Chapter V (Articles 44 to 50) of the EU General Data Protection Regulation (the ‘GDPR’) regulates the transfer of personal data of EU data subjects to third countries. An international transfer of personal data must comply with the conditions laid down in various provisions of Chapter V which shall be applied to ensure that the level of protection of natural persons guaranteed under the GDPR is not undermined.
Under the GDPR, an international transfer of personal data may take place on the basis of an adequacy decision adopted by the European Commission (Article 45) or, in the absence of an adequacy decision, subject to appropriate safeguards (Article 46) provided by the data controller or data processor. The appropriate safeguards under Article 46 include binding corporate rules, standard data protection clauses / standard contractual clauses (the ‘SCCs’), codes of conduct, and certification mechanisms adopted and/or approved in the manner laid down in the GDPR.
Where an international transfer of personal data relies on an appropriate safeguard, Article 46 of the GDPR imposes a further condition: enforceable data subject rights and effective legal remedies for data subjects must be available.
Schrems II Judgment
In its judgment of 16 July 2020 in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (the ‘Schrems II Judgment’), the Court of Justice of the European Union (the ‘CJEU’) held that the requirements of appropriate safeguards, enforceable rights, and effective legal remedies under Article 46 of the GDPR meant that the data subjects whose personal data were transferred to a third country were afforded a level of protection essentially equivalent to that guaranteed under the GDPR when read in the light of the Charter of Fundamental Rights of the European Union (the ‘Charter’).
It was widely assumed before the Schrems II Judgment that the execution of the SCCs between the data exporter based in the European Union and the data importer in the relevant third country alone was sufficient for an international transfer of personal data under the GDPR.
However, in the Schrems II Judgment, the CJEU observed that the SCCs were contractual and could not bind the public authorities of third countries. Thus, in certain situations, the SCCs alone might not ensure compliance with the level of protection required under the EU legal order, especially where the law of a third country allowed its public authorities to interfere with the rights of data subjects.
Accordingly, the CJEU held that in case of transfer of personal data from the European Union to a third country under the SCCs, the data exporter based in the European Union must “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
As regards the scope of such verification or assessment, the CJEU clarified that “[…] the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of [the GDPR].”
Relevant elements for undertaking such assessment or verification as set out in Article 45(2) of the GDPR include the rule of law, respect for human rights and fundamental freedoms, data protection rules, the access of public authorities to personal data, relevant legislation as well as the implementation of such legislation, case-law, effective and enforceable data subject rights, independent supervisory authorities, and effective administrative and judicial redress for data subjects.
Privacy Shield Decision
In the Schrems II Judgment, the CJEU also invalidated Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 (the ‘Privacy Shield Decision’), issued under Article 45 of the GDPR on the adequacy of the protection provided by the EU-US Privacy Shield. The CJEU found that, in adopting the Privacy Shield Decision, the Commission had disregarded the requirements of Article 45(1) of the GDPR, read in the light of Articles 7, 8, and 47 of the Charter.
The Privacy Shield Decision was invalidated because of concerns about surveillance by US public authorities under US foreign-intelligence law. The CJEU concluded that the relevant US legislation did not: (i) correlate to the minimum safeguards resulting, under EU law, from the principle of proportionality; (ii) indicate any limitations on the power it conferred to implement surveillance programmes for foreign intelligence purposes, or provide guarantees for non-US persons potentially targeted by those programmes; and (iii) grant data subjects rights actionable in the courts against the US authorities, so that data subjects had no right to an effective remedy.
Foreign Surveillance Laws, Additional Protection
In the Schrems II Judgment, the CJEU focused mainly on foreign surveillance laws and, in that context, interpreted the obligations of data exporters regarding transfers outside the European Union. This is the most difficult area in practice: concerns about data protection and privacy arising from access by public authorities cannot be fully addressed by a contractual arrangement such as the SCCs alone.
To discharge its obligations concerning an international transfer of personal data, the data exporter based in the European Union must interpret the relevant foreign law(s) to assess, inter alia, the circumstances in which it allows access to personal data, the oversight mechanism concerning such access provided therein, and the redress available thereunder to data subjects in respect of such access. Thereafter, based on such interpretation, the data exporter must determine whether the relevant foreign law(s) provides protection essentially equivalent to that guaranteed under the GDPR and whether and, if required, what additional or supplemental safeguards will be needed to achieve the required protection, in addition to the SCCs.
This is by no means an easy task, especially where the foreign law applicable to the data importer is opaque and requires expert advice to interpret.
Surveillance Laws in Pakistan
For instance, in Pakistan, at least three legal regimes allow public authorities to lawfully intercept and/or access data that may also include personal data of foreign data subjects. Such access may be obtained in transit (i.e., through real-time surveillance, interception, and/or recording of data), or by specifically requiring a person based in Pakistan and having control over the relevant data, to provide access to or copy of such data.
The circumstances in which, and the purpose for which such access may be obtained or required vary depending on the applicable legal regime. Access to data may be lawfully required, in some cases, under a request received from a foreign state. The existence or the extent of independent supervision, and availability of administrative and judicial redress for the protection of rights of data subjects, also depends on the applicable legal regime.
Hence, before transferring personal data of EU data subjects to Pakistan pursuant to the SCCs (or subject to another appropriate safeguard under Article 46 of the GDPR), the data exporter based in the European Union must carefully evaluate the local surveillance and interception laws and supplement the SCCs with the additional safeguards needed to ensure adequate protection of the personal data transferred to Pakistan. For instance, encryption of personal data may be required as an additional safeguard to mitigate the risk of interception during transit. Encryption in transit addresses only the first of the two forms of access described above; it does not by itself address access obtained by requiring a person in Pakistan who controls the data to provide access to it or a copy of it, once that person is able to decrypt it. Moreover, in such a case, the data importer based in Pakistan should be obligated to obtain the required regulatory approval, as unauthorized use of encryption technology to avoid monitoring is unlawful under the telecom law.
Additional or supplementary safeguards may also be necessary for the transfer of personal data to Pakistan because, at present, Pakistan does not have comprehensive data protection and privacy legislation.