GDPR and Cross Border Transfers of Data
Technological advances and global business opportunities mean that personal data travels around the world faster and more easily than ever before. Free movement of data is of prime importance for businesses and many are worried about the effects that the GDPR will have – concerned that it may hinder their business or impose additional administrative burdens upon them.
Understanding the requirements of the GDPR in relation to cross border transfers of personal data is therefore important for all organisations (both controllers and processors, including cloud service providers) that need to move data outside the EU. It will also affect international organisations with global databases, which are likewise caught by the cross border data transfer provisions. In general, the GDPR does not in fact move significantly away from the Directive’s rules for transferring personal data cross-border. However, unlike the limited sanctions within the Directive for failure to comply with transfer requirements, breaches occurring once the GDPR is in force will attract the highest category of fines (up to €20M or, in the case of undertakings, up to 4% of annual worldwide turnover).
Transfers of personal data to third countries outside the EU are allowed only where both controllers and processors comply with the conditions laid down in the GDPR. Under the GDPR, the transfer of personal data to recipients outside the EU is generally prohibited unless:
Adequate Protection. Where personal data is being transferred to a third country (or a territory or one or more specified sectors within that third country, or the international organisation in question) which the Commission has decided ensures an adequate level of protection, personal data can be transferred without any specific authorisation.
EU/US Privacy Shield. Following the decision that the US Safe Harbor is invalid for these purposes, the US has introduced the new EU/US Privacy Shield to fill the gap. The Article 29 Working Party has, however, recently reviewed the adequacy of the Privacy Shield and, whilst welcoming some changes it has made, is of the opinion that a number of important issues remain unresolved. In the joint review report they state that these issues include:
“lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers and on the rights and available recourse and remedies for data subjects. In addition, the WP29 calls for an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies. The US authorities are also requested to clearly distinguish the status of data processors from that of data controllers both at the time of their self-certification and at the time of further checks.
Moreover, further improvements should be made with regard to the interpretation and handling of HR data and the rules governing automated decision-making/profiling. Finally, the self-certification process for companies should be enhanced to ensure uninterrupted protection for data subjects and rapid compliance with the Privacy Shield principles. Additionally, the cooperation between U.S. authorities within the Privacy Shield mechanism should be adjusted.
In addition to the points mentioned above, the WP29 recalls the unresolved issues mentioned in Opinion 1/2016, e.g. absence or limitation to the rights of the data subjects, of key definitions, of guarantees on transfers for regulatory purpose in the field of medical context and the overly broad exemption for publicly available information”
Additionally, the Article 29 Working Party has a number of further concerns relating to access by public authorities to data transferred to the US under the Privacy Shield. Therefore, until these concerns are addressed and resolved, the US does not appear on the list of countries outside the EU that provide adequate protection.
Appropriate Safeguards. Cross border transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. Such appropriate safeguards are set out in Article 46 and include a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules for transfers within a corporate group (as set out in Article 47 of the GDPR), standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct or an approved certification mechanism (the latter two applicable only when they are accompanied by binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights).
Derogations. The GDPR also contains a list of derogations which, if applicable, allow the transfer of data in the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46. This list of derogations is similar to those included in the Directive and allows transfers where:
An additional derogation does exist in limited circumstances: a transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority is required if relying on this derogation. Even though the scope of this transfer mechanism is narrow, it provides another option to enable cross-border data transfers.
Action plan
As a result of these requirements, organisations that need to transfer data outside the EU must have an action plan in place in relation to cross border transfers, ideally as part of a wider data governance plan.
For more information on GDPR, contact andy.harris@mbmcommercial.co.uk.