This article was first published by IAPP in Privacy Perspectives
Although there is no universally accepted definition of international organizations in public international law, Article 4(26) of the General Data Protection Regulation describes them as “organizations and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.” This paragraph was not contained in the original European Commission proposal for the GDPR and was introduced later by the European Council.
The requirement that an international organization be “set up by, or on the basis of an agreement between states” allows an organization given a mandate under public international law to be considered subject to the requirements and rigors of the GDPR.
International organizations have different mandates, including collecting information and monitoring trends, delivering services and aid as part of humanitarian missions, conducting peaceful military exercises, or providing forums for bargaining and settling disputes.
An international organization that has been given a mandate under public international law will process personal data precisely in order to accomplish that mission and mandate.
Data analytics, drones and unmanned aerial vehicles, biometrics, cloud services, and mobile messaging applications inevitably depend on the collection and further processing of personal data. Accordingly, international organizations are required to implement rules to protect the processing of personal data.
In some sectors, the misuse of personal data may have life-and-death consequences. For example, the disclosure of a simple list of the names of peacekeepers (blue helmets) taking part in an international humanitarian mission may endanger their lives. Data protection laws can provide a manual for processing personal data derived from regional and international human rights standards. The lawful processing of personal data by international organizations, according to GDPR standards, can help build trust with the individuals protected under the international organization’s missions.
Privileges and immunities under international law for organizations and their potential clashes with the GDPR
There are claims that the GDPR does not apply to international organizations and that they were intended to fall outside the regulation’s scope. According to Advocate General Maciej Szpunar of the Court of Justice of the European Union, EU law has extraterritorial effects only “in extreme situations of an exceptional nature.” The European Commission has also stated informally that the GDPR does not apply to international organizations directly, since they generally enjoy privileges and immunities under international law. However, the commission also maintains that the GDPR’s international data transfer rules apply to transfers from the EU to international organizations.
Alternatively, there are claims that applying the GDPR to international organizations should be determined under its material and territorial scope. The GDPR contains several exemptions from its material scope, and the legislator could have mentioned international organizations among them if it had meant to exclude them.
Under Article 44(1), transfers of EU data between international organizations may only be carried out subject to the regulation’s rules, indicating the legislators’ concern about the processing of such personal data. The Court of Justice of the European Union has also found that EU law can take precedence over international law when EU fundamental rights, including data protection rights, are involved. Therefore, the argument that the GDPR intended to exclude all international organizations from its scope per se does not seem plausible.
Many international organizations are granted immunity from jurisdiction and immunity from constraint measures in the countries where they operate to protect their property and assets. When granted under a treaty, the international organization’s immunities usually relate to any of its acts.
Every act of the organization is indeed presumed to pursue the purposes of the organization. In the Waite and Kennedy v. Germany and Beer and Regan v. Germany cases, the European Court of Human Rights accepted that granting privileges and immunities to international organizations has a legitimate objective. In particular, the court said, “The attribution of privileges and immunities to international organizations is an essential means of ensuring the proper functioning of such organizations free from unilateral interference by individual governments.”
Since EU law becomes part of the legal order of member states, immunities assumed in international treaties should also apply when a data protection authority or national court attempts to carry out enforcement action under the GDPR. Hard enforcement by data protection authorities against international organizations is therefore unlikely.
Soft enforcement is more likely, through informal pressure that public and private sector actors can exert on international organizations to adopt the GDPR. This may involve, for example, an EU agency requiring an international organization to comply with the GDPR as a condition for receiving funding, or a company that provides services to an international organization demanding that it accept a clause in the services agreement stating that it complies with the GDPR. Soft enforcement can be more difficult for international organizations to resist than hard enforcement.
There is usually no way to mitigate the effects of soft enforcement short of refusing to deal with the actor making the demands. Furthermore, it could be interpreted under customary international law that, in the absence of any means of redress instituted within the organization, its immunity must automatically be set aside.
Legal basis for processing personal data by the international organizations under the GDPR and the data subject rights
For international organizations in the humanitarian sector, the GDPR offers legal grounds for processing personal information, such as the performance of a task carried out in the public interest (Article 6(1)(e)) or processing that is in the vital interests of data subjects or of another natural person (Article 6(1)(d)). Indeed, according to Recital 46, “some types of processing may serve both important grounds of public interest and the vital interests of data subjects as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”
Further, Recital 112 prescribes, “Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplish a task incumbent under the Geneva Convention or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.”
The GDPR requires data controllers to provide information about their dealings with international organizations and gives access rights to data subjects whose data is intended to be transferred to international organizations. Under Articles 13(1)(e) and 14(1)(f), data controllers must inform data subjects of their intention to transfer personal data to international organizations. They must provide information about the existence or absence of a Commission adequacy decision covering the relevant international organization, or about the appropriate safeguards for the data transfer and how to obtain a copy of them.
Under Article 15(1)(c), individuals also have the right to learn from data controllers whether personal data have been or will be disclosed to international organizations, and under Article 15(2) the appropriate safeguards that were used for the transfer. Finally, under Article 28(3)(a), data processors may only transfer personal data to international organizations on the basis of documented instructions from the data controller, unless they are required to do so by EU or member state law.