GDPR: Cross-border transfers - don’t be on the wrong track!

01.07.2016

The virtual world has no borders, and we often do not realize the massive volume of data flows generated within companies operating across the globe. In practice, all companies collect personal data of, for example, their customers, suppliers, or contractors (i.e., "data subjects"). However, they are not always aware of their legal obligations when using, and especially when transferring, those data.

For example, companies must take special precautions when personal data are transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of "transfer of personal data" is very broad. For instance, it also covers hosting of personal data on servers in the cloud located outside Europe. Several mechanisms are available to ensure an "adequate level of protection" for EU data subjects' personal data that are transferred to third countries outside of the European Economic Area ("EEA"). However, some of these mechanisms are being challenged, sometimes successfully. An example thereof is the decision of the Court of Justice of the European Union (CJEU) to strike down the EU Safe Harbor principles that governed data transfers to the United States of America ("USA") until recently.

Adequate level of protection

Transfers of personal data within the European Union are authorized under the Member States' national legislation. In addition, personal data can also be transferred to countries outside the EEA that ensure an "adequate level of protection" of personal data. The same rules generally apply under the GDPR.

The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. So far, the European Commission has recognized only the following countries as offering this level of protection: Andorra, Argentina, Canada (only for commercial organisations subject to the Canadian PIPEDA), the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. Transfers to any other third country require one of the mechanisms discussed below.

Data subject’s consent

If a company intends to transfer personal data to a third country outside of the EEA that has not been recognized by the European Commission as offering an adequate level of protection, it can rely on the data subject's consent to allow such transfer. However, such consent must be free, clear, and unequivocal. Under the GDPR, the consent must moreover be explicit and may only be given after the data subject has been informed of the possible risks of the transfer. This can prove quite tricky when it comes to employees' personal data, as in many countries an employee is considered not to be in a position to freely consent to a request from the employer. Consent is thus not always the "magic" solution for businesses.

If consent is not available, which other mechanisms?

  1. Transfers to the United States of America – Safe Harbor
    Because of the significant amount of data flows between the EU and the USA, a flexible regime was adopted in 2000 for the exchange of personal data between these territories. This regime was known as "Safe Harbor". It allowed companies to certify themselves as "Safe Harbor" compliant by subscribing to a set of EU-like privacy principles set forth by the United States Department of Commerce. This self-certification was seen as sufficient to authorize any transfer of personal data from companies established in the EU to US-based companies. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by US public authorities, the CJEU invalidated the Safe Harbor regime in October 2015. Meanwhile, a new legal framework for transatlantic transfers of personal data has been adopted by the European Commission, known as the "Privacy Shield". The focus of the Privacy Shield is on trust and effective enforcement of EU citizens' right to privacy, and it imposes clear safeguards and transparency obligations on US public authorities. The Privacy Shield has been criticized by several national DPAs and is currently under scrutiny by the CJEU.
  2. EU Standard Contractual Clauses
    EU-based companies transferring personal data to a third country outside of the EEA can also rely on the so-called "EU Model Clauses" (Standard Contractual Clauses). These are template contract provisions drafted by the European Commission that are considered to provide adequate safeguards with respect to data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA. However, the EU Model Clauses have recently been challenged by the Irish Data Protection Commissioner (the Irish DPA), who has asked the Irish High Court to refer the matter to the CJEU in order to determine whether reliance on the EU Model Clauses is valid under EU law, particularly in view of the allegations of mass surveillance by US intelligence authorities.
  3. Binding corporate rules
    Multinational companies wishing to avoid having to sign contractual clauses for every single data transfer within the group can adopt internal binding rules of good practice, known as "Binding Corporate Rules". They define, within the group of companies, the policy as well as the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside of the EEA that do not provide an adequate level of data protection. Binding Corporate Rules must be approved by the competent data protection authorities before they can be relied upon, and they only cover transfers within the group, not transfers to third-party service providers outside it.

Apart from the limited possibility of relying on the data subject's consent, or on Binding Corporate Rules within international groups, the legal basis for data transfers to the USA remains uncertain. Indeed, the future of the EU Model Clauses has also become uncertain. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as a code of conduct approved by the competent supervisory authority or an approved certification mechanism, in each case combined with binding and enforceable commitments of the recipient to apply those safeguards. It remains to be seen if and to what extent the GDPR and the decisions of the CJEU and national bodies will actually resolve the remaining uncertainties in this area.
