24/02/2021
Briefing

This article was updated May 2022.

Big Picture Issue

The CJEU’s decision on data transfer mechanisms in Schrems II created a turbulent landscape for organisations that transfer data outside of the EEA.  The key ruling in the Schrems II decision was the immediate invalidation of the EU-US Privacy Shield (the replacement for the Safe Harbour mechanism invalidated by the CJEU in the earlier Schrems I case), which facilitated data transfers to US companies on the basis that GDPR-level protection would be guaranteed for EU data subjects.  While agreement on the Trans-Atlantic Data Privacy Framework, the replacement for the EU-US Privacy Shield, was announced on 25 March 2022, adoption and implementation are still several months away.

The other key ruling was a requirement that organisations relying on SCCs to transfer data ensure the effective protection of personal data, particularly where the law of a third country allows for public authorities to interfere with data subjects’ rights.  This has caused significant difficulty and uncertainty for international businesses engaging in cross-border data transfers, as evidenced by a series of data transfer decisions across Europe concerning Google Analytics and, in particular, the reported preliminary cease processing order issued by the Irish Data Protection Commission against Meta. Therefore, while the new model SCCs will likely remain the mechanism of choice for most organisations for their data transfer operations, the decision in Schrems II, as reflected in the new SCCs, places a significant administrative and compliance burden on organisations, not least the obligation to carry out transfer impact assessments for their data flows and put in place additional safeguards or supplementary measures to mitigate privacy risks. (For more information, see our briefing on the new SCCs here).

Following the upheaval caused by the Schrems II decision, there has been an increasing focus on finding practical solutions for organisations to comply with GDPR in relation to their data transfer operations.  One of the least-utilised mechanisms for transfers is the Article 49 derogations, which, to date, have largely been viewed as unviable due to the strict guidance issued by the EDPB in 2018 (the “2018 Guidance”), and remain largely unexplored.  However, comments made last year by Prof. Dr. von Danwitz, the judge-rapporteur in both the Schrems I and Schrems II decisions, have provided renewed optimism about the extent to which these derogations can be relied on.

Overview of Article 49 Derogations

In the first instance, Article 49 can only be relied on in the absence of an adequacy decision for the third country to which the data is to be transferred.  The 2018 Guidance states that the next port-of-call for data exporters is to frame the transfer within one of the mechanisms included in Article 46 (i.e. appropriate safeguards such as SCCs or binding corporate rules).  Notably, the more recent Recommendations on measures that supplement transfer tools adopted by the EDPB on 18 June 2021 state: “If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation”, the organisation must proceed to consider whether the Article 46 mechanism being relied on is effective.  This suggests that Article 49 can be relied on without the need to resort to Article 46 and consider supplementary measures, provided the strict conditions of Article 49 are met.  This is further supported by the description of the Article 49 derogations in the Recommendations as a “third avenue [to adequacy decisions and Article 46 transfer tools] allowing transfer of personal data in certain situations”.  If this is the case, the administrative and financial consequences of the Schrems II decision may be avoided, at least with regard to some transfers.

As a general principle, reliance on Article 49 is limited to transfers that are occasional and not repetitive.  The 2018 Guidance is clear that transfers that occur regularly within the context of a stable contractual relationship do not meet this standard.  For example, if a data importer is granted direct access to a database controlled by the data exporter, this will be considered non-occasional and repetitive, even if the actual transfers are sporadic.

The most common derogations for organisations to consider will be:

  1. Transfers based on the data subject’s explicit consent, having been informed of the possible risks of the transfer;
  2. Transfers necessary for the performance of a contract with the data subject;
  3. Transfers necessary for important reasons of public interest; and
  4. One-off transfers that are in the organisation’s compelling legitimate interests.

In relation to the first derogation listed, the level of consent required is even greater than in relation to standard GDPR processing, as data exporters must make additional efforts to make data subjects aware of the risks of transferring to third countries.  This high threshold, combined with the risk that consent could be withdrawn at any time, resulted in the EDPB concluding that it “might prove not to be a feasible long term solution for transfers to third countries”.

For transfers based on a necessity to perform a contract, the 2018 Guidance notes that the necessity test requires a “close and substantial connection between the data transfer and the purposes of the contract”.  So, for example, a decision by a company to outsource its HR functions to a third country would not be sufficiently “necessary” because there is an insufficient link between the performance of the employment contract with the data subject and the transfer.  Guidance published by the UK ICO states that necessity here means “that you cannot perform the core purpose of the contract or the core purpose of the steps needed to enter into the contract, without making the restricted transfer”.

In terms of transfers necessary for important reasons of public interest, in September 2020 the UK ICO (in the context of the post-Brexit UK GDPR regime) ruled that transfers by UK-based firms to the Securities and Exchange Commission in the US for regulatory compliance purposes would meet the standard of a transfer for an important reason of public interest.  While the ICO noted that this decision would remain under review, it does open up the possibility that more regulatory authorities could take this approach to facilitate regulatory oversight in other jurisdictions, particularly while the GDPR and UK GDPR regimes remain aligned and this decision may be persuasive to EU regulators.

Finally, there is an exception for organisations to make one-off transfers that are in their compelling legitimate interest.  According to the ICO, this exception is strictly limited by virtue of it being available only in “truly exceptional circumstances”, and a data exporter must first rule out the application of all other exceptions under Article 49.  It is not sufficient to merely give the other exceptions due consideration. So if, for example, a data exporter could obtain consent instead with some additional effort or investment, then that option must be pursued.  The legitimate interest relied on must be compelling (a higher standard than for ordinary data processing), and data exporters must carry out a balancing exercise to weigh their interests against the impact on the rights and freedoms of data subjects.  There is also an obligation to inform the relevant supervisory authority, which may deter organisations from relying on this exception.

A New Interpretation for Article 49?

While made in his personal capacity, the recent comments of Prof. Dr. von Danwitz have cast doubt on the perceived limitations of relying on Article 49, and suggest there may be a more expansive approach taken by the CJEU in the future.  Speaking at an event organised by the German Federal Ministry of the Interior for Data Protection Day last year, von Danwitz noted that the reason for the immediate invalidation of the EU-US Privacy Shield in Schrems II was that there were Article 46 safeguards and Article 49 derogations to “cover the absence of an adequacy decision”.

Von Danwitz went on to suggest that Article 49 may be relied on when SCCs are not possible because a processing operation in a third country cannot comply with the clauses under applicable national law.  He noted that reliance on Article 49 may be particularly convenient for intra-group transfers, and that even with the limitations of necessity in Article 49, there is “sufficient scope for action”.  He did not expand any further on his views, noting that the issue may come before the CJEU in the future.  However, the comments made should add support to an assessment that Article 49 is not as narrow as previously thought, particularly when dealing with transfers within a company or group of companies.

Key Takeaways

Due to a heavy reliance on SCCs and transfer mechanisms such as the former EU-US Privacy Shield, little attention has been given to Article 49 derogations and how they may be properly harnessed by organisations.  While the new model SCCs will likely remain the mechanism of choice for most organisations for their data transfer operations, consideration should be given to whether any transfer operations could be covered by an Article 49 derogation.  If so, this could save organisations a significant amount in financial and administrative costs, particularly as it seems the EDPB have taken the approach that Article 49 derogations, like adequacy decisions, pre-empt the need to implement supplementary measures.