GDPR and Cross Border Transfers of Data
Technological advances and global business opportunities mean that personal data travels round the world faster and more easily than ever before. Free movement of data is of prime importance for businesses, and many are worried about the effects that the GDPR will have, concerned that it may hinder their business or impose additional administrative burdens upon them.
Understanding the requirements of the GDPR in relation to cross border transfers of personal data is therefore important for all organisations (both controllers and processors, including cloud service providers) that need to move data outside the EU. This will also affect international organisations with global databases, which are also caught by the cross border data transfer provisions. In general, the GDPR does not in fact move significantly away from the Directive's rules for transferring personal data cross-border. However, unlike the limited sanctions within the Directive for failure to comply with transfer requirements, breaches occurring once the GDPR is in force will attract the highest category of fines (up to €20M or, in the case of undertakings, up to 4% of annual worldwide turnover).
Transfers of personal data to third countries outside the EU are allowed only where both controllers and processors comply with the conditions laid down in the GDPR. Under the GDPR, the transfer of personal data to recipients outside the EU is generally prohibited unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.
Adequate Protection. Where personal data is being transferred to a third country (or a territory or one or more specified sectors within that third country, or the international organisation in question) which the Commission has decided ensures an adequate level of protection, personal data can be transferred without any specific authorisation.
EU/US Privacy Shield. Following the decision that the US Safe Harbor is invalid for these purposes, the US has introduced the new EU/US Privacy Shield to fill the gap. The Article 29 Working Party, however, has recently reviewed the adequacy of the Privacy Shield and, whilst welcoming some changes it has made, is of the opinion that there are a number of important unresolved issues remaining. In the joint review report they state that these issues include:
“lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers and on the rights and available recourse and remedies for data subjects. In addition, the WP29 calls for an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies. The US authorities are also requested to clearly distinguish the status of data processors from that of data controllers both at the time of their self-certification and at the time of further checks.
Moreover, further improvements should be made with regards to the interpretation and handling of HR data and the rules governing automated-decision making/profiling. Finally, the self-certification process for companies should be enhanced to ensure uninterrupted protection for data subjects and rapid compliance with the Privacy Shield principles. Additionally, the cooperation between U.S. authorities within the Privacy Shield mechanism should be adjusted.
In addition to the points mentioned above, the WP29 recalls the unresolved issues mentioned in Opinion 1/2016, e.g. absence or limitation to the rights of the data subjects, of key definitions, of guarantees on transfers for regulatory purpose in the field of medical context and the overly broad exemption for publicly available information.”
Additionally, the Article 29 Working Party has a number of further concerns relating to access by public authorities to data transferred to the US under the Privacy Shield. Therefore, until these concerns are addressed and resolved, the US does not appear on the list of countries outwith the EU providing adequate protection.
Appropriate Safeguards. Cross border transfers are also permitted where appropriate safeguards have been provided by the controller or processor, and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. Such appropriate safeguards are set out in Article 46 and include a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules for transfers within a corporate group (as set out in Article 47 of the GDPR), standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct or an approved certification mechanism (the latter two applicable only when they are accompanied by binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights).
Derogations. The GDPR also contains a list of derogations which, if applicable, allow the transfer of data in the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46. This list of derogations is similar to those included in the Directive and allows transfers where:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers;
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent; or
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
An additional derogation does exist in limited circumstances: a transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority is required if relying on this derogation. Even though the scope of this transfer mechanism is narrow, it provides another option to enable cross border data transfers.
As a result of these requirements, organisations that need to transfer data outwith the EU must have an action plan in place in relation to cross border transfers, ideally as part of a wider data governance plan.
- The first step a business should undertake is comprehensive data mapping. Undertaking a data audit within an organisation will help to identify data flows, including any transfers outwith the EU;
- A review of future business activities involving personal data should flag any situations where cross border transfers may take place and allow a business to take preparatory steps for such transfers in accordance with GDPR requirements; and
- Ensure that GDPR compliant data transfer mechanisms are in place for all such cross border transfers.