Personal data transfers to third countries

• Author: Michèle Finck
• Pages: 89-90

Blockchain and the General Data Protection Regulation

89

10. Personal data transfers to third countries

Chapter V of the GDPR limits the circumstances under which personal data can be transferred

from the European Union to third countries. It clarifies that personal data can only be transferred

to third countries where these (i) benefit from adequacy decisions, (ii) appropriate safeguards are

offered, or (iii) on the basis of a derogation.537 The examination of these provisions in relation to

blockchain technology is important as the multiple nodes on which the ledger is kept can be located

in various jurisdictions, both inside and outside the European Union. Whereas the location of the

nodes can be controlled in a permissioned network, this is impossible in a permissionless system as

anyone may access the network without the need for prior authorisation by a central gatekeeper.

Pursuant to Article 45 G DPR, transfers of personal data to third countries are possible on the basis

of an adequacy decision. Where the European Commission has decided that a third country,

territory538 or specific sector in a third country (or an international organisation) ensure an adequate

level of protection, such data transfers do not require any specific authorisation.539 The European

Commission has the ability to issue adequacy decisions taking into account factors such as the

respect for the rule of law, human rights and fundamental freedoms as well as relevant legislation

and practices540, whether there is an independent supervisory authority that ensures and enforces

compliance with data protection rights541 and the relevant third country or international

organisation's international commitments regarding data protection.542 If the Commission reaches

the conclusion that that jurisdiction provides an adequate level of protection, it can issue an

implementing act that recognises this (the adequacy decision) which provides for periodic review

(at least every four years).543

Adequacy is defined as a level of protection that is 'essentially equivalent to that ensured

within the Union'.544 This has been interpreted by the Article 29 Working Party as requiring that

these foreign rules comply with a 'core' of GDPR principles, the Charter of Fundamental Rights as

well as relevant international instruments (including the Council of Europe's Convention 108).545

Where an adequacy decision with a third country exists, personal data can thus flow freely between

these jurisdictions, notwithstanding whether blockchains or another personal data processing

technology are used.

Where personal data is transferred to a jurisdiction that does not benefit from an adequacy decision,

a controller or processor may only transfer personal data to a third country where it is able to provide

appropriate safeguards. Under Article 46 GDPR, transfers to third countries are possible where

the controller or processor 'has provided appropriate safeguards, and on condition that enforceable

data subject rights and effective legal remedies for data subjects are available'.546 Such safeguards

do not require a specific authorisation from a supervisory authority and may include (i) legally

binding and enforceable instruments between public authorities or bodies, (ii) binding corporate

537 Note that there is a hierarchy between these different grounds. Essential equivalence can only be used where there is

no adequacy and derogations can only be used where there is no adequacy decision nor essential safeguards.

538 Territories include the Overseas Countries and Territories that have a special relationship with specific Member States

but to which EU law does not apply such as Greenland or French Polynesia and the Netherlands Antilles, among others.

539 Article 45 (1) GDPR. See als o Recital 103 GDPR.

540 Article 45(2)(a) GDPR.

541 Article 45(2)(b) GDPR.

542 Article 45(2)(c) GDPR.

543 Article 45(3) GDPR.

544 Recital 104 GDPR.

545 WP29 2017: Article 29 Working Party, ‘Adequacy Referential (updated)’ (WP 254, 28 November 2017) 3.

546 Article 46 (1) GDPR.