Transfers to Third Countries
This position paper can also be downloaded in .pdf format.
POSITION PAPER ON TRANSFERS TO THIRD COUNTRIES
Transfer of data to third countries is a sensitive subject. The Directive is trying to serve two goals that appear to be in conflict: protecting personal data and facilitating the flow of personal data, including in certain cases to third countries outside the EU that may not provide for adequate protection of personal data.
(1) Our analysis:
Chapter V sets out general principles for the transfer of personal data to third countries or international organisations in the field of police and judicial cooperation in criminal matters, including onward transfers. According to the basic principle expressed in Article 33, transfers to third countries may take place only if it is “necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” and when the controller and processor comply with the conditions specified in the Directive. At the same time, the provisions of Chapter V, in particular Article 35(1)(b) and Article 36, provide for very broad exceptions to this general rule, which may lead to systemic abuses and avoidance of the basic principles expressed in Article 33.
According to Recital 45 and Article 33, Member States should ensure that a transfer to a third country only takes place if it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Furthermore, the controller in the third country or international organisation has to be a “competent authority” in the meaning adopted by the Directive. It should be clarified that transfers may only occur to public authorities competent for law enforcement purposes in third countries and not other recipients. This has also been suggested by the European Data Protection Supervisor (EDPS) and the Article 29 Working Party. Similar changes should also be introduced in all other Articles allowing transfers to third countries and international organisations.
There is currently no specific provision concerning the issue of onward transfers. Therefore, we propose to add a new paragraph in Article 33 to cover this matter; our proposed recital 45a provides additional explanation. In our opinion, onward transfers should only be allowed if they are necessary for the same specific reason that justified the original transfer, for example when they are necessary for investigating the same case that prompted the original transfer, but not for general law-enforcement purposes. Additionally, the competent authority that carried out the original transfer should authorise the onward transfer.
Article 34 regulates the issue of transfers with an adequacy decision. By analogy to the amendments that we suggested to the General Data Protection Regulation, EDRi recommends that the European Data Protection Board (EPDB) should be consulted before issuing (non-)adequacy decisions.
Article 35 regulates the issue of transfers by way of appropriate safeguards. In our opinion, self-assessments of safeguards with respect to data protection by the controller or processor cannot provide a basis for such transfers, especially given that their own interests might influence their judgement as to whether the safeguards are appropriate. Such transfers should always be based on a legally binding instrument. Therefore, we support the EDPS in his opinion that Article 35(1)(b) should be deleted.
Derogations from the preceding provisions are regulated in Article 36. According to this provision, in the absence of an adequacy decision taken pursuant to Article 34 or of appropriate safeguards adduced pursuant to Article 35, transfers of data to third countries or international organisations may still take place only if certain conditions are fulfilled. However, these conditions could be open to wide interpretation and in effect, controllers might often rely on the derogations, even if a transfer of personal data is not strictly necessary. We therefore think that the use of such derogations should be limited to the minimum and that additional safeguards should be put in place. Moreover, all transfers should be properly documented.
(2) OUR RECCOMMENDATIONS
- Specify that transfers should only occur to public authorities competent for law enforcement purposes;
- Introduce specific rules restricting onward transfers, i.e. they should only be allowed if they are necessary for the same specific reason that justified the original transfer, and should be subject to authorisation by the authority that carried out the original transfer;
- The Commission should consult the EDPB before adequacy decisions are issued;
- Remove the possibility of self-assessment by the controller or processor as to whether appropriate safeguards exist (delete Art. 35(1)(b));
- Restrict the use of derogations by introducing a requirement that any transfers under Article 36 have to be subject to a prior authorisation by the supervisory authority and that they have to be duly documented.