


Article 26(1) derogations under EC Directive 95/46
How may companies use them?
What is Art.29WP guidance on the issue?
Clarisse GIROT
Department of European and international affairs
Commission Nationale de l’Informatique et des Libertés (CNIL)
Safe Harbor Workshop – Washington D.C. – Wednesday December 7th, 2005

Background: provisions of Dir.95/46 relating to international transfers
3 options to transfer data outside EU:
- 1: Adequacy in recipient country
By default:
- 2: Adequate safeguards put in place by the recipient (contracts, BCRs)
- 3: « Article 26-1 derogations »

Use of Art.26(1) derogations in practice
- Tempting for data controllers: no contract, no BCRs, no Safe Harbor, no authorization or prior opinions from DPAs: “cheap and easy”
- Tempting for DPAs too: no procedure, no assessment … “cheap and easy” for us too!
=> derogations too widely applied in practice

But: EC report on the implementation of Directive 95/46 (2003)
- “Significant divergences” observed in implementation of Articles 25 and 26 of the Directive in the MS
- Risk that this could ultimately lead to forum shopping among the Member States, depending how loosely these provisions are interpreted

Quote from EC report
“An overly lax attitude in some Member States – in addition to being in contravention of the Directive – risks weakening protection in the EU as a whole, because with the free movement guaranteed by the Directive, data flows are likely to switch to the “least burdensome” point of export”
=> Article 26(1) derogations clearly aimed at

Recent adoption of WP29 working document on Article 26(1) (Nov.25th)
“Working document on a common interpretation of Art. 26(1) of Directive 95/46/EC of 24 October 1995”
- Reasons for issuing the working document:
– Need to follow up on EC’s conclusions
– Experience from DPAs showed that derogations often misapplied
– But also need to ensure consistency with the work done on other legal bases for international transfers (adequacy findings, Safe Harbor, contracts, BCRs)

General philosophy of working document
Two-fold acknowledgement:
- The expansion of international trade requires flexibility of international data transfers, including transfers of personal data, in certain occasions
- But Article 26(1) was designed to deal with a limited number of situations:
– Where risks to the data subject are relatively small, or
– Where other interests (public interests or those of the data subject himself) override the data subject’s right to privacy

1. The position of Art.26(1) in the system of the Directive
- Art.26(1) derogations must be interpreted strictly
- Cf. principle inherent in European law that exception clauses must be interpreted restrictively so that the exception does not become the rule (additional Protocol to Convention 108)
- Cf. ECJ case law
- In any case, all the other rules of DP Directive must be applied (ex: sensitive data; fair and lawful use; compatible use, etc.)

2. Art.29WP recommendations on using Art.26(1) derogations
- Data controllers should favor Safe Harbor or Art.26(2) tools over Art.26(1) derogations (“best practice” approach)
- Art.26(1) derogations should be applied when it would be genuinely inappropriate, maybe even impossible for the transfer to take place on the basis of Art.26(2)
- Transfers which might be qualified as repeated, mass or structural should be carried out within a specific legal framework (SH, SCCs, BCRs)

3. Interpretation of “consent” & recommendations (Art.26(1)(a))
- Consent must be a clear and unambiguous indication of wishes
Ex: if consent requested online, using pre-ticked boxes fails to fulfil the condition that consent must be a clear and unambiguous indication of wishes

“Consent” (cont’d)
- Consent must be given freely
“Specific difficulties might occur to qualify a data subject’s consent as freely given in an employment context, due to the relationship of subordination between employer and employee”
“Consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question”

“Consent” (cont’d)
- Consent must be specific
“Consent must be specifically given for the particular transfer or a particular category of transfers in question”
- Consent must be informed
“Data subject must be properly informed in advance of the specific circumstances of the transfer (its purpose, the identity and details of the recipient(s), etc.) in accordance with the general fairness principle”

4. Transfer necessary to the realization of certain conditions (Art.26(1) (b) to (e))
- Transfer necessary for performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject’s request
- Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party
- Transfer necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims
- Transfer necessary in order to protect the vital interests of the data subject

Application of a new “necessity test”
- This “necessity test” requires a close and substantial connection between:
– The data subject and the purposes of the contract (Art.26(1)(b));
– The data subject’s interest and the purposes of the contract (Art.26(1)(c));
– The transfer and the establishment, exercise or defence of a legal claim (Art.26(1)(d));
– The transfer and the protection of the vital interests of the data subject (Art.26(1)(e))

- Consequences of this necessity test:
Example 1:
Art.26(1)(b) is no legal basis for transferring employee data from a subsidiary to the parent company (e.g. centralization of the group’s payment and HR management functions): the concept of an employment contract cannot be interpreted so broadly, as there is no direct and objective link between performance of an employment contract and such a transfer of data.
Example 2:
Art.26(1)(c) is no legal basis to outsource payroll management to a processor “in the interest of the data subject since the purpose of the transfer is the management of the pay of the employee”: no close and substantial link between the data subject’s interest and the purposes of the contract

Conclusions
- Need to interpret Art.26(1) derogations strictly: it is possible to rely on them, but in limited cases
- Art.29WP careful to maintain consistency between the different legal grounds for international data transfers and not to undermine the principle of adequate protection
- This document must be read in conjunction with other Art.29WP documents (BCRs, Safe Harbor, etc.)
- What next? Promote Art.26(2) tools, promote Safe Harbor, together with companies concerned

Commission nationale de l’informatique et des libertés
21 RUE SAINT GUILLAUME
75340 PARIS CEDEX 07
TEL 00 33 1 53 73 22 22
www.cnil.fr