Irish Data Protection Commission imposes fines for transfer of personal data to China

Published on 11th June 2025

Sanctions for third-country transfer violations remain infrequent but proper conduct of TIAs by controllers is essential

Since the Court of Justice of the EU (CJEU) ruling in the Schrems II case (C-311/18), controllers and processors must conduct a transfer impact assessment (TIA) before transferring personal data to a "third country" that does not offer an adequate level of protection compared to the EU General Data Protection Regulation (GDPR).

The Irish supervisory authority, the Data Protection Commission (DPC), has now imposed a total fine of €530 million on the European provider of a social media platform that belongs to a group based in China. The fine is due, among other things, to a deficient TIA.

DPC decision details

The DPC has based its decision, which has so far only been published as a press release, on two points:

  • Transparency deficits: On the one hand, the company did not sufficiently inform European users about a possible transfer of their personal data to China in its privacy notices from 2021, thereby violating article 13 paragraph 1 lit. f) of the GDPR. Neither were third countries such as China mentioned by name nor was it clarified that user data stored in the US and Singapore were subject to possible remote access from China. In December 2022 (during the ongoing proceedings of the DPC), the company revised its privacy notices, thereby remedying the criticised transparency violations.
  • International data transfers: On the other hand, the company violated article 46 paragraph 1 of the GDPR because it did not sufficiently examine and ensure whether the EU standard contractual clauses used for the transfer to China were sufficient to subject the personal data of European users stored there to a level of protection equivalent to that in the EU. In particular, the company failed to adequately consider possible access by Chinese security authorities to European user data based on the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law or the Intelligence Law and to compensate for the associated fundamental rights infringements through appropriate guarantees and supplementary measures.

    Note: The DPC’s order to suspend such personal data transfers to China has been challenged in the meantime and the Irish High Court has ordered a stay on this part of the DPC’s decision. This stay will be in place until early October when the court will hear an application by the company seeking a longer stay.

Significance of the decision

Although TIAs have so far played only a marginal role in the sanctioning practice of European supervisory authorities, the fine now imposed by the DPC is the third highest fine for a GDPR violation to date. The DPC has already taken into account that the company is currently implementing a multi-billion euro data-protection compliance project. As the DPC clarifies, the above-mentioned violation of the transparency requirements of article 13 of the GDPR accounts for "only" €45 million, while the violation of the requirements for international data transfers was fined €485 million.

Thus, a very substantial fine has now been imposed in one of the EU member states that is strategically most important for the international data and digital economy. The DPC's decision is also particularly relevant because international data transfers are a business necessity for most companies.

At the same time, companies are in principle exposed to a high enforcement risk: European supervisory authorities have formulated specific requirements for TIAs, so violations of those requirements, which are subject to fines, are comparatively easy to identify. In addition, the European Commission has so far adopted only a small number of adequacy decisions, so conducting a TIA is the rule rather than the exception.

Against this background, companies should implement the processes needed to make TIAs a fixed part of their data protection risk assessment. Any TIAs already carried out should be reviewed for completeness and adequacy and, if necessary, refined. Where the assessment calls for it, additional measures to protect personal data in third countries must be taken.

Previous TIA sanctioning

European supervisory authorities have so far seemed reluctant to sanction violations of legal requirements in connection with the conduct of TIAs. In any case, only isolated decisions have become public.

For example, in Norway, the authority imposed a fine of approximately €500,000, among other things, on the grounds that the company concerned transferred personal data to a processor based in China without sufficient legal basis and did not conduct a TIA in this context.

In Spain, the supervisory authority there imposed a fine of €6.1 million. This decision was partly based on the fact that the company concerned had insufficiently assessed the data protection situation in certain countries and the TIA conducted by the company therefore did not meet the relevant requirements.

What must a TIA include?

Although the requirement to conduct a TIA is largely based on CJEU case law, the CJEU has not set specific requirements for the content and scope of a TIA.

Specific requirements for the content and scope of a TIA are instead derived from Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, published by the European Data Protection Board (EDPB). According to these, a TIA must essentially consist of the following elements:

Identification and recording of data transfers to third countries, including the respective transfer instruments.

First, data transfers to third countries, including any onward transfers by processors or sub-processors, must be recorded. The transfer purposes must be appropriate and limited to what is necessary. The chosen transfer instrument according to article 46 of the GDPR must also be documented.

Assessment of whether the guarantees of the transfer instrument are likely to be compromised in the third country.

This requires an assessment of the legal situation and legal provisions in the third country. In particular, provisions that require the disclosure of data to government authorities must be identified and assessed. This also includes an examination of legal practice in the third country, especially where provisions intended to ensure a level of protection comparable to that of the GDPR and EU law exist but are evidently not applied, or where such provisions or practices are lacking altogether. According to the recommendations, an impairment generally exists if the essence of European fundamental rights or freedoms is not respected in the third country. This assessment forms the core of the TIA and usually requires the involvement of qualified legal advisors in the respective jurisdiction.

Selection and application of additional measures.

This is to ensure a level of protection comparable to that in the EU if local law undermines the level of protection guaranteed by the chosen transfer instrument. Possible measures can be contractual, technical or organisational in nature, for example, and must be selected depending on the type of data and data processing as well as the data protection deficits of the third country.

Ongoing monitoring and, if necessary, reassessment.

This is required where circumstances in the third country change, for example through new legislation or a change in enforcement practice.

Although preparing a TIA is usually very complex, because a large number of factors and criteria enter into the data protection assessment of the third country, the underlying assessment structure is always the same, so TIAs can be readily integrated into a standardised compliance process. Appropriate tools are available to support the preparation of a data protection-compliant TIA.

Consequences for privacy notices

Information on data transfers to third countries is a mandatory part of privacy notices. Article 13 paragraph 1 lit. f) of the GDPR requires controllers to inform data subjects about third-country transfers and the existence or absence of an adequacy decision, including the appropriate safeguards taken. According to article 13 paragraph 1 lit. e) of the GDPR, the recipients of personal data must also be named, at least by category. From the DPC's decision, it can be inferred that privacy notices must also provide the following information:

  • specific naming and listing of the third countries to which personal data is transferred, and
  • processing activities affected by the transfer to these third countries.

Osborne Clarke comment

Although it cannot yet be said that there is a widespread sanctioning practice for violations of the data protection requirements for third-country transfers, the fine now imposed shows that the proper conduct of TIAs and transparent information of data subjects about international data transfers are essential duties of controllers, and that breaches of these duties are sanctioned severely.

Responsible companies should therefore critically review any TIAs already conducted for potential need for adjustment and establish a process that ensures TIAs are conducted to the required extent. At the same time, privacy notices should be reviewed for their treatment of third-country transfers and updated if necessary.

Learn more about tool-based TIA implementation from our Insight on Osborne Clarke Solution's digital Data Transfer Manager tool.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
