International data transfers under the GDPR, the Data Governance Act and the Data Act

The rules surrounding international data transfers have prompted quite a stir in recent years. In a world where data is the ‘new gold’ and organisations increasingly rely on systems based outside national borders, such as cloud services, a good understanding of these rules on international data transfers is essential for every business owner and public sector body.

The so-called Schrems II ruling of the European Court of Justice, and subsequent decisions by EU data protection authorities, have a significant impact on organisations that transfer personal data outside the European Economic Area. In addition, the EU has also drafted various legislative initiatives on international data transfers of non-personal data, in particular in the Data Governance Act 2022/868 and in the Data Act 2023/2854. According to the EU Digital Strategy, the EU should take an open but assertive approach to international data transfers.

In this newsletter, we clarify the principles and rules from the GDPR, the Data Governance Act and the Data Act as regards international data transfers. Before we dive into it, it is important to highlight the difference in focus between personal data under the GDPR on the one hand and non-personal data under the Data Governance Act and Data Act, on the other.

1. GDPR

The Schrems II ruling of the European Court of Justice of 16 July 2020 has been causing headaches for many organisations for several years now. The ruling once again highlighted the strict regulations on transfers of personal data outside the European Economic Area under Chapter V of the GDPR. The GDPR has a very broad scope: it covers every possible (active or passive) access to personal data in a third country or international organisation. In our digitised world, it is therefore a recurring question.

In particular, the strict rules require that any transfer of personal data outside the European Economic Area be justified by relying on a mechanism under Chapter V of the GDPR. But applying these mechanisms is not always straightforward and can be quite complex. Furthermore, the decision-making practice of the European Data Protection Authority is essential in interpreting the rules. You can find a detailed explanation of the legal framework and background to this subject in our previous newsletters:

https://monardlaw.be/en/stories/informed/de-invloed-van-het-schrems-ii-arrest-op-uw-doorgiften-naar-derde-landen-onder-de-gdpr/

https://monardlaw.be/en/stories/informed/revolutie-in-doorgiften-van-persoonsgegevens/

https://monardlaw.be/nl/stories/ingelicht/vrije-doorgave-van-persoonsgegevens-naar-de-vs-maar-voor-hoe-lang/

https://monardlaw.be/en/stories/informed/hoogste-gdpr-boete-ooit/

2. Data Governance Act

The European Union believes there are too many obstacles to sharing data held by public sector bodies and businesses securely and reliably within the EU. The European Union wants to address this problem through the Data Governance Act, an EU regulation aimed at facilitating the reuse of data held by public sector bodies, encouraging data sharing between companies and enhancing trust in voluntary data sharing by individuals and organisations within the EU. The main pillars of the Data Governance Act can be summarised in a few key concepts: the secure reuse of the data of public sector bodies, data altruism, neutral and transparent data intermediation services, and policy structures and bodies put in place to monitor compliance with the Data Governance Act.

The Data Governance Act applies to both non-personal and personal data, but specifically refers to the legal framework relating to privacy and data protection (in particular the GDPR). This legal framework always takes precedence over the provisions of the Data Governance Act as regards the protection of personal data.

The Data Governance Act provides specific rules for international transfers and access by non-EU public sector bodies to non-personal data held in the EU. The aim of this regulation is to counteract unlawful access to non-personal data by non-EU public sector bodies.

In particular, the Data Governance Act imposes an obligation to take all appropriate technical, legal and organisational measures (including contractual arrangements) to prevent such international transfers of, and access by non-EU public sector bodies to, such data, where this would create a conflict with EU or national law. The Data Governance Act imposes this obligation on the following parties:

  • The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter II of the Data Governance Act;
  • Data intermediation service providers;
  • Recognised data altruism organisations.

Where such an international transfer or public sector body access to non-personal data could create a conflict with Union or Member State law, such transfer or access may be made only:

  • Pursuant to a bilateral agreement between the third country and the Union or the Member State concerned; or
  • If the third country provides an “adequate level of protection” for the non-personal data.

Transfer of, or access to, the non-personal data made on any of the above-mentioned grounds requires in any case that the public sector body in question to which the government request is addressed provide only the minimum amount of data permissible and that the data holder in question be notified of the request (except if such notification would hinder the effectiveness of a law enforcement activity).

3. Data Act

The Data Act is one of the instruments under the EU Digital Strategy to help strengthen the EU’s independent competitive position in the data economy. The Data Act has a broad scope and provides a framework for the use, collection and transfer of non-personal data. The Data Act aims to “ensure fair value distribution from data to actors in the data economy and promote access and use.” The Data Act aims to achieve these objectives through its broad scope and harmonised rules across the EU. In other words, the European Union wants to obtain a more important position with respect to data, the so-called new gold.

The Data Act provides for almost identical rules regarding international data transfers as provided for in the Data Governance Act. However, the obligations in the Data Act are imposed on “data processing service providers,” i.e., providers which offer “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.” A “data processing service provider” therefore largely means cloud service providers.

In addition to these almost identical rules, the Data Act also stipulates that data processing service providers must seek the opinion of a national agency or authority to determine whether the request of a non-EU government entity is consistent with the provisions of the Data Act. This possibility could significantly enhance legal certainty for data processing service providers.

We can summarise the rules on international data transfers under the GDPR, the Data Governance Act and the Data Act as follows:

4. Conclusion

The introduction of the Data Governance Act and the Data Act adds to the already complicated framework regarding international data transfers under the GDPR. Although the rules in the different legal instruments pursue similar aims, they have a different scope and different obligations and exceptions. It is therefore essential for any organisation to map out its international transfers and analyse whether they are in compliance.

The Monard Law Tech, Digital & Data team is here to assist you with all your questions regarding the GDPR, the Data Governance Act, the Data Act and other questions related to innovative technologies, the EU Digital Strategy and privacy and data protection.
