The EU General Data Protection Regulation (GDPR) applies to all EU companies, and to many non-EU companies engaged in commercial activity within the EU. Businesses must comply with strict rules about how they collect, use and share personal data.
There would be little point in enforcing these rules within the EU if companies were allowed to export personal data to countries with weaker privacy laws without any conditions attached. This is why the transfer of personal data to non-EU countries is tightly regulated.
There's no firewall that automatically prevents personal data from leaving the EU. Instead, there are a number of legal mechanisms by which companies can transfer personal data overseas.
Let's work through these mechanisms and see which one might apply to your business.
International Transfers of Personal Data
The rules about transferring personal data to third countries are set out across Chapter 5 of the GDPR.
There are several ways in which personal data might be transferred from a sender in the EU to a recipient in a non-EU country. We'll be focusing on these four situations:
- The recipient's country has received an adequacy decision from the European Commission
- The sender and the recipient are within separate companies, and are bound by a contract containing standard data protection clauses
- The sender and recipient are within different entities of a multinational corporation or corporate group within which Binding Corporate Rules have been agreed
- The transfer is an exceptional event and the sender can rely on one of the GDPR's derogations
There are some other mechanisms involving public authorities, certification, and codes of conduct which will not be discussed in this article.
If you read the text of the GDPR, you'll notice that the GDPR talks a lot about "international organizations" in the context of international transfers. This is also not relevant to this article. It refers to a public body governed by international law.
EU data protection law is very strict. The GDPR is the main data protection law in the EU. It regulates the collection, use, storage, and sharing of information about individuals.
Before we explain the rules around international transfers of personal data, it's important to define a few key terms:
- Personal data - Information that can, directly or indirectly, lead to the identification of a living individual (data subject). Examples include a person's full name, address, or cookie ID.
- Processing - Doing something with personal data. Examples include collecting, sending or storing it.
- Data controller - An entity that "determines the purposes and means of the processing of personal data." For example, a company wanting to promote a new product might use its customers' names and email addresses to distribute marketing communications.
- Data processor - An entity that "processes personal data on behalf of a data controller." For example, a marketing company that receives a list of customer email addresses from a data controller, and then sends marketing communications on behalf of that company.
- Third country - A country that is outside of the European Economic Area (EEA). The EEA includes all of the EU countries plus Iceland, Liechtenstein, and Norway.
When Do the Transfer Rules Apply?
The international transfer rules apply when one entity (be it an individual, public body, or business) sends personal data from inside the EU to another entity in a third country (see the definition above).
The rules also cover situations in which EU-originating personal data received in a third country is transferred onwards to another recipient who is also in a third country.
The rules on international transfers are not designed to cover situations where the obtaining and transferring of personal data is contained entirely within one company, even where the company is based in a third country.
This is because a non-EU company is already bound by the GDPR whenever it is processing the personal data of EU data subjects (providing it meets the conditions set out in Article 3 of the GDPR).
Therefore, the whole of the GDPR applies when a company collects the personal data of EU data subjects. There is no need to impose special rules that bind the recipient to store the personal data securely, provide access to it, etc. These rules already apply directly.
Here are two examples in which the rules around international transfers would not apply:
- An Australian company collects EU consumers' personal data via its website. The personal data is stored on servers located in Australia.
- A Brazilian company has a branch in Portugal. This branch is part of the main company and not a subsidiary, affiliate or franchise. Personal data is sent from the Portuguese office to the company's headquarters in Brazil.
In both cases, the personal data must be collected, stored, and shared (or otherwise processed) in accordance with the GDPR. But the transfer from the EU to the third country is not restricted by the rules around international transfers.
Any onward transfers to other non-EU companies, even within the recipient third country, would be governed by the international transfer rules.
Approved Third Countries
Certain third countries are not affected by the rules on international transfers. The European Commission has reviewed data protection practices in these countries and deemed them to be "adequate."
If you're transferring personal data to these countries, you can treat them as EU countries. You don't need any special arrangements in place with the recipient. Of course, you must still obey the GDPR, just as you would if you were transferring personal data within the EU.
Countries with an Adequacy Decision
Before the European Commission makes an adequacy decision, it must be convinced that the country offers an equivalent level of safeguards to those provided under the GDPR.
Many factors are considered. The country seeking an adequacy decision must demonstrate that:
- The principles of data processing are guaranteed under national law
- Data protection is regulated by an independent public authority
- Further transfers of EU citizens' personal data to "non-adequate" countries will not take place without consent
The following countries are in receipt of an adequacy decision:
Transfers to Guernsey, Jersey, and the Isle of Man are also covered. These are territories of the United Kingdom but are not part of the EU.
Additionally, Canada is approved, but only in respect of private sector organizations covered by the Personal Information Protection and Electronic Documents Act (PIPEDA).
Talks with South Korea are underway.
United States (Privacy Shield)
The United States does not have an adequacy decision from the Commission. However, there is a scheme available to US companies that will allow them to receive personal data without any additional safeguards.
The Privacy Shield framework is a certification process requiring US businesses to commit to certain principles, costs, and liabilities in relation to data protection. Once certified, a US company can send and receive EU citizens' personal data to and from an EU company without restrictions.
Privacy Shield-certified companies include Google and Facebook along with many smaller organizations.
You can apply to join the scheme by completing the form on the Privacy Shield website:
Standard Contractual Clauses
Standard contractual clauses (SCCs) are a method to allow transfers of personal data between EU and third-country companies.
SCCs are issued by the European Commission and can be inserted into contracts between companies. The clauses aim to ensure that each company complies with similar rules and principles as required under the GDPR.
Who Can Use Standard Contractual Clauses?
SCCs can be used by any type of business. They can represent a solution for a company of any size wishing to enter into business arrangements involving the sharing of personal data.
SCCs can be used in contracts:
Here are some examples where both companies are data controllers:
- A German company arranges coach tours in South Africa. A South African company provides the coaches. The German company needs to regularly transfer passenger lists to the South African company.
- A Polish private language school runs an exchange program with a private school in Australia. The schools need to exchange details about the students.
Here's an example involving a data controller and data processor:
- An Irish company wishes to use an Indian email marketing company. The Irish company needs to provide the Indian company with its customers' email addresses.
Having a contract containing SCCs can help lawfully facilitate such transfers.
Using Standard Contractual Clauses
The Commission has produced three sets of SCCs.
For use where the sender is an EU data controller and the recipient is a third-country data controller:
For use where the sender is an EU data controller and the recipient is a third-country data processor:
By agreeing to a contract containing the SCCs, the parties are legally bound to provide a high standard of data protection and privacy.
For example, this clause from Decision 2001/497/EC requires data controllers to provide an opt-out mechanism from all direct marketing correspondence (such as an "unsubscribe" link):
And this optional clause from Decision 2010/87/EU requires one party to indemnify the other for any losses created by its breach of the SCCs:
This helps ensure that data subjects can claim compensation if their rights under the GDPR are violated.
Binding Corporate Rules
Binding Corporate Rules (BCRs) are another method that businesses can use to facilitate a lawful international transfer of personal data. BCRs are designed to allow for smoother intra-organizational transfers of personal data within multinational corporations and joint enterprises.
BCRs are like a corporation's "data protection code of conduct." They set out the principles of data processing and the chain of accountability within a corporation. BCRs are legally binding.
Who Can Use Binding Corporate Rules?
Two types of organization might consider implementing BCRs:
- A multinational corporation that operates in the EU and has affiliates, franchises and/or subsidiaries based in third countries
- A group of companies working together to process personal data in a joint enterprise, where some members of the group are based in the EU, and some members are based in third countries
BCRs will not be an appropriate option for smaller companies that do not have a network of affiliates or are not part of a larger corporate group.
Drafting Binding Corporate Rules
BCRs are drafted by the corporation(s) seeking to adopt them. They must be approved by a Data Protection Authority.
BCRs must comply with the criteria developed by the Article 29 Working Party in a series of working papers it produced between 2003 and 2008. The papers include:
BCRs must include certain provisions. For example, there must be a commitment for the corporation to accept liability and pay compensation in the event of a breach of the rules.
Here's an example of this clause in the BCRs adopted by EY Group (at page 5):
BCRs must also contain assurances that the staff working with the corporation will receive adequate training in data protection. Here's the relevant part of Mastercard's BCRs (at page 21):
BCRs must be submitted via the official application form in Working Paper 133.
Derogations for Specific Situations
The GDPR also includes a set of derogations (exceptions) to the rules around international transfers.
These are characterized as exceptions, rather than additional mechanisms for facilitating a transfer. This is because they are not suitable as a regular or long-term solution.
If you need to make a transfer of personal data from the EU to a third country but none of the above safeguards are in place, you can do so if one of the exceptions under Article 49 of the GDPR applies.
We're going to look at some of the examples that might be most relevant to business-owners.
If the data subject has provided their explicit, specific and informed consent, you can make a one-off transfer.
The GDPR sets a very high bar for consent. In this case, the threshold should be considered to be even higher, as Article 49 makes reference to "explicit" consent.
The data subject must receive all relevant information before they can consent to the transfer. The UK's Information Commissioner's Office says that the following information should be provided:
You may be able to make a one-off transfer if it's necessary to do so in order for you to fulfill your obligations under a contract with the data subject or enter into a contract with the data subject.
It's important to emphasize that the transfer must be necessary for these purposes. This means that if you did not carry out the transfer, you would be in breach of your core obligations under the contract or unable to enter into the contract.
An additional derogation exists to allow transfers to be made for other beneficiaries of the data subject's contract. For example, where a person has booked a hotel for their whole family, the personal data of the other family members can also be transferred if required.
This derogation is strictly for occasional use and is likely to be necessary only in special circumstances.
It may be in your legitimate interests to make an international transfer even where none of the safeguards or other exceptions apply.
This is an absolute last resort, and must only be used in truly exceptional circumstances.
Before you can rely on legitimate interests, you must carry out a Legitimate Interests Assessment in order to balance your interests against the rights of the data subject.
You must inform your Data Protection Authority about the transfer if you're planning to invoke this exemption.
Letting People Know
As we've seen, there are several mechanisms for facilitating an international transfer. Your company might not routinely make transfers outside of the EEA, or do so only to approved third countries.
Here's how Friendly Homecare explains this:
Privacy Shield participants must publish a specific Privacy Shield Policy as part of their accreditation. Here's part of Stripe's Privacy Shield Policy:
The GDPR doesn't seek to prohibit international transfers of personal data. But it does require that they occur subject to some quite strict rules.
Consider whether any of the following methods might be appropriate for your company:
- Transfers to approved third countries
- Privacy Shield participation
- Standard contractual clauses
- Binding Corporate Rules
- Derogations for specific situations