The digitalisation of the public sector and its information assets has lowered barriers and opened up new forms of cooperation in the public domain. Public authorities, now more digitalised than ever, are seeking closer cooperation to perform their tasks and carry out their administrative roles efficiently. At the international level, such cross-border cooperation requires a framework for transfers of personal data between EEA and non-EEA public authorities. Under Regulation (EU) 2016/679 (GDPR), these transfers must rest on a legal basis for the processing and, in addition, satisfy the conditions of Chapter V on transfers of personal data to third countries and international organisations.
In particular, where the European Commission has not issued an adequacy decision for the recipient’s country (which would allow transfers without any further authorisation), public authorities may rely on two safeguards specific to the public sector in order to share the data:
(i) a legally binding and enforceable instrument between public authorities or bodies, such as an international treaty, a public-law agreement or a self-executing administrative agreement (Article 46(2)(a) GDPR); or
(ii) provisions inserted into an administrative arrangement between public authorities or bodies, such as a Memorandum of Understanding, which include enforceable and effective data subject rights and are subject to prior authorisation from the competent supervisory authority (Article 46(3)(b) GDPR).
In this article, we focus on the recently published guidelines of the European Data Protection Board (EDPB) on transfers of personal data from EEA public authorities or bodies to public bodies in third countries and to international organisations that are not covered by an adequacy decision.
The concept of a public authority under the GDPR
As we have previously explained, the GDPR does not define ‘public authority or body’; the definition and the defining criteria are left to each Member State’s law. The EDPB confirms that this is a broad concept comprising not only government authorities but also other bodies governed by public law (e.g. executive agencies). In the UK, public authorities and public bodies are those defined by the Freedom of Information Act 2000 (FOIA) and the Freedom of Information (Scotland) Act 2002. In Ireland, they are those defined under the Freedom of Information Act 2014.
The substantive provisions of agreements for cross-border data transfers
The EDPB advises on the minimum safeguards to be included in international agreements. In particular, the following elements should be addressed:
- Purpose and scope: These international agreements should clearly define their scope and purposes alongside the concerned categories of personal data and relevant aspects of the data processing in question.
- Definitions: Definitions of the core data protection elements and roles should be included.
- Data protection principles: Adherence to the data protection principles of Article 5 GDPR should be explicitly stated. A mere reference to those principles does not suffice, however: the EDPB advises that each principle should be specified and given concrete effect in the agreement.
- Transparency: Specific attention should be paid to ensuring that such cross-border data transfers are communicated to the data subjects concerned in line with Articles 13 and 14 GDPR. The EDPB also clarifies that a general information notice on the public body’s website will not suffice; genuine, targeted transparency is required.
- Personal data breach mechanisms: The agreement should set out the mechanisms and controls for ensuring that personal data breaches are dealt with in line with the GDPR.
- Enforceable and effective data subject rights: The EDPB points out that international agreements should set out the provisions on data subjects’ rights in detail. The agreement should specify which rights apply, how data subjects can exercise them and how the parties will respond to requests. It could also describe the mechanisms for handling these requests, any restrictions and exceptions, and the measures available to remedy a breach of these rights.
- New technology and sensitive data: Where the data processing involves innovative processes and systems of data processing, such as automated individual decision-making and profiling, the agreement should provide for the appropriate measures. The same applies where sensitive data is processed and there is a need for enhanced controls.
- Restrictions on onward transfers and sharing of data: In principle, onward transfers by the receiving public body to recipients not bound by the agreement should not be permitted. Specific exceptions may apply where necessary and justified; in that case, the agreement should stipulate that an onward transfer can only take place if the transferring public body has given its prior and express authorisation and the third-party recipient commits to the provisions of the original agreement. The agreement could also specify exceptional circumstances, such as where the onward transfer is required by law, under which onward transfers may occur without prior authorisation.
- Supervision and compliance: The agreement should provide for internal and external mechanisms ensuring that its provisions are respected, such as periodic internal checks and independent supervision.
- Redress mechanisms: Data subjects should enjoy an enforceable and effective right to redress, including the right to compensation and the right to lodge a complaint with a supervisory authority or, where that is not possible, with an alternative redress mechanism.
Where the legally binding and enforceable instrument option is chosen, the EDPB suggests that the detailed data protection clauses should be included directly in the instrument. If this is not possible, it recommends including a general data protection clause in the instrument and specifying it in an annex.
The EDPB guidelines cover a wide range of international relations and cooperation between public authorities. Nonetheless, the international agreements examined are not appropriate safeguards in the areas of public security, defence or state security. Nor do they apply to international data transfers by competent authorities for criminal law enforcement purposes, which fall under the Law Enforcement Directive (Directive (EU) 2016/680) rather than the GDPR.
At first sight, this guidance could significantly improve the regime for cross-border cooperation in the public sector, and it clarifies the EDPB’s expectations as to the applicable safeguards. This is of particular relevance in the post-Brexit era, where the absence of a specific data protection framework for transfers between the UK and the EEA could encourage the adoption of these mechanisms. Furthermore, the guidelines build on concepts and elements already used in data processing agreements between controllers and processors, and in agreements between controllers, enabling alignment at the international level as well.
EEA public authorities should review their existing mechanisms for data transfers to non-EEA public authorities and ensure that these are in line with the applicable data protection framework and the EDPB guidelines.
Trilateral’s Data Governance and Cyber Risk Team have significant experience in negotiating and designing such data processing agreements and advising on the appropriate provisions. Feel free to get in touch with our Data Governance and Cyber Risk Team, who would be happy to assist you with your data protection and cybersecurity needs.