Consent as basis for data transfers to 3rd countries – only “occasional” and “not repetitive”?
After the US Privacy Shield was declared invalid by the EU Court of Justice, the question arose of permissible alternatives to transfer personal data to a third country in a GDPR-compliant way. One possibility is the explicit consent of data subjects according to Art. 49 para. 1 lit. a GDPR. However, the EDPD wants to interpret the derogations in Art. 49 GDPR strictly and wants to see only "occasional" processing operations covered.
Already in the “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679” (Adopted on 25 May 2018), the EDPD noted that “it has to be highlighted that even those derogations which are not expressly limited to “occasional” or “not repetitive” transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.” (p. 5) It “means that consent might not prove to be a feasible long-term solution for transfers to third countries.” (p. 8)
In this context, the EDPD refers to Recital 111 of the GDPR. According to this, “provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim […].” Furthermore, sentence two of Art. 49 para. 1 GDPR refers specifically only to transfers that do not take place repetitively. Although the EDPB itself recognizes that consent is arguably not limited to occasional transfers in Recital 111, it would like to achieve this result via a general strict interpretation of Recital 111 or the GDPR.
Nevertheless, the question arises whether this reasoning is justifiable. In my opinion, it is not. Art. 49 para 1 lit. a GDPR does not contain any restriction to the effect that the processing may not take place repeatedly. According to Art. 49 para 1 lit. a GDPR, a transfer is allowed on the condition that “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.” Although Art. 49 para 1 sentence 2 GDPR mentions the term "not repeatedly", it only refers to the specific derogation of sentence two and not to the derogations under sentence one (like lit. a). Moreover, in my opinion, Recital 111 of the GDPR contains a conceptual separation (“where the data subject has given his or her explicit consent, where the transfer is occasional”) so that consent is to be considered separately from the following mechanisms and occasional transfers.
In addition, according to established case law, "the preamble to a Community act has no binding legal force and cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner clearly contrary to their wording" (ECJ, C-345/13 para. 31). And in my opinion, the wording of Art. 49 para. 1 lit. a GDPR is clear. It doesn't foresee a restriction on occasional transfers.
In the end, the EDPD's reasoning must at least be considered critically. The exceptions mentioned in Art. 49 GDPR are indeed derogations, but derogations for a case where no adequacy exists (via a decision or via safeguards). Therefore, in a situation without an adequacy decision and without appropriate safeguards under Art. 46, Art. 49 actually represents the default case, which is precisely to allow transfers to third countries under certain conditions.
Partner, Rechtsanwalt, Fachanwalt für Arbeitsrecht bei ALTENBURG / Lehrbeauftragter an der Freien Universit?t Berlin / Kurator
4 年Fully agree! Thank you, Carlo, for this insight.
Legal Counsel, Privacy & AI Governance
4 年“Explicit” Consent if I may add. Definitely not a repetitive/usual basis for int’l transfer.
Tech and Data Lawyer / Reed Smith LLP
4 年Great article! I totally agree. Thank you for putting this together so nicely. I hope many DPAs and the EDPB read this!
Managing Partner bei HEUKING, Tech and Data Lawyer
4 年I agree with you, Dr. Carlo Piltz. The wording in Art. 49 does not contain the ?occasional“ limitation for consent. Also, a consent is freely given and under clear explanation what is consented to (otherwise it would be void anyways). Why should then there be restrictions to what can be clnsented to? We still need to consider a data subject ad a thinking, sane and free person. Let them consider their actions. If they do not read what they are consenting to that should be their problem not the controller‘s. As someone who strongly believes in freedom and the individual I take issue in saying that freedom is limited even if there is clear explanation and instructions on what is going on. Data protection is there to protect freedoms, not limit me in my consider as an individual what I want to agree to and what not.
I change how people think about information and data | 3 years' running All-Star Thought Leader Accredited by AIBF | Doctoral Candidate in Data Governance @ UL
4 年I recently filed a complaint regarding a US headquartered organisation and consent as a basis for repetitive and systematic transfers. It also has a multi-supervisory authority aspect to it so would need to go to EDPB. Perhaps a real case rather than a hypothetical scenario will bring some needed clarity