13 February 2020
The EU General Data Protection Regulation (GDPR) applies to all EU companies, and to many non-EU companies engaged in commercial activity within the EU. Businesses must comply with strict rules about how they collect, use and share personal data.
There would be little point in enforcing these rules within the EU if companies were allowed to export personal data to countries with weaker privacy laws without any conditions attached. This is why the transfer of personal data to non-EU countries is tightly regulated.
There's no firewall that automatically prevents personal data from leaving the EU. Instead, there are a number of legal mechanisms by which companies can transfer personal data overseas.
Let's work through these mechanisms and see which one might apply to your business.
The rules about transferring personal data to third countries are set out across Chapter 5 of the GDPR.
There are several ways in which personal data might be transferred from a sender in the EU to a recipient in a non-EU country. We'll be focusing on these four situations:
There are some other mechanisms involving public authorities, certification, and codes of conduct which will not be discussed in this article.
If you read the text of the GDPR, you'll notice that the GDPR talks a lot about "international organizations" in the context of international transfers. This is also not relevant to this article. It refers to a public body governed by international law.
EU data protection law is very strict. The GDPR is the main data protection law in the EU. It regulates the collection, use, storage, and sharing of information about individuals.
Before we explain the rules around international transfers of personal data, it's important to define a few key terms:
The international transfer rules apply when one entity (be it an individual, public body, or business) sends personal data from inside the EU to another entity in a third country (see the definition above).
The rules also cover situations in which EU-originating personal data received in a third country is transferred onwards to another recipient who is also in a third country.
The rules on international transfers are not designed to cover situations where the obtaining and transferring of personal data is contained entirely within one company, even where the company is based in a third country.
This is because a non-EU company is already bound by the GDPR whenever it is processing the personal data of EU data subjects (providing it meets the conditions set out in Article 3 of the GDPR).
Therefore, the whole of the GDPR applies when a company collects the personal data of EU data subjects. There is no need to impose special rules that bind the recipient to store the personal data securely, provide access to it, etc. These rules already apply directly.
Here are two examples in which the rules around international transfers would not apply:
In both cases, the personal data must be collected, stored, and shared (or otherwise processed) in accordance with the GDPR. But the transfer from the EU to the third country is not restricted by the rules around international transfers.
Any onward transfers to other non-EU companies, even within the recipient third country, would be governed by the international transfer rules.
Certain third countries are not affected by the rules on international transfers. The European Commission has reviewed data protection practices in these countries and deemed them to be "adequate."
If you're transferring personal data to these countries, you can treat them as EU countries. You don't need any special arrangements in place with the recipient. Of course, you must still obey the GDPR, just as you would if you were transferring personal data within the EU.
Before the European Commission makes an adequacy decision, it must be convinced that the country offers an equivalent level of safeguards to those provided under the GDPR.
Many factors are considered. The country seeking an adequacy decision must demonstrate that:
The following countries are in receipt of an adequacy decision:
Additionally, Canada is approved, but only in respect of private sector organizations covered by the Personal Information Protection and Electronic Documents Act (PIPEDA).
Talks with South Korea are underway.
The United States does not have an adequacy decision from the Commission. However, there is a scheme available to US companies that will allow them to receive personal data without any additional safeguards.
The Privacy Shield framework is a certification process requiring US businesses to commit to certain principles, costs, and liabilities in relation to data protection. Once certified, a US company can send and receive EU citizens' personal data to and from an EU company without restrictions.
You can apply to join the scheme by completing the form on the Privacy Shield website:
Standard contractual clauses (SCCs) are a method to allow transfers of personal data between EU and third-country companies.
SCCs are issued by the European Commission and can be inserted into contracts between companies. The clauses aim to ensure that each company complies with similar rules and principles as required under the GDPR.
SCCs can be used by any type of business. They can represent a solution for a company of any size wishing to enter into business arrangements involving the sharing of personal data.
SCCs can be used in contracts:
Here are some examples where both companies are data controllers:
Here's an example involving a data controller and data processor:
Having a contract containing SCCs can help lawfully facilitate such transfers.
The Commission has produced three sets of SCCs.
For use where the sender is an EU data controller and the recipient is a third-country data controller:
For use where the sender is an EU data controller and the recipient is a third-country data processor:
By agreeing to a contract containing the SCCs, the parties are legally bound to provide a high standard of data protection and privacy.
For example, this clause from Decision 2001/497/EC requires data controllers to provide an opt-out mechanism from all direct marketing correspondence (such as an "unsubscribe" link):
And this optional clause from Decision 2010/87/EU requires one party to indemnify the other for any losses created by its breach of the SCCs:
This helps ensure that data subjects can claim compensation if their rights under the GDPR are violated.
Binding Corporate Rules (BCRs) are another method that businesses can use to facilitate a lawful international transfer of personal data. BCRs are designed to allow for smoother intra-organizational transfers of personal data within multinational corporations and joint enterprises.
BCRs are like a corporation's "data protection code of conduct." They set out the principles of data processing and the chain of accountability within a corporation. BCRs are legally binding.
Two types of organization might consider implementing BCRs:
BCRs will not be an appropriate option for smaller companies that do not have a network of affiliates or are not part of a larger corporate group.
BCRs are drafted by the corporation(s) seeking to adopt them. They must be approved by a Data Protection Authority.
BCRs must comply with the criteria developed by the Article 29 Working Party in a series of working papers it produced between 2003 and 2008. The papers include:
BCRs must include certain provisions. For example, there must be a commitment for the corporation to accept liability and pay compensation in the event of a breach of the rules.
Here's an example of this clause in the BCRs adopted by EY Group (at page 5):
BCRs must also contain assurances that the staff working with the corporation will receive adequate training in data protection. Here's the relevant part of Mastercard's BCRs (at page 21):
BCRs must be submitted via the official application form in Working Paper 133.
The GDPR also includes a set or derogations (exceptions) to the rules around international transfers.
These are characterized as exceptions, rather than additional mechanisms for facilitating a transfer. This is because they are not suitable as a regular or long-term solution.
If you need to make a transfer of personal data from the EU to a third country but you have none of the above safeguards are in place, you can do so if one of the exceptions under Article 49 of the GDPR applies.
We're going to look at some of the examples that might be most relevant to business-owners.
If the data subject has provided their explicit, specific and informed consent, you can make a one-off transfer.
The GDPR sets a very high bar for consent. In this case, the threshold should be considered to be even higher, as Article 49 makes reference to "explicit" consent.
The data subject must receive all relevant information before they can consent to the transfer. The UK's Information Commissioner's Office says that the following information should be provided:
You may be able to make a one-off transfer if it's necessary to do so in order for you to fulfill your obligations under a contract with the data subject or enter into a contract with the data subject.
It's important to emphasize that the transfer must be necessary for these purposes. This means that if you did not carry out the transfer, you would be in breach of your core obligations under the contract or unable to enter into the contract.
An additional derogation exists to allow transfers to be made for other beneficiaries of the data subject's contract. For example, where a person has booked a hotel for their whole family, the personal data of other family members also can be transferred if required.
This derogation is strictly for occasional use and is likely to be necessary only in special circumstances.
It may be in your legitimate interests to make an international transfer even where none of the safeguards or other exceptions apply.
This is an absolute last resort, and must only be used in truly exceptional circumstances.
Before you can rely on legitimate interests, you must carry out a Legitimate Interests Assessment in order to balance your interests against the rights of the data subject.
You must inform your Data Protection Authority about the transfer if you're planning to invoke this exemption.
As we've seen, there are several mechanisms for facilitating an international transfer. Your company might not routinely make transfers outside of the EEA, or do so only to approved third countries.
Here's how Friendly Homecare explains this:
Privacy Shield participants must publish a specific Privacy Shield Policy as part of their accreditation. Here's part of Stripe's Privacy Shield Policy:
The GDPR doesn't seek to prohibit international transfers of personal data. But it does require that they occur subject to some quite strict rules.
Consider whether any of the following methods might be appropriate for your company: