GDPR: cross-border data transfers
Cross-border data transfers are indispensable for most international businesses and organisations. Almost all businesses rely on cross-border data transfers in their day-to-day operations (e.g. electronic payment systems, Internet-based advertising, cloud-based software services and cloud storage).
In practice, this means that personal data is often transferred by the data controller to a data processor outside the EU. Under the new European data protection law (the General Data Protection Regulation, or GDPR) both the data controller and the data processor can now incur considerable fines for violating the GDPR's requirements for cross-border transfers.
Breaches of the GDPR can attract fines of up to EUR 20,000,000 or up to 4% of global annual turnover. This new statutory liability, which also targets data processors, creates a new level of risk for businesses that rely on international data transfers.
What is the GDPR?
The European Union has modernised and streamlined its data protection laws (the General Data Protection Regulation, or GDPR) in light of new technological developments and the increased use of personal data.
The main objective of the GDPR is to overcome the existing fragmented regulations around data protection. The practical and social implications of the GDPR are very significant, as it constitutes a single and updated set of rules applicable in the whole of the EU and for all the data processing of European citizens.
Although the GDPR is a European piece of legislation, its application goes well beyond the borders of the European Union. Its application beyond Europe's borders is meant to ensure the privacy of EU residents and fair competition within the EU internal market.
No more forum shopping for the lowest data protection standards
The GDPR prevents organisations and businesses from forum shopping. Prior to the GDPR, a multinational business would simply establish itself in the European country where data protection standards were comparatively low.
Cross-border data transfers outside the European Union
The GDPR imposes numerous safeguards on cross-border data transfers outside the European Union to ensure that the level of data protection afforded by the GDPR is not undermined. Transfers of personal data to countries outside the EU are only allowed where certain requirements have been met.
According to article 44 of the GDPR:
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
Any transfer of personal data that is being processed, or is intended to be processed after the transfer, to a third country must comply with the GDPR. 'Transfer of personal data' to third countries includes, for instance, any kind of hosting of personal data in the cloud outside the European Union.
Data may only be transferred to third countries if:
- the transfer complies with the requirements for data processing within the EU (i.e. it is based on the data subject’s consent or based on another statutory permission under the GDPR); and
- the transfer complies with the additional requirements set out in Article 44 et seq. GDPR to ensure an adequate level of data protection.
These requirements are non-negotiable: personal data cannot be transferred to third countries if the above requirements are not met.
Safe Third Countries
Several mechanisms are available to ensure an 'adequate level of protection' for EU data subjects' personal data. Data transfers to countries outside the European Union which the Commission has decided ensure an adequate level of protection do not require any specific authorisation.
The Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
EU – US Privacy Shield
The USA is deemed to provide adequate protection with respect to Privacy Shield-certified companies. The adequacy decisions made by the Commission under the current EU Privacy Directive will remain in force under the GDPR until amended or repealed (see also Privacy Shield). At the time of writing, 2510 American entities have certified themselves as complying with the provisions of the EU-US Privacy Shield. Certified businesses that comply with the Privacy Shield's standards are deemed to provide an adequate level of data protection and can therefore receive personal data from the EU.
European Economic Area (EEA)
Norway, Iceland and Liechtenstein are members of the European Economic Area (EEA) but not of the European Union; they can, however, pass a resolution on the applicability of the GDPR.
An international data transfer can also take place, independently of the level of data protection guaranteed in the third country, if the data subject has explicitly consented to the proposed transfer. In this case the data subject has to be informed about the risks of the proposed transfer due to the absence of an adequate level of data protection in the third country. The data subject also needs to be informed about the exact location of the data and who will be handling their data in the third country.
The data subject has the right to revoke their consent for the international data transfer at any time. It is, therefore, in most cases not advisable to rely on the data subject's consent. Instead, other measures should be used to ensure a lawful cross-border data transfer, such as binding corporate rules or standard contractual clauses.
A violation of the GDPR rules may result in fines of up to EUR 20,000,000 or up to 4% of global annual turnover. For that reason, businesses and organisations should review their approach to international data transfers and check whether they comply with the GDPR.