Article 46 GDPR: Difference between revisions

From GDPRhub
Revision as of 13:34, 3 March 2022

Article 46 - Transfers subject to appropriate safeguards

Legal Text


Article 46 - Transfers subject to appropriate safeguards


1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Recital 108: Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

Recital 109: Standard Data-Protection Clauses
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

Commentary

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus enables the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the situations regulated by Article 46 are very important, since the vast majority of third countries and international organisations are not covered by an adequacy decision under Article 45 GDPR. In the absence of these instruments, transfers to a large part of the world would therefore be precluded.

(1) Scope

Article 46(1) allows the transfer of personal data to a third country or an international organisation by means of appropriate safeguards in the absence of an adequacy decision. The provision seems to limit its scope to cases where there is no adequacy decision. However, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and are therefore additional to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, considers that the adequacy decision is invalid or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to prevent the controller from using these additional tools to increase the protection of the data subject.[1]

Appropriate Safeguards

According to Recital 108 appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.

Enforceable Data Subject Rights

Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. These include in particular the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), objection (Article 21) and the right to claim damages in the EU or in the third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce them, the data subject must also have effective remedies at their disposal. Since there are no statutory provisions in the third country to which the data subject could refer in order to enforce these rights, a different legal basis is required. This can only be a voluntary commitment by the data processing body in the third country, which can be expressed in a construction such as a contract for the benefit of third parties.

Effective Legal Remedies

A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists of the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement an "empty promise".[2]

Article 46 and Schrems II

In Schrems II, the CJEU found that the notions of appropriate safeguards, enforceable rights, and effective legal remedies must be interpreted in light of Article 44 GDPR, which states that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. Thus, the Court continued, ‘that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out’.

The Court of Justice of the European Union (CJEU) ruled on two key data transfer mechanisms, invalidating the EU-U.S. Privacy Shield for data transfers to the U.S. and imposing enhanced due diligence on parties using the SCCs.[3] According to the decision, where such enhanced due diligence determines that the laws of the data importer's country do not provide essentially equivalent protection of personal data to that guaranteed under EU law, supplementary measures must be implemented. If even the implementation of such supplementary measures would not provide essentially equivalent protection with respect to the data importer's country, the data transfer must be suspended.

In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions. This applies in particular with regard to the aspect of possible data access by authorities in the third country. This is because contractual guarantees such as the standard data protection clauses agreed between the data exporter and the data importer naturally have no binding effect vis-à-vis authorities.

As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not study the entire legal system of the third country but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines where relevant to the specific processing. Once the relevant laws have been identified, it should be verified whether the law of the third country complies with the essential elements of clarity and predictability. Finally, it should be verified whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety.

If the law fails these tests, its mere existence should lead to the blocking of transfers to the third country. At this point, however, the EDPB introduces a new element, not actually required by Schrems II, which consists in the likelihood that the interception (theoretically) envisaged by the law will also happen in practice, or at least that it is likely to happen. In this sense, the Board refers to the 'practical experience' of the data importer. Any past experience where the importer has received requests for disclosure from local authorities, or where it is known that a certain type of transaction is subject to interception, is relevant here. In addition, it is clear from the Schrems II judgment that the data exporter must also check whether legal remedies are available for data subjects. In the specific case, for example, non-US persons subjected to bulk surveillance under Section 702 FISA and Executive Order 12333 had no judicial remedies available against the US authorities. Moreover, the ombudsperson mechanism provided for in the EU-U.S. Privacy Shield was also not considered by the CJEU to be a sufficient legal protection mechanism.

The Court held that the standard of essential equivalence with EU law, which it had found to apply to adequacy decisions in its first Schrems judgment, also applies to data transfers under appropriate safeguards. It confirmed that the standards for determining the level of protection must be based on EU law, particularly the Charter. Within these parameters, the Court upheld the use of SCCs per se as a data transfer mechanism. However, it also found that since SCCs do not bind public authorities (such as law enforcement or security authorities) in third countries, they cannot restrain such authorities from accessing data transferred under them.

Therefore, the Court held, the contracting parties should make use of 'additional safeguards' to protect the data beyond those provided under the SCCs, though it did not provide details as to what such additional safeguards should be. In its Recommendations 1/2020, the EDPB essentially sees only encryption and pseudonymisation as technical measures which, in the case of transfers of data to a third country, are capable of effectively preventing the effects of the 'problematic law', subject to certain requirements for the encryption or pseudonymisation that are described in more detail in the Recommendations themselves (see EDPB Recommendations 1/2020, paragraphs 84, 85). However, in some transfer scenarios it will not be possible to find additional measures that are effective and could thus still 'save' the transfer.
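The property these technical measures turn on is key separation: the importer, and any third-country authority that can compel the importer, must not hold the means to recover the plaintext or to re-identify the data, and that means must stay with the exporter in the EEA. The following Python is an added illustration of the pseudonymisation case, not code from the GDPRhub page or from the EDPB. The class `EeaExporter`, the field names and the two sample records are constructed for the example. It also shows the check a practitioner would want to run before calling a dataset "pseudonymised": an unkeyed hash of a direct identifier is trivially reversed by hashing a guess list, whereas a keyed token is not.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample export (not real data): two customer records with one
# direct identifier (email) and some ordinary attributes.
SAMPLE_RECORDS = [
    {"email": "anna.mueller@example.org", "country": "DE", "plan": "pro", "spend_eur": 120},
    {"email": "pierre.dupont@example.fr", "country": "FR", "plan": "free", "spend_eur": 0},
]
DIRECT_IDENTIFIERS = ("email",)


class EeaExporter:
    """Exporter side (hypothetical class for this example). The HMAC key and the
    token->identifier table are the 'additional information' that must stay with
    the exporter; nothing here is sent to the importer except pseudonymise() output."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def token(self, value: str) -> str:
        # Keyed hash: a party without self.key cannot recompute tokens for
        # guessed identifiers, which is what defeats the dictionary attack below.
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        """Return the record the importer receives: direct identifiers replaced by tokens."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                tok = self.token(out[field])
                self.lookup[tok] = out[field]
                out[field] = tok
        # Caveat: the remaining attributes (country, plan, spend_eur) are passed
        # through unchanged. If their combination singled out a person, replacing
        # the email alone would not make the measure effective.
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the table (the exporter, in the EEA) can reverse a token."""
        return self.lookup.get(token)


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks like a pseudonym, but anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(tokens: Iterable[str], guesses: Iterable[str], hasher) -> Dict[str, str]:
    """Re-identification attempt by a party without the key: hash every guessed
    identifier with the scheme it assumes was used and match against the tokens."""
    table = {hasher(g): g for g in guesses}
    return {t: table[t] for t in tokens if t in table}


def export_and_attack(records: List[dict] = SAMPLE_RECORDS) -> dict:
    """Pseudonymise the sample, then run the same guessing attack against an
    unkeyed scheme and against the keyed scheme."""
    exporter = EeaExporter()
    exported = [exporter.pseudonymise(r) for r in records]
    # Attacker's guess list: assume the authority already holds the real
    # addresses from some other source, plus noise.
    guesses = [r["email"] for r in records] + ["nobody@example.com"]
    keyed_tokens = [r["email"] for r in exported]
    naive_tokens = [naive_hash(r["email"]) for r in records]
    return {
        "exported": exported,
        "recovered_naive": dictionary_attack(naive_tokens, guesses, naive_hash),
        "recovered_keyed": dictionary_attack(keyed_tokens, guesses, naive_hash),
        "exporter_reidentified": [exporter.reidentify(t) for t in keyed_tokens],
    }


if __name__ == "__main__":
    result = export_and_attack()
    print("importer receives:", result["exported"])
    print("unkeyed hash, recovered by guessing:", len(result["recovered_naive"]))
    print("keyed tokens, recovered by guessing:", len(result["recovered_keyed"]))
    print("exporter re-identifies:", result["exporter_reidentified"])
```

Two design points follow from the example. The token is deterministic per identifier, so the importer can link records about the same person across exports; if that linkage is itself unwanted, the key (and therefore the lookup table) has to be rotated per batch. And the encryption use case works on the same logic, with the decryption key in place of the HMAC key and table: it only helps if the importer cannot decrypt, which rules out letting a third-country provider hold or escrow the key.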

In conclusion, personal data may not be transferred to the USA solely on the basis of the safeguard instruments under Article 46, but at most where a level of protection comparable to that of the EU can be guaranteed with the help of additional measures. The CJEU has thereby imposed a considerable burden on data exporters who wish to transfer personal data to a third country: they must actively and continuously assess the legal situation in the third country. From this point of view, the Schrems II ruling of the CJEU could initiate a trend towards relocating data processing operations from third countries back to the European Union, combined with the conversion of business processes both for controllers and for providers of processing services, such as servers and storage space.

Incidentally, this finding of the CJEU will also apply to the other safeguard instruments within the meaning of Article 46, since all these instruments are of a contractual or quasi-contractual nature and therefore cannot bind third-country authorities.

(2) Appropriate Safeguards

(3) Other Safeguards Approved by the DPA

(4) Consistency Mechanism in case Paragraph 3 Applies

(5) Continuous Validity

Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References

  1. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (Beck 2019, 1st ed.)(accessed 3 March 2022).
  2. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (Beck 2019, 1st ed.)(accessed 3 March 2022).
  3. For further details on the decision, please refer to the summary provided under Article 45 GDPR.