The opinions and views expressed in this article are the author's own and do not necessarily represent those of the ICRC.
Introduction
While there is a wealth of literature addressing the challenges faced by business organisations in implementing the General Data Protection Regulation (GDPR), those relating to International Organisations (IOs) are scarce and almost non-existent concerning non-governmental organisations (NGOs). NGOs based in the European Economic Area (EEA) often face significant challenges when transferring personal data to third countries for emergency relief purposes. Aiming to protect the rights of data subjects, the GDPR imposes strict requirements on transfers, which may conflict with the humanitarian imperative of providing timely assistance to vulnerable populations.
This author observed that many NGOs lack expertise in data protection law and struggle to comply with the GDPR. Confidential interviews conducted in July 2024 reveal that EEA-based NGOs may not realise that sharing personal data between their headquarters and field offices constitutes an international transfer, even when the data remains within the organisation. Kuner highlights that many humanitarian organisations urgently seek guidance on effectively implementing data protection measures.
For example, Cash and Voucher Assistance – a key tool in humanitarian aid – promotes autonomy by enabling beneficiaries to address their individual needs and priorities, fostering dignity and respect in crisis situations. However, NGOs have raised concerns about “over-compliance” and increasingly stringent financial regulatory requirements that demand excessive data collection. Domestic banking laws and Know Your Customer (KYC) obligations require Financial Service Providers (FSPs) to screen clients against sanctions lists and report matches, potentially compromising humanitarian efforts to ensure impartial assistance. Such measures risk exposing individuals to sanctions or reprisals, turning NGOs into unintended intelligence agents. On the contrary, as stressed by Slim, impartiality requires humanitarian actors to provide aid without discrimination based on nationality, race, religion, class, or political opinions, focusing solely on alleviating suffering and prioritising the most urgent cases.
Applying the GDPR and the rulings of the Court of Justice of the European Union (CJEU), NGOs seem unlikely to be able to lawfully base any transfer of personal data on Articles 45, 46 or 47 GDPR, since the circumstances under which they might transfer personal data often conflict with the legal frameworks of recipient countries. In the absence of case law of the CJEU, the interpretation by the EDPB of the concept of a “not repetitive transfer” concerning “only a limited number of data subjects” (Article 49 GDPR) may create challenges.
This analysis examines the limitations of adequacy decisions, the potential for appropriate safeguards, and the interpretation of Article 49.1 GDPR. By exploring these elements, this author hopes to provide guidance for NGOs balancing their humanitarian duties with data protection obligations, ensuring compliance while navigating conflicting rules.
Transfer to a country benefiting from an adequacy decision
A European Commission adequacy decision provides assurance on third-country data protection but may be insufficient in emergency relief situations where humanitarian crises rapidly evolve. Such crises can undermine the circumstances that initially justified the adequacy decision, raising concerns about whether data subjects still enjoy an adequate level of protection. According to Schrems I (para. 73) and Schrems II (para. 96 and 203), an “essentially equivalent” level of protection is required, based on domestic law or international commitments. Reasoning by analogy from Schrems, this author doubts that an adequacy decision would spare humanitarian NGOs from investigating further how the consequences of a natural or man-made disaster may affect the appropriate safeguards, enforceable rights and effective legal remedies that data subjects must be afforded (Schrems II, para. 103). In a public emergency, the need for relief efforts often coincides with the imposition of exceptional laws that may temporarily suspend fundamental rights, including privacy protections.
Transfer after securing appropriate safeguards
In the absence of adequacy decisions, NGOs must rely on appropriate safeguards to ensure a high level of data protection when transferring personal data to third countries. According to the CJEU’s Schrems II ruling, these safeguards must be capable of ensuring a level of protection “essentially equivalent” to that under EU law (Case C-101/01 Bodil Lindqvist [2003] ECJ 596).
However, the often unstable and unpredictable circumstances in the context of emergency relief can make it difficult to verify the effectiveness of safeguards and to ensure that data subjects have enforceable rights and effective legal remedies. For instance, while NGOs can negotiate appropriate contractual clauses with FSPs, these contracts must not contradict the legal obligations that FSPs are required to uphold. Moreover, enforcing these clauses can prove challenging in countries with weak legal systems or where humanitarian crises have disrupted the functioning of national institutions. Furthermore, the vulnerability of affected populations can hinder access to effective redress mechanisms for individuals whose privacy rights have been compromised.
Conditions for derogations
In the absence of an adequacy decision and when NGOs are unable to establish appropriate safeguards, they may resort to the derogation provisions set out in Article 49.1 GDPR. This clause is drafted rather oddly. It opens a door to the transfer of personal data where the level of protection in the importing country is not essentially equivalent to that under EU law, listing a series of seven exceptions: (a) the explicit consent of the data subject; the fact that the transfer is necessary (b) for the performance of a contract between the data subject and the controller; (c) for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; (d) for important reasons of public interest; (e) for the establishment, exercise or defence of legal claims; (f) in order to protect the vital interests of the data subject or of other persons; or, under some conditions, that (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation. Then, it presents a sub-paragraph of Article 49.1 which addresses the situation where controllers may transfer personal data if necessary for the purposes of their compelling legitimate interests. This separate paragraph lists additional limits to this last derogation, notably the fact that the transfer must not be repetitive and must concern only a limited number of data subjects.
The European Data Protection Board (EDPB) has issued guidelines that generally support a restrictive interpretation of the derogations, emphasising that they should be considered as exceptions to the rule requiring adequate protection or appropriate safeguards. This echoes the usual approach courts take, whereby derogations should in principle be interpreted restrictively and used sparingly (Schrems I, para. 92). One of the key restrictions identified by the EDPB is that transfers under derogations should not be repetitive and should concern only a limited number of data subjects. This limitation may pose challenges for NGOs engaged in ongoing emergency relief operations, which often involve the transfer of data for multiple individuals over extended periods.
Could derogations be possible even when transfers are repetitive and concern numerous data subjects?
This author argues that, in the context of emergency relief operations, Article 49.1 GDPR could be interpreted more broadly to allow for derogations in situations involving repetitive transfers of data or transfers concerning numerous data subjects. Accordingly, the second paragraph of Article 49.1 GDPR may be interpreted as creating an additional exception that does not apply to paragraphs (a) to (g). This understanding is further supported by Recital 113 GDPR, which reads: “Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could be possible for the purposes of the compelling legitimate interests pursued by the controller” (emphasis added).
As some authors have pointed out, it is the criterion of necessity as defined by the EDPB, rather than the frequency of transfers or the number of data subjects affected, that primarily determines the lawfulness of such derogations. If correct, this perspective could introduce a degree of flexibility for NGOs responding to urgent humanitarian needs, allowing for data transfers in emergency contexts. However, it remains essential to assess the specifics of each situation and to ensure that any reliance on derogations aligns with core data protection principles, including accountability and proportionality. Such derogations should be employed with caution to avoid undermining fundamental rights.
It is submitted that the unnumbered second subparagraph of Article 49(1) GDPR introduces a distinct and more limited “legitimate interest derogation” for personal data transfers to third countries. This derogation is narrower in scope than the others under Article 49, applying only under specific and exceptional circumstances. These conditions include: (1) non-repetitive transfers, (2) a limited number of data subjects, (3) compelling legitimate interests of the controller, (4) non-override of data subject rights, (5) a thorough assessment, (6) suitable safeguards, (7) notification of the supervisory authority, and (8) information to the data subject. Unlike other derogations, this exception applies only to the controller’s legitimate interests, not those of processors. This clause, absent from the Data Protection Directive, was, as pointed out by Kuner, a late addition to the GDPR. It should be used as a last resort, since it involves a derogation from fundamental rights justified by the controller’s own interests.
This can be attributed to the unique nature of the legitimate interest concept and the inherent risks it poses to data subjects. The balancing test between the legitimate interest and the data subject’s reasonable expectations requires a case-by-case assessment, also considering the context and circumstances of data collection (EDPB, data protection guide for small business). This assessment must respect data protection rights, which cannot be overridden. The burden lies on the controller to demonstrate that its interest outweighs the data subject’s rights. The CJEU in the Meta case further underscores that legitimate interest cannot serve as a blanket justification for repetitive or systematic processing. This view is echoed by the EDPB, which highlights that repetitive processing often fails to meet the necessary legitimacy threshold.
This author acknowledges that the scope of Article 49.1 GDPR remains somewhat unclear. As Judge von Danwitz, the judge-rapporteur in Schrems II, emphasised while speaking in his personal capacity during a keynote address for the 40th Data Protection Day in January 2021, it is essential to further explore the possibilities offered by the derogation clause.
An approach confirmed by comparing the wording of the GDPR and the Law Enforcement Directive
Article 38 of the Law Enforcement Directive (LED) addresses situations where controllers may, in the absence of an adequacy decision and appropriate safeguards, lawfully and by derogation transfer personal data to a third country. Recital 72 LED clearly contrasts with Recital 113 GDPR. In the GDPR, as explained, the requirement that the transfer should neither be repetitive nor concern numerous data subjects explicitly applies only where the controller claims its legitimate interest. On the contrary, the LED expressly limits the use of all derogations to situations that do not allow frequent, massive and structural, or large-scale transfers of data. As the GDPR was drafted after the LED, one can assume that the GDPR was purposely slightly more liberal than the LED on this point. This is understandable given the difference of rationale between a Directive addressing the powers of law enforcement authorities on the one hand, and a Regulation aiming at allowing the free flow of personal data within the EEA on the other.
Way forward: demonstrate accountability
To ensure the lawfulness of transferring personal data to third countries, NGOs must satisfy a series of conditions. First, the derogation must be necessary and strictly required by the situation. This focus on necessity, rather than on frequency or the number of data subjects, aligns with the logic of emergency circumstances: a derogation remains valid as long as vital interests justify it, regardless of whether the situation occurs once or repeatedly.
Data protection measures must not impede the delivery of essential assistance. In humanitarian crises, appropriate legal bases include “important reasons of public interest” (Article 49.1(d) GDPR) and “vital interests of the data subject or others” (Article 49.1(f) GDPR). However, a risk-based assessment must follow to evaluate any high risks to the rights and freedoms of individuals, in line with Article 35 and Recital 84 GDPR. Moreover, NGOs should conduct a broader risk assessment under the do no harm principle, balancing the risks of transferring and of withholding personal data. If appropriate mitigating measures are implemented, the transfer may be justified, even without ensuring an “equivalent” level of data protection. This includes balancing potentially conflicting rights, ensuring that data subjects’ objections are respected and that no decisions are made against their will, while consent may not be a valid basis given the power imbalance and lack of choice of vulnerable populations.
Mitigating measures include contractual clauses, robust data retention policies, and strong oversight of third-party compliance. Ultimately, NGOs must assess whether the transfer introduces new risks for data subjects, considering that the subjects’ only connection to EU law is the NGO’s EEA-based operations. If withholding data compromises the individuals’ interests more than the transfer would, the latter may be the preferable option.
Humanitarian actors, such as the UNHCR, OCHA, the ICRC and the Inter-Agency Standing Committee, have started developing guidelines, but, regrettably, the EU lacks a standardised methodology for assessing data protection equivalence in third countries. Despite the critical need to evaluate foreign laws for their essential equivalence to EU standards, neither EU institutions nor Data Protection Authorities (DPAs) have publicly established a clear approach for doing so. Kuner suggests that this may be due to a limited interest among EU institutions in facilitating data transfers that serve vital global public interests, such as those undertaken by international humanitarian organisations to help vulnerable populations.
In the author’s view, the current challenges may also stem from the fact that the GDPR was primarily designed to protect individuals residing in Europe and to impose obligations on companies based in Europe, regardless of the location of their users. However, as articulated by Gulczynska, in the context of humanitarian aid, data subjects should not be considered as users of services offered by NGOs based in Europe. This paper aims to contribute further insights into the urgent need for support to help EEA-based NGOs navigate GDPR requirements when transferring personal data to deliver emergency humanitarian aid to individuals in third countries.