The European Data Protection Supervisor (EDPS) has issued an opinion on the European Union Agency for Cybersecurity’s (ENISA) use of the explicit consent derogation as a legal basis for cross border transfers to the US concerning subscriptions to its newsletter.
Cry and Pray (and try to not transfer):
- The EDPS has requested EU institutions (EUIs) take a strong precautionary approach concerning new processing operations carried out with appropriate safeguards and appropriate supplementary measures.
- The EDPS strongly encourages EUIs to ensure that any new processing operations or new contracts with any service provides does not involve transfers of personal data to the US.
- ENISA uses an EU based processor and US sub-processors.
- ENISA should primarily assess with the processor the availability of alternative newsletter solutions not involving the transfer of personal data to sub-processors in the US.
- (Failing that) ENISA should instruct is processor re: the legality of transfers and the processor should comply with the provisions of Chapter V (re cross border transfers)
Regarding the derogation of explicit consent: Consent should be freely given (e.g. the option to consult the newsletter directly on the ENISA website), specific, informed (see above re disclosure and unambiguous.
- Data subjects need to be fully informed that the processing of their personal data involves a transfer to a third country (or an international organization).
- In the absence of an adequacy decision and appropriate safeguards this must also include information on the possible risks of such transfers for the data subject resulting from the absence of an adequacy decision and appropriate safeguards. Per Schrems II, this should include the limitations on the protection of personal data arising from the domestic law of the US on access and use of data transfers to the US and the lack of enforceable data subject rights. Which risks exist for data subject will depend on the specificities of the US based sub-processor chosen by ENISA’s processor.
- The information can be provided at the same time as the information and consent to the processing in general as long as it remains specific.
- Consent should be given by a clear affirmative act e.g. ticking a box. It is not enough to say that “by registering to the newsletter the user agrees to the privacy terms and conditions of the (newsletter service provider.”
- There needs to be a subsequent affirmative act by the participants to indicate their agreement with transfers to the US referred to by the terms and conditions.
- Consent for transfers for subscription cannot be used for other/future outreach activities.
- Explicit consent on transfer is different and in addition to the consent to the processing itself. ENISA could acquire the consent to the transfer when getting the consent to the processing or imposed this on the processor.
- Be able to demonstrate that the data subject consented to the processing.
- Data subjects need to be told about the possibility to withdraw their consent in the data protection statement. Once consent is withdrawn the data must be deleted unless there is another legal basis.
- In case there may be difficulties to enforce contractual terms in practice in the third country, data subjects will need to be informed about this risk due to the absence of appropriate safeguards.