With WHOm can I share data? Applying the GDPR to transfers of data to International Organisations

Introduction

The Coronavirus pandemic has thrown International Organisations (IOs) such as the World Health Organisation (WHO) into the spotlight. Critics ask whether they suffer from undue political influence or unhelpful political apathy. A more prosaic question the crisis raises, however, concerns the rules that apply to such bodies when they process personal data. In this regard, while the debate about whether the GDPR applies to IOs directly has largely been settled, its application to entities transferring data to them remains beset by uncertainty. The decision of the CJEU in Schrems II has done little to ameliorate that uncertainty. Those proceedings concerned the transmission of data to a third country. However, the impugned provisions (in Chapter V of the GDPR), which limit such transfers except in certain circumstances, also apply when data are transferred to IOs. In its wake, the European Data Protection Board (EDPB) published two documents addressing the issues raised. Meanwhile the Commission has adopted a Draft Implementing Decision elaborating a new set of standard contractual clauses for such transfers. However, save for the somewhat cryptic statement in Recital (3) of that Decision to the effect that ‘[r]eliance on the standard contractual clauses is notwithstanding any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities,’ nothing more has been said about transfers of data to IOs. In the meantime, anecdotal evidence suggests that EU controllers are concerned that sharing data with these entities may breach the Regulation. The implications of this for the work of IOs resonate beyond the pandemic and demand attention. This piece highlights some of the difficulties that arise from shoehorning IOs into provisions of the GDPR that were designed with States in mind, and offers some tentative solutions.

The GDPR and IOs

The question of whether the GDPR applies to IOs themselves has been examined by Kuner. While an IO is, in principle, subject to the jurisdiction of the host state, and its activities fall within the broadly conceived material and territorial scope of the GDPR, the assimilation of IOs with third countries in Chapter V strongly suggests that the Regulation was not expected to apply to them. Transfers of data to them are, therefore, prohibited except in certain circumstances. Had the Regulation applied, it would not have been necessary to treat them this way. Whatever the position in principle, however, in practice the immunity granted to an IO by the host State is likely to preclude enforcement against it; a fact acknowledged by the EDPB. Perhaps this was the gap that their inclusion in the prohibition against transfers was intended to fill. Thus, although the Organisations themselves do not have to comply with the GDPR, EU entities providing data to them must do so. Applying the provisions in Chapter V to transfers to IOs, however, is not without its difficulties.

Transfers from public bodies

In the absence of an adequacy decision, where the data exporter is a public authority, transfers can be made to an IO where a legally binding instrument or, in its absence, an MOU is in place (Articles 46(2)(a) and (3)(b)). Aside from the administrative burden of having to put such arrangements in place for every transfer, MOUs require approval by the relevant EU Supervisory Authority. This risks compromising the Organisation’s inviolability and perhaps its immunity. Meanwhile, the content of such agreements as prescribed by the EDPB will largely reflect GDPR standards and, in doing so, impose them by the back door.

Transfers from private bodies

In addition, while IOs do receive personal data from other public authorities, this does not exhaust the sphere of their activities. Increasingly, they work alongside civil society and the private sector to fulfil their mandate and build capacity. See, for example, the growing use of public-private partnerships in the field of international public health co-operation (Burci). They may also purchase services from EU companies. Transfers can be made in such circumstances using standard data protection clauses adopted by the Commission (Article 46(2)(c)), or adopted by a Supervisory Authority and approved by the Commission (Article 46(3)(a)). The Commission’s revised contractual clauses issued in the wake of Schrems II, however, do not appear to have been drafted with exports to IOs in mind. For example, the obligation on the data importer to document processing activities and make such documentation available to the competent Supervisory Authority on request (Clause 1.9(b)) would compromise the inviolability of the IO’s communications and archives; likewise, the requirement to submit to inquiries and audits (Clause 9). Meanwhile the duty to submit to the jurisdiction of a Member State’s Supervisory Authority and/or the courts and to abide by their decisions (Clauses 6 and 9, and Clause 3 of the Final Provisions) would require a waiver of immunity. Perhaps the reference to the need to comply with contractual obligations to respect privileges and immunities in the Commission’s Implementing Decision is a tacit acknowledgement of this. If so, it hardly brings the clarity that those dealing with IOs require. Nor is it obvious how such a contractual obligation would work in circumstances where the immunity enjoyed by IOs applies in respect of the adjudicative and enforcement jurisdiction of the State.

Transfers for important reasons of public interest?

It also begs the much broader question of whether IOs should be subject to the GDPR by the back door (Bordin). The UN thinks not. Its comments on the EDPB Guidelines on Articles 46(2)(a) and (3)(b) stress the ‘adverse impact’ the GDPR has had on its activities (in terms of the disruption of data flows from partners and suppliers in EU Member States). It argues in favour of a more nuanced approach. Precisely what that should look like is unclear, though there are hints that it might entail a more permissive attitude to the derogation for transfers made for important reasons of public interest in Article 49(1)(d). While this (the third and final transfer mechanism of relevance to IOs) looks like a promising solution, it raises several issues. The first is that even if one accepts that all the activities of the UN are done for important reasons of public interest on the basis of its universal mandate, the derogation will need to accommodate frequent transfers of potentially large amounts of data. This would have to be reconciled with the EDPB’s approach to exceptions to fundamental rights (including those made in the public interest) which dictates that they should be interpreted narrowly, used only as far as strictly necessary, and not for large scale or systematic transfers [11]. Consideration would also have to be given to how the rules could be adjusted for the UN whilst maintaining the principle of strict necessity in other contexts.

Assuming these difficulties could be overcome, where does this approach leave others? Do all IOs merit the same treatment? Do they all serve the public interest? Even if they do, should Article 49(1)(d) only apply to those interests that are universally shared?

There is a miscellany of IOs beyond the UN and its subordinate bodies. These range from those that exist to protect the economic interests of particular regions, the producers and consumers of certain commodities, or to provide financial services. Some perform military, law enforcement or judicial functions. Meanwhile others deliver education, conduct research or seek to strengthen shared cultural or religious ties. The definition in the GDPR opens up the potential field even further by including ‘any other body which is set up by, or on the basis of, an agreement between two or more countries’ (Article 4(26)). Such diversity may suggest the need for different treatment. Attempts to articulate a coherent taxonomy of IOs (for the purposes of identifying whether they merit different privileges and immunities), however, have faltered (Klabbers). Thus, while there is a presumption that they act in the public interest, there is nothing in the international law definition (or the GDPR) that requires them to do so. The focus is instead, on formal attributes. Article 2 of the ILC Draft Articles on the International Responsibility of International Organizations 2011, therefore, defines an IO as one ‘established by a treaty or other instrument governed by international law and possessing its own international legal personality’ while the GDPR refers to bodies governed by public international law, or established by agreement between two or more States (Article 4(26)). In the few cases in which courts have considered whether a body is an IO, they have taken into account the public nature of their tasks (SAT Fluggesellschaft mbH v European Organization for the Safety of Air Navigation (1994); Reineccius v Bank for International Settlements (2002)). Identifying what constitutes the public interest, however, is not straightforward. 
Thus, whilst one may question whether a body whose activities are focussed on the interests of a particular group of individuals is acting in the ‘public’ interest, or whether pursuing profit for shareholders serves the public good, this is too simplistic. In particular, it overlooks the benefits that accrue to everyone when the peace, prosperity, and wellbeing of our global neighbours are secured (indeed isn’t this the premise of the UN and the EU?). But perhaps this is too generous.

What is material for the purposes of Article 49(1)(d) is that the public interest is recognised by EU or Member State law. This includes the public interest in ‘international cooperation’ in a ‘spirit of reciprocity’. While this looks broad, the EDPB advises that it entails more than the identification of a common, but abstract purpose pursued for the public good. This arguably precludes the ‘your interests are my interests’ approach suggested above. On the other hand, the existence of an international agreement to which the Member State (or EU) is a party, which ‘recognises a certain objective and provides for international cooperation to foster that objective’, may, according to the EDPB, be evidence of an important public interest. The implication of this is that if the EU or a Member State has determined that an issue should be addressed by means of international cooperation through an IO then ipso facto, its activities serve important reasons of public interest. The exporting Member State’s membership of the IO would, it appears, be sufficient, in principle, to enable reliance on Article 49(1)(d). The criteria for determining whether the activities of IOs in which Europe does not participate are in the public interest, however, remain opaque.

A bespoke adequacy regime?

Perhaps the solution involves Article 45. To date, IOs have shown little appetite for engaging with the adequacy process. Their hesitation doubtless stems from concerns that doing so would compromise their inviolability or immunity. Nor are the criteria in Article 45 well-suited to assessing whether they adequately protect personal data. Substantively, their focus is on the domestic legislative framework for the protection of fundamental rights, including data protection, and the existence of international commitments to such standards. Procedurally, their concern is with the judicial mechanisms that exist for the enforcement of data rights. While these considerations make sense when assessing a third country, it is doubtful whether they are appropriate benchmarks for IOs (Ntouvas). A bespoke adequacy regime for IOs would, therefore, be required. A starting point for this could be a commitment to a core set of principles along the lines of the UN Data Protection and Privacy Principles. In terms of remedies and supervision, lessons could be learned from the approach taken by the ECtHR in cases involving clashes between the immunity of IOs and the right of access to justice. There the focus of the inquiry is on proportionality and whether the individual has a ‘reasonable alternative means of redress’ (Waite and Kennedy v Germany (2000)), albeit its absence does not necessarily imply disproportionality (Stichting Mothers of Srebrenica v Netherlands (2013)). Meanwhile, existing rules that provide for periodic review and the revocation of adequacy decisions where standards fall short would require adjustment.

Conclusion

The assimilation of IOs with States in Chapter V of the GDPR looks like an afterthought. The way they handle personal data plays into the wider narrative around their accountability and although it is right to expect that information transferred to them will be protected, the existing mechanisms for doing so are poorly adapted to their circumstances. While the UN has the political clout to advocate strongly in favour of special recognition of the important public interests it serves, others may not, and the precise contours of what the public interest means in the context of IOs in which Europe does not participate remain ill-defined. One solution is to treat them all as ‘innately good, socially beneficial creatures’ (Klabbers) or, if a one size fits all approach is unsuitable, then bespoke tailoring is required.
