Appropriate Safeguards in the GDPR

The eData Guide to GDPR

February 14, 2019

To implement GDPR’s policy goal of establishing safety mechanisms to protect the personal data of EU citizens, the regulation requires data processors to provide appropriate safeguards for personal data. Under Article 6, “Lawfulness of Processing,” data controllers are required to evaluate whether appropriate safeguards are in place to protect personal data before further processing (processing for a purpose other than the one for which the data was originally collected) is permitted. And Article 46, “Transfers Subject to Appropriate Safeguards,” states that absent an adequacy decision via Article 45, personal data may only be transferred to a country outside of the EU if the data controller or processor has provided “appropriate safeguards” for that data. This installment of The eData Guide to GDPR will explain what safeguards are considered appropriate under Article 6 and Article 46 of the GDPR.

Appropriate Safeguards Under Article 6 – Lawful Processing

Article 5 contains the GDPR’s purpose limitation – one of the regulation’s core principles that personal data may only be collected for a specified, explicit, and legitimate purpose and that data may not be further processed in a manner that is incompatible with that purpose. Article 6 lists five factors that a data controller must take into consideration when determining whether further processing (without the data subject’s consent) is compatible with the original collection purpose. The last of those five factors is “the existence of appropriate safeguards, which may include encryption or pseudonymisation.”

No further guidance is provided in Article 6 regarding methods that would be considered appropriate other than encryption and pseudonymisation. And while pseudonymisation is defined in Article 4,[1] the text is silent on a proper method or technique, and commentators have lamented that the use of pseudonyms with a legend or key may be inadequate if applied improperly.[2]

The UK’s Information Commissioner’s Office (ICO) provides a helpful guide on encryption and pseudonymisation as appropriate security safeguards under the GDPR. That guidance states that while the two security measures are not technically required under the regulation, both solutions can be achieved without great cost or difficulty.[3] The ICO specifically recommends encryption due to its widespread availability and its low cost, and has indicated that it will pursue regulatory action under the UK’s data protection laws in the event of a data breach or loss where encryption software was not used.[4]

While there may be other safeguards the EU Commission considers appropriate under Article 6, encryption or pseudonymisation are the only two that are specifically named in the text. Furthermore, they are considered widely available and cost effective by European data regulators. Thus, a company that needs to further process data after it was originally collected (without the consent of the data subject) would be wise to encrypt or pseudonymize that data as an appropriate safeguard under Article 6.
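As an added illustration, not from the original article or from ICO guidance, of the point in the Article 4 definition that a pseudonym should depend on additional information that is kept separately: the record, key handling and candidate list below are constructed, and the keyed HMAC shown is one concrete technique chosen for the example, not a method the regulation or the ICO prescribes. It also shows the self-check a practitioner can run to see whether an unkeyed scheme can be re-identified by anyone who can guess the inputs (the “applied improperly” case).

```python
import hashlib
import hmac
import secrets

# Constructed sample record for illustration only (reserved documentation values, not a real person).
RECORD = {"name": "Alice Example", "email": "alice@example.invalid", "ip": "203.0.113.7"}


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of Article 4: generated once and stored apart
    from the pseudonymised data set (e.g. in a key management service), never beside it."""
    return secrets.token_bytes(32)


def weak_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. No secret separates pseudonym from data subject: anyone who
    can enumerate plausible inputs can recompute and match the output."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The same input always maps to the same
    pseudonym (records stay linkable), but recomputation requires the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, fields: tuple, key: bytes) -> dict:
    """Replace the named identifying fields with keyed pseudonyms; leave other fields as they are."""
    out = dict(record)
    for field in fields:
        out[field] = keyed_pseudonym(record[field], key)
    return out


def recoverable_from_candidates(pseudonym: str, candidates, fn) -> bool:
    """Self-check on a data set you hold: can this pseudonym be matched by recomputing
    fn over a list of candidate values? True means the scheme leaks re-identification
    to anyone able to guess the inputs without holding the key."""
    return any(hmac.compare_digest(fn(c), pseudonym) for c in candidates)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    safe = pseudonymise(RECORD, ("name", "email"), key)
    guesses = ["alice@example.invalid", "bob@example.invalid"]
    # Unkeyed pseudonym: recovered from the guess list. Keyed pseudonym: not without the key.
    print(recoverable_from_candidates(weak_pseudonym(RECORD["email"]), guesses, weak_pseudonym))
    print(recoverable_from_candidates(safe["email"], guesses, weak_pseudonym))
```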

Appropriate Safeguards Under Article 46 – International Transfers

The GDPR generally prohibits cross-border transfers of data (i.e., transfers of data from the EU to a non-EU country), unless the transfer falls within certain limited scenarios.[5] Articles 44, 45, and 46 describe the general prohibition against cross-border data transfer and explain the limited scenarios in which this type of transfer is permitted.

Specifically, Article 45(3) states that a company may transfer personal data to a third country if the commission has decided that that country ensures an adequate level of protection. However, the commission has only issued adequacy decisions for a few countries, and the United States is not among them.[6] Article 46 provides a limited alternative in those cases, allowing transfers to or from a country where an adequacy decision has not been made if the controller or processor has provided “appropriate safeguards” and the data subjects have available and enforceable rights and effective legal remedies.

Article 46 Requirements

Article 46 explains that, in the absence of an adequacy decision by the EU Commission, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards.

Any one of the following can be an appropriate safeguard, without requiring specific authorization from a supervisory authority:

  • A legally binding and enforceable instrument between public authorities or bodies
  • Binding corporate rules[7]
  • Standard data protection clauses adopted by the EU Commission[8]
  • Standard data protection clauses adopted by a supervisory authority and approved by the commission pursuant to the examination procedure[9]
  • An approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country, that applies appropriate safeguards to protect data subjects' rights[10]
  • An approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country, that applies appropriate safeguards to protect data subjects' rights[11]

In addition, Article 46 provides for two more appropriate safeguards, so long as a competent supervisory authority provides authorization of them. Those two additional appropriate safeguards are

  • contractual clauses between the controller or processor and the controller, processor, or the recipient of the personal data in the third country or international organization; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

The EU Commission, the ICO, and the GDPR’s own Recitals provide helpful guidance on each of these requirements. The remainder of this article will explain each of these safeguards individually, using this guidance.

Appropriate Safeguard 1: A Legally Binding and Enforceable Instrument Between Public Authorities or Bodies

In a very limited scenario, cross-border data transfers to a third country can be made only if both parties are a public authority or public body, and both have signed a legally binding instrument that provides for the enforceable rights of the data subjects.

Recital 108 expands the safeguard, explaining that “public authority or body” can include bodies with public authorities, or “bodies in third countries or with international organizations with corresponding duties or functions,” and that “legally binding or enforceable instrument” can include provisions inserted into administrative arrangements “such as a memorandum of understanding.”

The ICO reiterates, however, that this safeguard is not appropriate if either party is a private entity.[12]

Appropriate Safeguard 2: Binding Corporate Rules

A cross-border data transfer can be made to a third party using this safeguard if both the transferor and the transferee have signed Binding Corporate Rules (BCR) and the BCR were approved by a competent supervisory authority.[13] The ICO explains that the BCR must be submitted to a supervisory authority in the European Economic Area (EEA) country where one of the entities is based.[14] One or more of the supervisory authorities will then need to approve the BCR. Article 47 contains the requirements that must be met in order for the supervisory authority to approve a BCR. Specifically, the BCR must

  1. be legally binding and apply to every member, including their employees;
  2. expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  3. include very specific content requirements, including all of the following:
    1. The structure and contact details of the group and each of its members
    2. A summary of the data transfer (including categories of personal data, the type of processing and its purposes, the type of data subjects affected, etc.)
    3. A summary of the BCR’s legally binding nature
    4. The application of GDPR principles (in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, etc.)
    5. The rights of data subjects in regard to processing and the means to exercise those rights
    6. The controller’s acceptance of liability for any breaches of the BCR by any non-EU member
    7. Information on the BCR must be provided to the data subjects
    8. The tasks of any data protection officer or any other person or entity in charge of monitoring compliance with the BCR
    9. The complaint procedures
    10. The mechanisms for ensuring the verification of compliance with the BCR
    11. Mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority
    12. The cooperation mechanism with the supervisory authority to ensure compliance by any member of the BCR
    13. The mechanisms for reporting to the competent supervisory authority any legal requirements to which a member is subject that are likely to have a substantial adverse effect on the guarantees provided by the BCR
    14. The appropriate data protection training to personnel having permanent or regular access to personal data

Appropriate Safeguard 3: Standard Data Protection Clauses Adopted by the EU Commission

If both parties have entered into a contract that includes one of the standard data protection clauses adopted by the EU Commission, data may be transferred outside of the EU.

The commission originally adopted four sets of data protection clauses under the pre-GDPR Data Protection Directive.[15] The commission has thus far issued only three sample contractual clauses: two for data transfers from data controllers in the EU to data controllers outside the EEA, and one for data transfers from controllers in the EU to processors established outside the EEA.[16] According to Article 46, these clauses may still be used as an appropriate safeguard under the GDPR unless and until the commission adopts updated GDPR-specific data protection clauses.

The ICO states that the Data Protection Directive model clauses must be used in their entirety and without amendment.[17] However, the GDPR also encourages (through Recital 109) data controllers to use additional clauses to provide additional safeguards for personal data, so long as they don’t conflict with the model clauses.

Appropriate Safeguard 4: Standard Data Protection Clauses Adopted by a Supervisory Authority

Under this safeguard, a cross-border data transfer is appropriate if both parties entered into a contract that includes a standard data protection clause approved by a country’s supervisory authority. However, thus far, no supervisory authority within the EEA has adopted a set of standard data protection clauses to meet this safeguard.[18]

Appropriate Safeguard 5: Approved Code of Conduct and Binding and Enforceable Commitments

If the data receiver has signed a code of conduct that was approved by a supervisory authority, the transfer out of the EEA is appropriate. The code of conduct must include appropriate safeguards to protect the data subjects’ rights. Under Article 40, EU member states, supervisory authorities, and the EU Commission must encourage the implementation of codes of conduct intended to contribute to the proper application of this safeguard. However, thus far, we are unaware of any supervisory authority in the EEA that has adopted an approved code of conduct.[19]

Appropriate Safeguard 6: Approved Certification Mechanism

A cross-border data transfer to a third country could be made using this safeguard if the data receiver procures a certification that had been approved by a supervisory authority. As above, the certification mechanism would have to include appropriate safeguards to protect the data subjects’ rights. Article 42 states that EU member states, supervisory authorities, and the EU Commission must encourage the establishment of certification mechanisms (and of data protection seals and marks). Again, no supervisory authority in the EEA has established an approved certification mechanism.[20]

Appropriate Safeguard 7: Contractual Clauses Between the Controller or Processor and the Controller, Processor or the Recipient of the Personal Data in the Third Country (That Must be Approved by a Supervisory Authority)

Parties seeking cross-border data transfers to a third country could utilize this safeguard if there was a contract between the transferor and transferee regarding the specific data transfer, and a competent supervisory authority approved that contract. For its part, the UK’s ICO has stated that it is not yet approving such contracts or clauses.[21] It remains to be seen whether any other supervisory authorities in the EEA will grant approval to such contracts.

Appropriate Safeguard 8: Provisions in Administrative Arrangements Between Public Authorities or Bodies That Include Enforceable and Effective Data Subject Rights

Like the first appropriate safeguard listed under Article 46 regarding transfers between public authorities, the final safeguard applies to a very limited circumstance. A cross-border transfer can be made using this safeguard only if (1) both the transferor and the transferee are public authorities or bodies; (2) both parties enter into an administrative arrangement that provides for the data subjects’ rights; and (3) the administrative arrangement is approved by a supervisory authority. The ICO again warns that this safeguard is not appropriate for transfers between public and private bodies.[22]

Conclusion

The appropriate safeguards outlined under Article 46 provide a limited means of cross-border transfer of personal data between private entities. Binding Corporate Rules and the standard data protection clauses approved by the EU Commission remain the most common safeguards to utilize as a method for transferring data under Article 46. Many of the other safeguards require actions from supervisory authorities in EEA countries before they can be used as a viable method of data transfer. Time will tell if these additional safeguards become a more common method of transfer as EU countries continue to update their data protection guidelines to comply with GDPR.

Contacts

If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
Vincent M. Catanzaro
Sarah Moran

[1] “The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

[2] Tarhonen, Laura (2016). Pseudonymisation of Personal Data According to the General Data Protection Regulation. In Korpisaari, Päivi (ed.), Viestintäoikeuden vuosikirja 2016: Viestinnän muuttuva sääntely, 10–32. Helsinki: University of Helsinki. Faculty of Law.

[3] ICO Guide to General Data Protection Regulation (GDPR).

[4] ICO Guide to Data Protection/Encryption and Id.

[5] See Transfer of Data in the GDPR: The Definition of Legitimate Interest, The eData Guide to GDPR, October 02, 2018.

[6] Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the United States (limited to the Privacy Shield framework)

[7] In accordance with GDPR’s Article 47

[8] In accordance with the examination procedure referred to in GDPR’s Article 93 (2)

[9] Referred to in GDPR’s Article 93(2)

[10] Pursuant to GDPR’s Article 40

[11] Pursuant to GDPR’s Article 42

[12] ICO “International Transfers” Guidance.

[13] GDPR, Article 47

[14] ICO “International Transfers” Guidance.

[15] Data Protection Directive 95/46/EC

[16] European Commission “Model contracts for the transfer of personal data to third countries” Guidance.

[17] ICO “International Transfers” Guidance.

[18] Id.

[19] Id.

[20] Id.

[21] Id.

[22] Id.