
Transfer of Personal Data outside the European Economic Area (EEA)

Esquire
2022/11/18

In the July issue of the legal bulletin, we informed you about the judgment of the Court of Justice of the European Union of 16 July 2020 (the Schrems II case), which invalidated the Commission's adequacy decision on the EU-US Privacy Shield. That judgment did nothing to simplify the already unclear rules on transfers of personal data to third countries. In this issue, we would like to acquaint you with the newly published document of the European Data Protection Board (hereinafter the "Board"), its Recommendations 01/2020 on measures that supplement transfer tools, which, in response to the judgment, explain how personal data can currently be transferred to countries outside the European Economic Area.

Meeting the legal requirements for transfers to third countries can be complicated for businesses, if only because it is not always clear whether personal data are leaving the EEA at all. Many popular services used in practice originate in the United States; some of them, however, offer infrastructure located in the EU, which may satisfy the requirements in this area provided the personal data genuinely do not leave the EEA. Note that EU hosting alone does not settle the question: remote access to the data from outside the EEA, for example by the provider's support staff or administrators, is also a transfer.

The guidance published by the Board is divided into six steps. The first step is analytical and technical in nature: the controller maps whether it transfers personal data to a third country at all and, if so, which personal data it transfers outside the EEA, and to whom. In practice this means an inventory of the processors and sub-processors used, including where each of them stores the data and from where it is accessed. Legal complications arise already in the second step.

The second step is verification of the legal basis on which the transfer takes place. Articles 45 and 46 of the GDPR come into consideration. Article 45 of the GDPR regulates "adequacy decisions". Put simply, an adequacy decision is the positive outcome of an analysis by the Commission of the level of personal data protection in a specific country outside the EEA. If that protection is essentially equivalent to the protection guaranteed in the European Union, personal data may be transferred to that country on the basis of the decision. This was the case with the now invalidated Privacy Shield between the USA and the EU. In the absence of an adequacy decision, the transfer must be covered by "appropriate safeguards" pursuant to Article 46 of the GDPR. In practice the most common safeguard is the standard contractual clauses adopted by the Commission; other examples are a legally binding instrument between public authorities, an approved code of conduct combined with binding and enforceable commitments of the controller or processor in the third country, or binding corporate rules, though the latter are relevant mainly to larger corporate groups.

The third step does not make the already complicated second step any easier. It requires that the controller, after selecting an appropriate safeguard, assess whether the law or practice of the destination country may undermine the effectiveness of that safeguard. In practice this means verifying whether the third country actually honours what the safeguard commits the importer to, i.e. whether the country's laws grant public authorities disproportionately broad access to personal data, whether the data may be passed on to other countries, and whether public authorities can intercept or copy the data in transit (taking into account previously known cases). The Board thus effectively proposes that you examine not only the laws of the third country but also how consistently they are observed and the country's overall practice regarding personal data. The Board evidently anticipates that some countries, while having rigorous personal data protection "on paper", do not comply with it in practice or directly abuse it.

The fourth step is strengthening the protection of the transferred data through supplementary technical, organisational or contractual measures. If the destination country is assessed as risky under the third step, the data should, for example, be encrypted or pseudonymised before transfer. The Board's recommendations stress that such measures only help where they actually keep the data out of reach of the authorities in the third country: for example, encryption is effective only if the keys remain solely under the control of the exporter or another entity within the EEA, and pseudonymisation only if the additional information needed to re-identify the data subjects stays with the exporter. If even after applying supplementary measures the controller cannot ensure an essentially equivalent level of protection, it must suspend the transfer, or rather not begin it at all.

The fifth step is procedural: the Board specifies the formal steps needed to put the supplementary measures from the fourth step into effect, for instance documenting them and, where a contractual measure is used, adopting it without contradicting the chosen transfer tool. In the sixth step, the Board reminds controllers that the effectiveness of the chosen solution must be re-evaluated at regular intervals, since the law and practice in the third country may change.

In conclusion, while the Board's document does provide quite specific guidance on the issue as a whole, from a practical point of view the situation remains very complicated. We therefore recommend monitoring developments in this area and, at a minimum, rigorously checking whether the platforms you use transfer personal data to a third country unintentionally or inadvertently. If they do, it is worth considering whether to switch to services located within the EEA instead.

 

Jiří Moravec, JD

Mašek, Kočí, Aujezdský Law Firm

 

This text was originally prepared by Mašek, Kočí, Aujezdský Law Firm in cooperation with the Association for Electronic Commerce (APEK) as legal bulletin No. 11/2020 intended for members of this association.

This text was translated from Czech to English using an AI translator.

