Article 49 Derogations and GDPR

As I write this I am listening to an IAPP webinar on LinkedIn Live discussing Article 49 derogations for data transfers outside the EU.

There is some consternation in the discussion about the narrow interpretations that are applied in relation the derogations under Article 49. It’s great to see the IAPP discussing the limitations of these derogations. A few key points jumped out at me…

  1. Ruth Boardman was very clear that the “compelling legitimate interest” basis could not be relied upon for repetitive transfers and was really something you looked to if nothing else could be identified. “This is likely to be fairly limited”.
  2. Consent as a basis for transfer was generally viewed as a challenge as it pushed the issue onto the data subject, and it also raised issues of the elements of consent having to be met. In addition, Recital 111 of GDPR was identified as a challenge given it requires transfers to be “occasional and necessary” for both consent based transfers and transfers on the basis of contractual necessity.
  3. For “direct collection” of information by organisations based outside the EU/EEA (the example given on the webinar was a podcast subscription service), the point was made (by Omer) that this wouldn’t necessarily be a transfer as the Controller is targetting data subjects in the EU for products and services directly and is collecting the data directly and must comply with GDPR, but the situation is very unclear. However, Ruth Boardman pointed out that, even if the direct collection argument stacks up, this just defers the problem as the organisation then has to deal with any transfers of data to 3rd party hosting, payment processors, contract administrative staff etc. Personally… I still think this raises a challenge for organisational and technical controls to ensure compliance with GDPR under Article 5(2) and Article 24 where the 3rd country doesn’t offer essentially equivalent protections for personal data as per the line of jurisprudence in the Schrems cases.

Omer Tene discussed the how the question of ‘direct collection’ has rattled around the EDBP agenda for a while now, and notwithstanding the view of the EU Commission that this wouldn’t be a transfer outside the EU/EEA, the important decision rested with the Supervisory Authorities. Also, Recital 114 can’t be ignored: there remains a requirement for a controller to make use of solutions that provide data subjects with enforceable and effective rights regarding the processing of their data once it has been transferred.

A Key Takeaway

The key takeaway is that the question of derogations is both straightforward (they are limited scope exceptions to the norm) and complicated (those exceptions have to be interpreted narrowly, because they are exceptions). Much of the coverage on the IAPP website of derogations makes this very point, particularly in the wake of DPC v Facebook & Schrems. Even the reported remarks of AG von Danwitz, the rapporteur on the Schrems II case at the CJEU, that indicate Article 49 derogations might be an option worth considering are not entirely without caveat (particularly as he didn’t want to prejudge any cases that might arise on this topic).

An Action

As this is a key issue that requires clarification from the EDPB, and as it seems that something needs to be done to move the discussion from an abstract agenda item at the EDPB to a more tangible decision making process that has a consistency and co-operation mechanism where each Supervisory Authority can submit their reasoned opinions on interpretation.

Therefore, back in January I filed a complaint with the Irish Data Protection Commission about transfers of data to a 3rd country (the US) by an organisation that has its headquarters in the United States but operates an EMEA headquarters in Brussels and has market presence in many of the EU member states. I am a customer of this organisation. They rely on consent, contractual necessity, or compelling legitimate interests (all of which were discussed on the IAPP’s webinar and all of which have ‘issues’ that need to be addressed).

Interestingly, this organisation (at the time I submitted the complaint) was referencing Article 41 and Article 44 of GDPR as the basis for their transfers. This has now been amended to correctly identify Article 49 GDPR as the basis for transfer. But… AT THE TIME OF MY compliant they had it arse ways. So it’s a good job I saved the version of the data protection notice for posterity to the Internet Archive and included a screenshot in my complaint.

I thought this provided a good live case to test a number of the issues which might be relevant in this context, including questions of establishment, the appropriate lead supervisory authority when the organisation has a nominated establishment in an EU member state but has a point of presence in others, as well as providing a real scenario to test the specific guidance of the EDPB on the interpretation of and application of the Article 49 derogations.

My complaint specifically addresses many of the points that the IAPP raised on the webinar today, for which no easy answers were put forward. That means we need a DECISION!!

My complaint is attached below for anyone to read.

But well done to the organisation in question for taking the time in the last two and a half months to correct the reference to Article 44 in respect of derogations relied upon and correctly referencing Article 49. It’s a pity that they continue to reference Article 41 GDPR in the context of adequacy. Article 41 GDPR deals with Monitoring bodies for Codes of Conduct. I assume they meant Article 45.

Oh… and the organisation I complained about is the IAPP.

I’m sure they’ll agree that anything that moves this to a formal decision within a framework where each Supervisory Authority can make formal reasoned submissions to achieve a consensus on enforcement is important.