
GDPR: Cross-border transfers - don’t be on the wrong track!

01.07.2016

The virtual world has no borders, and we often do not realize the massive volume of data flows generated within companies operating across the globe. In practice, every company collects personal data of, for example, its customers, suppliers, or contractors (i.e., “data subjects”). However, companies are not always aware of their legal obligations when using, and especially when transferring, that data.

For example, companies must take special precautions when personal data are transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of “transfer of personal data” is very broad: it also covers, for instance, the hosting of personal data on cloud servers located in such a country. Several mechanisms are available to ensure an “adequate level of protection” for EU data subjects’ personal data that are transferred to third countries outside the European Economic Area (“EEA”). However, some of these mechanisms are being challenged, sometimes successfully. One example is the decision of the Court of Justice of the European Union (CJEU) to strike down the EU Safe Harbor principles that, until recently, governed data transfers to the United States of America (“USA”).

Adequate level of protection

Transfers of personal data within the European Union are authorized under the Member States’ national legislation. Personal data can also be transferred to countries outside the EEA that ensure an “adequate level of protection” of personal data. The same rules generally apply under the GDPR.

The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. So far, the European Commission has recognized only the following countries as offering this level of protection: Andorra, Argentina, Canada (only for data processed by private-sector organizations subject to its federal privacy legislation, PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.

Data subject’s consent

If a company intends to transfer personal data to a third country outside the EEA that the European Commission has not recognized as offering an adequate level of protection, it can rely on the data subject’s consent to the transfer. However, such consent must be freely given, specific, and unambiguous. This can prove tricky for employees’ personal data, as the regulators in many countries consider that an employee, given the imbalance of power, is not in a position to freely consent to a request from his or her employer. Consent is thus not always the “magic” solution for businesses.

If not consent, which other mechanisms?

  1. Transfers to the United States of America – Safe Harbor
    Because of the significant volume of data flows between the EU and the USA, a flexible regime for the exchange of personal data between these territories was adopted fifteen years ago. This regime was known as “Safe Harbor”. It allowed US companies to self-certify as Safe Harbor compliant by subscribing to a set of EU-like privacy principles issued by the US Department of Commerce. This certification was deemed sufficient to authorize any transfer of personal data from companies established in the EU to the certified US-based company. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by US public authorities, the CJEU recently invalidated the Safe Harbor regime. Meanwhile, the European Commission has adopted a new legal framework for transatlantic transfers of personal data, known as the “Privacy Shield”. The Privacy Shield focuses on trust and on effective enforcement of EU citizens’ right to privacy, and it imposes clear safeguards and transparency obligations on US public authorities. It has been criticized by various national DPAs and is likely to come under the scrutiny of the CJEU.
  2. EU Standard Contractual Clauses
    EU-based companies transferring personal data to a third country outside the EEA can also rely on the so-called “EU Model Clauses”. These are template contract provisions drafted by the Commission that are considered to provide adequate safeguards for data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA. However, the EU Model Clauses have recently been challenged by the Irish Data Protection Commissioner, who has asked the Irish High Court to refer the question to the CJEU in order to determine whether reliance on the EU Model Clauses is lawful under EU law, particularly in view of the allegations of mass surveillance by US intelligence authorities.
  3. Binding Corporate Rules
    Multinational companies wishing to avoid signing contractual clauses for every single data transfer within the group can adopt internal binding rules, known as “Binding Corporate Rules” (BCRs), which must be approved by the competent DPAs. BCRs define, within the group of companies, the policy and the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside the EEA that do not provide an adequate level of data protection. Note that BCRs cover only intra-group transfers; transfers to processors or vendors outside the group still require another mechanism.

Apart from the limited possibility of relying on the data subject’s consent, or on Binding Corporate Rules within international groups, the legal basis for data transfers to the USA remains uncertain. Indeed, the future of the EU Model Clauses has also become uncertain. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as a code of conduct approved by the competent supervisory authority or a certification mechanism validated by an accredited certification body. It remains to be seen whether, and to what extent, the GDPR and the decisions of the CJEU and national bodies will actually resolve the remaining uncertainties in this area.

This article is part of a series of articles on the GDPR.
