition to these mechanisms, there are certain derogations listed in Art. 49 of the GDPR. However, Art. 49 explicitly states that the listed derogations may only be applied provided that several prerequisites are fulfilled, including that the transfer is not repetitive and concerns only a limited number of data subjects.¹  Due to the nature of these derogations, they are seldom suitable for cross-border research projects.

Small or medium-size actors can rarely transfer personal data based on binding corporate rules, and instead need to rely on either adequacy decisions or transfers subject to standard contractual clauses. As detailed above, most countries (including the United States after the Schrems II judgement) are not recognised as ensuring an adequate level of data protection, leaving standard contractual clauses as the last resort for cross-border transfers of personal data outside the EU/EAA.

Limitation on the application of standard contractual clauses
Standard contractual clauses include obligations for both the personal data controller that intends to transfer personal data to countries outside of the EU/EEA, and personal data controllers or personal data processors that receive such data. Standard contractual clauses also contain other provisions for such transfer, for example around dispute resolution and the rights of data subjects. The parties should not amend standard contractual clauses. If they do, there is a significant risk that the Data Protection Agency would deem the standard contractual clauses invalid.

The Schrems II judgement has shed light on the flaws of using standard contractual clauses as a valid mechanism for the transfer of personal data. In the Schrems II judgement, the Court of Justice of the European Union (CJEU) held, on the one hand, that standard contractual clauses are acceptable transfer mechanisms. On the other hand, the CJEU pointed out that standard contractual clauses need to be supplemented with additional safeguards when transferring personal data to countries where it is doubtful that national law in the receiving country can ensure adequate rights and legal remedies for the data subjects. The CJEU did not clarify what such additional safeguards might consist of, and since the parties cannot amend standard contractual clauses, it is unclear how such additional safeguards should be regulated and what effects adding such additional safeguards would have.

Another important limitation on the application of standard contractual clauses is the lack of suitable transfer mechanisms for data processors based in the EU. The European Commission has drafted sets of standard contractual clauses for two situations:

1. transfers from an EU controller to a non-EU controller
2. transfers from an EU controller to a non-EU processor
    

Thus, standard contractual clauses are aimed at EU controllers. However, there are several cases where an EU processor needs to transfer personal data to a non-EU controller. An example of this is when a non-EU research company wishes to conduct clinical research on non-EU data subjects, and engages an EU-based actor to conduct certain parts of the study. As a part of the study, the EU actor needs to receive certain personal data relating to the study subject, which is then further processed and supplemented within the EU. In such cases, there are no standard contractual clauses available (and it is even unclear whether or not the GDPR is even applicable to the transfer). If the receiving company is not established in a country or region recognised as ensuring an adequate level of data protection, the EU processor is left in a legal void. To date, neither the European Data Protection Board (EDPB) nor the Swedish Data Protection Agency have clarified how to ensure legal transfers of such data and we eagerly await further clarification. 

So what can companies do?
While the lack of legal guidance on the transfers of personal data might seem problematic, there are always solutions. A first step for any company working with US processors or working as processors on behalf of non-EU controllers is to conduct a thorough review of any ongoing agreements and map out what transfer mechanisms are currently used. Each agreement should then be assessed to see how the risk of unlawful transfers or transfers to the detriment of data subjects could be minimised. There are still many approaches available in the GDPR toolbox that can be used to ensure safe, non-intrusive and legal processing of personal data.

You are always welcome to contact Setterwalls to find a solution to your particular problem, whether it stems from transfers to the United States, processor-to-controller transfers or any other GDPR-related issues. Setterwalls has extensive experience of the GDPR, the rules governing processing activities and the rules governing the transfer of personal data outside the EU/EEA.

^{1For the full list of prerequisites, see Art. 49 of the GDPR, second paragraph.}