Episode 12 – International Data Transfers
The area of international data transfers is one where there has been significant change and tightening of the regulations under the GDPR, but also one where the European Commission has endeavoured to acknowledge the structure and operation of modern businesses.
The reasons for these changes are logical. The Snowden revelations provided a wake-up call to the EU with regard to the extent of the US government’s surveillance activities, resulting in the abolition of the so-called ‘Safe Harbour’ provisions.
Business has become global, with the transfer and processing of European citizens’ data happening around the world. Without robust regulation, organisations could simply transfer data to a country outside Europe and circumvent the protections afforded to citizens by the GDPR.
As such, the provisions governing the transfer of data outside Europe could be said to push the requirements of the GDPR into every country in the world, or at the very least to ensure that the protection flows with the data.
The GDPR permits the transfer of personal data to a third country (i.e. one outside the European Economic Area) whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection, under so-called Adequacy Decisions. The word adequate is perhaps a misnomer, as essentially the EC is saying that those countries provide a level of data protection equivalent to that provided by the original Data Protection Directive and the new GDPR.
Currently there are 10 countries with Adequacy Decisions: New Zealand, Jersey, Isle of Man, Israel, Guernsey, Faeroe Islands, Switzerland, Canada, Argentina and Andorra. Organisations are free to transfer data to them just as they would to any country within the EEA, subject to the remaining provisions of the GDPR.
In the absence of an adequacy decision, transfers to non-EEA states are also allowed under certain circumstances, such as through the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs). The changes embodied in the GDPR with regard to SCCs and BCRs are of benefit to business and reduce their administrative burden. Under the GDPR, these clauses do not require the prior authorisation of supervisory authorities, and such clauses can be adopted by the European Commission as well as by national supervisory authorities.
In Article 49, the GDPR lists two new appropriate safeguards — codes of conduct and certification mechanisms — that have general application to both controllers and processors.
Codes of conduct resemble the self-regulatory programmes used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards (e.g. ISO 27001). Under the GDPR, such codes may be prepared by associations or other bodies representing controllers or processors, and may be drawn up to address many aspects of the GDPR, including international data transfers. Adherence to these codes of conduct by controllers or processors not otherwise subject to the regulation, but involved in the transfer of personal data outside the EU, will help a regulated controller demonstrate adequate safeguards.
The GDPR also allows for the development of data protection certification, seals and marks to demonstrate a controller’s or processor’s adherence to certain standards. Like the codes of conduct, certification is available to controllers and processors outside the EU provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards. There is currently some discussion within the European Data Protection Board with regard to the development of a European Data Protection Seal. This would be recognised by all EEA member states and demonstrate an organisation’s adherence to the GDPR. Mechanisms such as this could prove incredibly helpful to multinational, multi-tenant, SAP-centric businesses or those with data in the cloud.
In the absence of the above, it is still possible to transfer data to a non-EEA country provided one of the ‘derogations’ can be applied:
- The data subject has explicitly consented to the proposed transfer […]
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that, according to EU or member state law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.
Article 49 GDPR
In addition, a final derogation provides that where a transfer could not be based on any other mechanism, a transfer to a third country or an international organisation may take place only if the transfer is “not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller […]”
Article 49 GDPR
The use of this derogation requires careful consideration and substantial documentation, as it is open to broad interpretation. Should the transfer subsequently be classed as a breach of the GDPR by the competent authority, it would attract the highest level of fine.
Interestingly, in addition to facilitating international data transfers through new mechanisms, the GDPR also makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. The UK has opted out of this clause.
In deciding whether to transfer data outside the EEA, it is suggested that companies begin from the position of the transfer not being undertaken, and ascertain the position of compliance that would allow the transfer to happen, rather than looking for reasons for the transfer not to happen.
Where possible, SAP-centric businesses are advised to implement Binding Corporate Rules or to await the release of the approved GDPR corporate certification seals (e.g. the European Data Protection Seal), though this may take some time.
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.