Transferring data outside the European Union cannot be improvised: it is subject to a number of conditions. The GDPR provides for several scenarios, depending on the country concerned and the commitments made by the organisations involved.

In companies, data controllers (and their subcontractors) may transfer data outside the European Union provided that they ensure a sufficient and appropriate level of data protection. To do so, they must regulate these operations using the various legal tools defined in Chapter V of the GDPR.

In order to ensure a high level of protection of data transferred from European territory to third countries, organisations wishing to transfer data can use the following tools:

  • The adequacy decision (Art. 45 GDPR), which is the primary legal framework tool, since it is adopted on the basis of an overall review of the legislation in force in a State, in a territory, or applicable to one or more specific sectors within that State
  • In the absence of such a decision, “appropriate safeguards” (Art. 46 GDPR), most of which are decisions of the supervisory authorities taken in the light of the commitments made by the bodies concerned

Article 45 of the GDPR: transfers based on an adequacy decision

A transfer of personal data to a third country or to an international organisation may take place where the European Commission has established by decision that the third country, a territory or one or more specific sectors in that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer does not require specific authorization.

To date, the European Commission has recognised the adequacy of the level of protection of the following countries: Andorra, Argentina, Canada (for processing subject to the Canadian Personal Information Protection and Electronic Documents Act), South Korea, Isle of Man, Faroe Islands, Israel, Japan, Jersey, Guernsey, New Zealand, Switzerland, United Kingdom and Uruguay.

Regarding the United States, the European Commission adopted a new adequacy decision on 10 July 2023. In this decision, the Commission finds that the changes made by the United States to its national legislation now ensure an adequate level of protection for personal data transferred from the EU to organisations located in the United States, provided those organisations take the steps required to comply with this new “data protection framework”. The list of these organisations is maintained and published by the U.S. Department of Commerce.

Transfers of personal data from the European Union to the entities on this list can therefore be carried out freely, without needing to be framed by “standard contractual clauses” or another transfer instrument. This decision follows the invalidation by the Court of Justice of the European Union of the previous adequacy decision (Privacy Shield).

Article 46 of the GDPR: the appropriate safeguards in the spotlight

In the absence of an adequacy decision pursuant to Article 45 of the GDPR, the controller or processor may only transfer personal data to a third country or to an international organisation if they have provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies are available to the data subjects.

Appropriate safeguards may be provided, without requiring special authorisation from a supervisory authority, by:

  • a legally binding and enforceable instrument between public authorities or bodies
  • binding corporate rules
  • standard data protection clauses adopted by the Commission
  • standard data protection clauses adopted by a supervisory authority and approved by the Commission
  • an approved code of conduct, together with the binding and enforceable commitment made by the controller or processor in the third country to apply appropriate safeguards, including with regard to the rights of data subjects
  • an approved certification mechanism, together with the binding and enforceable commitment made by the controller or processor in the third country to apply appropriate safeguards, including with regard to the rights of data subjects

Since May 2018, a significant reduction in formalities with the CNIL

Since 25 May 2018, it has no longer been necessary to obtain authorisation from the CNIL if the transfer is based on:

  • standard contractual data protection clauses adopted by the European Commission, or by a supervisory authority with the approval of the European Commission
  • binding corporate rules (BCRs)
  • a code of conduct approved by a supervisory authority
  • a certification mechanism issued by a supervisory authority, or by a certification body approved by a supervisory authority or a national accreditation body
  • binding legal instruments between public authorities (such as an international convention)

On the other hand, authorisation from the CNIL is still required if the transfer is based on:

  • specific contractual clauses between the controller of a file (or a processor) and another controller, processor or recipient of the data in the third country or international organisation
  • provisions to be incorporated into administrative arrangements between public authorities or public bodies, which provide for enforceable and effective rights for data subjects

It should be noted that the EDPB (European Data Protection Board) has updated several documents adopted by the G29 to take into account the GDPR and the case law handed down since then. The work focused on:

To go further, find out how our deepeo software solution can help you with its features:

Data Deletion

Deletes all data for any data subject you no longer have a business or legal reason to hold.

Data Anonymiser

Perform the same operations as the data deletion, but anonymise a data subject’s data as opposed to deleting it.
