Judging by the flood of updated privacy policies that has inundated inboxes throughout the world, it is clear that the European Union's General Data Protection Regulation (GDPR) is now in full effect. The EU's new European Data Protection Board (EDPB) has already provided guidance on one area in which the GDPR permits exceptions to its general rules ("derogations"): transferring personal data outside of the European Union.
During its first plenary meeting on May 25, 2018 (the same day the GDPR became effective), the EDPB adopted the final version of Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, which provide general guidance applicable to international transfers under Article 49. The predecessor to the EDPB, the Article 29 Working Party, had conducted a public consultation on a draft of these guidelines. The EDPB took into consideration the replies received and integrated the appropriate changes into the adopted version.
The GDPR provides that, in the absence of an adequacy decision or appropriate safeguards, a transfer may take place where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. Article 49(1)(a) GDPR. The adopted guidelines note that “[s]ince consent must be specific, it is sometimes impossible to obtain the data subject’s prior consent for a future transfer at the time of the collection of the data, e.g. if the occurrence and specific circumstances of a transfer are not known at the time consent is requested, the impact on the data subject cannot be assessed.”
The guidelines set out the specific elements required for consent to be considered explicit and valid. In particular, the information provided to data subjects should specify:
- all data recipients or categories of recipients;
- all countries to which the personal data are being transferred;
- that the consent is the lawful ground for the transfer; and
- that the third country to which the data will be transferred may not provide for an adequate level of data protection.
The guidelines also provide that data subjects must be advised of the possible risks associated with the lack of adequate protections and absence of appropriate safeguards in the third country. Such notice may be standardized and could include, for example, “in the third country there might not be a supervisory authority and/or data processing principles and/or data subject rights.”
It is important that standardized consent forms used for EU data subjects disclose each of the above elements to ensure general compliance with the GDPR. The forms will also need to account for additional consent requirements in the national laws implementing the GDPR in the various EU member states, such as the new Federal Data Protection Act (BDSG) in Germany and the recent UK Data Protection Act 2018.
We will continue to monitor the pronouncements from the EDPB and member states and provide updates in future posts at Tech & Sourcing @ Morgan Lewis as companies continue to create and implement enhanced policies and processes to deal with this new compliance obligation.