GDPR Evolution Continues: Article 49 Derogations in a Post-Schrems II World

Schrems II Decision

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commission v. Facebook Ireland, Schrems (Schrems II). This decision invalidated the E.U.-U.S. Privacy Shield Framework and cast uncertainty on the use of transfer mechanisms for external data transfers of personal information outside of Europe with regard to European residents.

While the CJEU upheld the use of Standard Contractual Clauses for external transfers of personal information, it required that organizations perform a case-by-case analysis to determine whether the laws in the country to which the data is being transferred ensured adequate protection, under European law, for personal data transferred under Standard Contractual Clauses. For those transfers where the recipient country's protections do not provide adequate protections, the holding required that data exporters provide additional safeguards or suspend transfers. The United States protections continue to be considered inadequate by the E.U. regulators.

For those transfers to jurisdictions that are deemed inadequate, the holding discussed several options from the GDPR that organizations can consider. In addition to Standard Contractual Clauses, data exporters could also consider using binding corporate rules or Article 49 derogations of the GDPR.

Derogations Under Article 49 of the GDPR

Under the GDPR, Article 49 sets out a limited number of derogations which can be used for specific situations involving data transfers to jurisdictions that lack an adequacy finding by the E.U. regulators or that lack appropriate protections for personal data.

The derogations include the following:

• The individual has explicitly consented after being informed of the risks of the transfers due to the absence of an adequacy decision and appropriate safeguards.
• The transfer is necessary for the performance of a contract between the individual and the organization or for pre-contractual steps taken at the individual's request.
• The transfer is necessary for the performance of a contract made in the interests of the individual between the controller and another person.
• The transfer is necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent.
• The transfer is necessary for important reasons of public interest or to establish, exercise or defend legal claims.
• The transfer is made from a public register which is intended to provide information to the public and specific conditions are fulfilled.
• The transfer is in the controller's legitimate interests.

Statement by Judge Von Danwitz

On January 28, 2021, Professor Dr. von Danwitz, the judge-rapporteur in the CJEU Schrems cases spoke at the German celebration of the 40^th Data Protection Day regarding the Schrems II finding and its significance to the fundamental right to personal data protection. His comments were considered newsworthy, as he commented on the possibility to expand reliance on Article 49 GDPR derogations as transfer mechanisms in the absence of an adequacy finding.

Judge von Danwitz explained that the CJEU decided to annul the Privacy Shield without a grace period (as had been permitted after the annulment of the U.S.-E.U. Safe Harbor), because GDPR Article 46 safeguards and Article 49 derogations "cover the absence of an adequacy decision." Subsequent discussions centered around the questions of how to implement data transfer requirements in the case of inadequacy and which mechanisms could be used.

For transfers to countries that do not have an adequacy decision but that are absolutely necessary, Judge von Danwitz stated:

• Standard Contractual Clauses should be the first transfer mechanism contemplated by the data exporter.
• If Standard Contractual Clauses were not possible, dependence on Article 49 derogations could be a possibility.
  • In particular, he stated that Article 49 derogations should be more deeply explored as an option for intra-group transfers. "In my opinion," said Judge von Danwitz, "the opportunities granted by Article 49 have not been fully explored yet. I believe they are not so narrow that they restrict any kind of transfer, especially when we're talking about transfers within one corporation or group of companies."

European Data Protection Board's (EDPB) Guidelines on Use of Article 49 Derogations for External Transfers of Personal Data

In apparent conflict with Judge von Danwitz's statement on the potential for broader of use of Article 49 derogations, the EDPB has stated multiple times that Article 49 derogations must be narrowly interpreted and only used for non-repetitive transfers.

In 2018, EDPB said the following in their guidelines on derogations under Article 49 of the GDPR:

"Therefore, derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule. This is also supported by the wording of the title of Article 49 which states that derogations are to be used for specific situations ("Derogations for specific situations").

[Further], as derogations do not provide adequate protection or appropriate safeguards for the personal data transferred and as transfers based on a derogation are not required to have any kind of prior authorisation from the supervisory authorities, transferring personal data to third countries on the basis of derogations leads to increased risks for the rights and freedoms of the data subjects concerned."

In 2020, in its recommendations on measures that supplement transfer tools post-Schrems II, the EDPB again stated that Article 49 derogations are the exception to the rule, and that they should be used sparingly and only in specific situations.

"…In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers you may be able to rely on one of the derogations provided for in Article 49 GDPR, if you meet the conditions."

It is important to note that while the public consultation period for the recommendations has ended and the recommendations have not been finalized, it is highly unlikely that the EDPB's view on the narrow use of Article 49 derogations will change.

Key Takeaways

Although Judge von Danwitz made his statements as an individual and not as a representative of the CJEU, his remarks about the need to explore a broader use of Article 49 derogations are important as they show just how unsettled the rules are surrounding data transfers under the GDPR post-Schrems II. While it is unlikely that Judge von Danwitz's comments will give rise to the immediate use of derogations, his comments highlight the broader implications on data transfers caused by the Schrems II decision. Businesses transferring data outside of Europe and businesses receiving the data must understand that the rules around data transfers post-Schrems II will continue to evolve and must be prepared to comply with those changes.

What Can Businesses Do?

• Perform a comprehensive review of their data transfer processes, including assessing which transfer mechanisms they depend on; and
• Map where their data is being transferred.

Performing these tasks now will help companies better prepare for compliance with the rules surrounding data transfers under the GDPR post-Schrems II.

If you have any questions regarding the implications of the Schrems II decision on your company or any other aspect of your privacy management program, please contact any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.