GDPR: Cross-border transfers - don’t be on the wrong track!
01.07.2016

The virtual world has no borders, and we often do not realize the massive amount of data flows generated within companies operating across the globe. In practice, all companies collect personal data of, for example, their customers, suppliers, or contractors (i.e., “data subjects”). However, they are not always aware of their legal obligations when using, and especially when transferring, those data.

For example, companies must take special precautions when personal data are transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of “transfer of personal data” is very broad. For instance, it also covers hosting of personal data on servers in the cloud. Several mechanisms are available to ensure an “adequate level of protection” for EU data subjects’ personal data that are transferred to third countries outside of the European Economic Area (“EEA”). However, some of these mechanisms are being challenged, sometimes successfully. An example thereof is the decision of the Court of Justice of the European Union (CJEU) to strike down the EU Safe Harbor principles that governed data transfers to the United States of America (“USA”) until recently.

Adequate level of protection

Transfers of personal data within the European Union are authorized under the Member States’ national legislation. In addition, personal data can also be transferred to countries outside the EEA that ensure an “adequate level of protection” of personal data. The same rules generally apply under the GDPR.

The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. The European Commission has, so far, only recognized the following countries that do offer this level of protection: Andorra, Argentina, Canada (only for certain kinds of processing), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.

Data subject’s consent

If a company intends to transfer personal data to a third country outside of the EEA that has not been recognized by the European Commission as offering an adequate level of protection, it can rely on the data subject’s consent for allowing such transfer. However, such consent must be free, clear, and unequivocal. This could prove to be quite tricky when it comes to employees’ personal data, as many countries believe an employee is not in a position that allows him or her to freely give his or her consent to a request from the employer. Consent is thus not always the “magic” solution for businesses.

If not, other mechanisms?

  1. Transfers to the United States of America – Safe Harbor
    Because of the significant amount of data flows that occur between the EU and the USA, a flexible regime was adopted fifteen years ago for the exchange of personal data between these territories. This regime was known as “Safe Harbor”. It allowed companies to certify themselves as “Safe Harbor” compliant by subscribing to a set of EU-like privacy principles set forth by the Department of Commerce of the United States. This certification was seen as sufficient to authorize any transfer of personal data from companies established in the EU to US-based companies. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by the US public authorities, the CJEU recently invalidated the Safe Harbor regime. Meanwhile, a new legal framework for transatlantic transfers of personal data has been adopted by the European Commission, known as the “Privacy Shield”. The focus of the Privacy Shield is on trust and effective enforcement of EU citizens’ right to privacy, and it imposes clear safeguards and transparency obligations on U.S. public authorities. The Privacy Shield has been criticized by various national DPAs and is currently under scrutiny of the CJEU.
  2. EU Standard Contractual Clauses
    EU-based companies transferring personal data to a third country outside of the EEA can also rely on the so-called “EU Model Clauses”. These are templates of contract provisions that have been drafted by the Commission and are considered to provide adequate safeguards with respect to data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA. However, the EU Model Clauses have recently been challenged by an Irish data protection officer. He has requested the Irish Court to refer a case to the CJEU in order to determine whether reliance on the EU Model Clauses is legal under EU law, particularly in view of the allegations of mass surveillance by U.S. intelligence authorities.
  3. Binding corporate rules
    Multinational companies wishing to avoid having to sign contractual clauses for every single data transfer within the group can adopt internal good practice rules.
    These are known as “Binding Corporate Rules”. They define within the group of companies the policy as well as the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside of the EEA that do not provide an adequate level of data protection.

Apart from the qualified possibility to rely on the data subject’s consent, or on the use of Binding Corporate Rules within international groups, the legal basis for data transfers to the USA remains uncertain. Indeed, the future of the EU Model Clauses has also become uncertain. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as a code of conduct approved by the national regulatory authority or a certification mechanism validated by the competent certification body. It remains to be seen if and to what extent the GDPR and the decisions of the CJEU and national bodies will actually be able to resolve the remaining uncertainties in this area.
