Recent developments on international data transfer under GDPR
What do Business aviation operators need to think about when transferring personal data to third parties?
Introduction
May 25th 2021 marked the third anniversary of the EU General Data Protection Regulation (GDPR)[1], the EU’s cornerstone data protection law. One of the key features of the GDPR is its extra-territorial effect, which affects many organisations whose business activities involve an international transfer of personal data. Business aviation operators and their service providers (such as ground handling companies) routinely process large amounts of personal data: information about passengers, crew and other employees, as well as personal data relating to suppliers and other business contacts. The highly regulated environment in which Business aviation stakeholders operate and the international character of their operations add another layer of complexity to GDPR compliance. In this article, we briefly describe what Business aviation operators need to think about when transferring personal data to third countries in light of the recent developments in the applicable regulation concerning the UK and the US.
International transfer of personal data means “the act of sending or transmitting or sharing or making personal data available to a third party located in a third country”. If the third party is located within the EEA[2], the mere conclusion of a Data Processing/Sharing agreement between the Operator and the third party containing the mandatory GDPR provisions[3] is sufficient for compliance. If, however, the third party is NOT located within the EEA, the Operator will need to verify whether there is an “Adequacy Decision” of the EU Commission (based on a thorough assessment of whether the third country has legal safeguards for data protection equivalent to those in the EU); if there is none, the Operator must provide additional guarantees by means of specific contractual agreements (such as Standard Contractual Clauses (“SCCs”)).
Recently, international transfers of personal data to the UK and the US became a concern and triggered some important developments in European data privacy law.
EEA to UK Transfers of Personal Data
Further to Brexit, with the UK leaving the EU, the UK became de facto a third country. Thankfully, on June 28th 2021 the European Commission adopted two Adequacy Decisions[4] for the UK: one covering the GDPR and the other the Law Enforcement Directive (LED). These decisions reflect the Commission’s view that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. It is important to note that both adequacy decisions include a ‘sunset clause’, which means they will last for four years after entering into force, i.e. until 2025. During these four years, the Commission will monitor the legal situation in the UK and could intervene at any time if the UK deviates from the current level of data protection. After this period, the adequacy findings may be reviewed and renewed if the UK continues to ensure a level of data protection essentially equivalent to that of the EU.
EEA to US Transfers of Personal Data
The July 2020 Schrems II[5] ruling of the European Court of Justice invalidated the EU-U.S. Privacy Shield agreement as a mechanism for lawful transfers of personal data from the EU to the US. The ruling did, however, confirm standard contractual clauses (“SCCs”) as a potentially viable mechanism for transfers of personal data to non-EU countries (such as the US). Further to this ruling, a new set of SCCs was adopted by the European Commission on June 4th 2021 (the “New SCCs”)[6]. Since September 27th 2021, the existing SCCs have ceased to be valid for new transfer agreements; any agreement entered into from that date onwards must use the New SCCs. Existing SCCs currently in effect must be replaced with the New SCCs by late December 2022. Given the limited transition period, Operators will need to act quickly to conclude New SCCs for current and ongoing transfers.
Apart from SCCs, Operators can also consider Binding Corporate Rules (BCRs): legally binding rules, approved by the competent supervisory authority, which regulate the transfer and processing of personal data between members of a group of undertakings or group of enterprises, including those located outside EU territory. Compared to SCCs, the advantage of BCRs is that once approval from the Data Protection Authorities is obtained, all future intra-group transfers are enabled regardless of territory, without any additional requirement.
Finally, it is also worth noting that there are some exemptions under which a transfer of personal data can take place in the absence of the abovementioned transfer mechanisms. These are limited circumstances and include cases where:
- explicit consent is given by the data subject;
- the transfer is necessary for the conclusion or performance of the contract;
Conclusion
As part of the ongoing GDPR compliance exercise, it is strongly recommended that Operators regularly identify those processes that involve EU/non-EU personal data transfers in the course of their activities. Adoption of the right transfer mechanism, as described above, is crucial given the severity of sanctions for breaches of data protection rules (up to € 20 million or 4% of annual global turnover).
******
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[2] EU + Norway + Liechtenstein + Iceland
[3] Article 28 GDPR
[4] Commission Implementing Decision of June 28th 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom; Commission Implementing Decision of June 28th 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom
[5] C-311/18, Judgment of the Court (Grand Chamber) of July 16th 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems
[6] Commission Implementing Decision (EU) 2021/915 of June 4th 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council; Commission Implementing Decision (EU) 2021/914 of June 4th 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council