The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating across the globe. In practice, all companies collect personal data of, for example, their customers, suppliers, or contractors (i.e., “data subjects”). However, they are not always aware of their legal obligations when using—and especially when transferring—these data.
For example, companies must take special precautions when personal data are transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of “transfer of personal data” is very broad. For instance, it also covers hosting of personal data on servers in the cloud. Several mechanisms are available to ensure an “adequate level of protection” for EU data subjects’ personal data that are transferred to third countries outside of the European Economic Area (“EEA”). However, some of these mechanisms are being challenged, sometimes successfully. An example thereof is the decision of the Court of Justice of the European Union (CJEU) to strike down the EU safe harbor principles that governed data transfers to the United States of America (“USA”) until recently.
Adequate level of protection
Transfers of personal data within the European Union are authorized under the Member States’ national legislation. In addition, personal data can also be transferred to countries outside the EEA that ensure an “adequate level of protection” of personal data. The same rules generally apply under the GDPR.
The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. The European Commission has, so far, only recognized the following countries that do offer this level of protection: Andorra, Argentina, Canada (only for certain kinds of processing), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
Data subject’s consent
If a company intends to transfer personal data to a third country outside of the EEA that has not been recognized by the European Commission as offering an adequate level of protection, it can rely on the data subject’s consent to allow such a transfer. However, such consent must be free, clear, and unequivocal. This can prove to be quite tricky when it comes to employees’ personal data, as in many countries an employee is considered not to be in a position that allows him or her to freely consent to a request from the employer. Consent is thus not always the “magic” solution for businesses.
If not, other mechanisms?
- Transfers to the United States of America – Safe Harbor
Because of the significant amount of data flows that occur between the EU and the USA, a flexible regime was adopted fifteen years ago for the exchange of personal data between these territories. This regime was known as “Safe Harbor”. It allowed companies to certify themselves as “Safe Harbor” compliant by subscribing to a set of EU-like privacy principles set forth by the Department of Commerce of the United States. This qualification was seen as sufficient to authorize any transfer of personal data from companies established in the EU to US-based companies. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by the US public authorities, the CJEU recently invalidated the Safe Harbor regime. Meanwhile, a new legal framework for transatlantic transfers of personal data has been adopted by the European Commission, known as the “Privacy Shield”. The focus of the Privacy Shield is on trust and effective enforcement of EU citizens’ right to privacy, and it imposes clear safeguards and transparency obligations on U.S. public authorities. The Privacy Shield was criticized by various national DPAs and is currently under scrutiny by the CJEU.
- EU Standard Contractual Clauses
EU-based companies transferring personal data to a third country outside of the EEA can also rely on the so-called “EU Model Clauses”. These are templates of contract provisions that have been drafted by the Commission and are considered to provide adequate safeguards with respect to data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA. However, the EU Model Clauses have recently been challenged by an Irish data protection officer. He has requested the Irish Court to refer a case to the CJEU in order to determine whether reliance on the EU Model Clauses is legal under EU law, particularly in view of the allegations of mass surveillance by U.S. intelligence authorities.
- Binding corporate rules
Multinational companies wishing to avoid having to sign contractual clauses for every single data transfer within the group can adopt internal good practice rules.
These are known as “Binding Corporate Rules”. They define within the group of companies the policy as well as the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside of the EEA that do not provide an adequate level of data protection.
Apart from the limited possibility of relying on the data subject’s consent, or on Binding Corporate Rules within international groups, the legal basis for data transfers to the USA remains uncertain. Indeed, the future of the EU Model Clauses has also become uncertain. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as a code of conduct approved by the national regulatory authority or a certification mechanism validated by the competent certification body. It remains to be seen if, and to what extent, the GDPR and the decisions of the CJEU and national bodies will actually be able to resolve the remaining uncertainties in this area.