GDPR Update: The future of international data transfers
How will international data transfers be impacted by the GDPR?
We are more connected than ever. For any organisation operating on a global scale, the international transfer of data is an essential element of daily business operations. Organisations may, for example, store customer personal data in a cloud service hosted abroad or may store employee personal data at a subsidiary established in another country. How will the upcoming General Data Protection Regulation (GDPR) affect such international data transfers? Let us explain!
Adequate and “non-adequate” countries
The GDPR essentially distinguishes between countries outside the European Economic Area (EEA) that are considered to ensure an adequate level of protection for personal data and “non-adequate” countries. A transfer to an “adequate” country is the simplest way to transfer personal data outside the EEA; these transfers are permitted and legal under the GDPR. A transfer to an adequate country does not require prior approval from a supervisory authority and organisations need not take any further action.
What’s the catch though? Only the European Commission can decide on adequacy, this is not a self-assessment. The full list of adequate countries can be found on the Commission’s website.
“Non-adequate” country? Appropriate safeguards!
In the absence of a Commission adequacy decision, international data transfers may only take place where organisations have taken appropriate safeguards for the protection of personal data. This is to ensure that the level of protection offered by the GDPR is not undermined. The GDPR lists a number of possible safeguards that can be taken. Below, we discuss the two best known safeguards for organisations operating on a global scale: Binding Corporate Rules and Model Standard Clauses.
Binding Corporate Rules
Binding Corporate Rules (BCRs) is a mechanism whereby an organisation can set out its global policy on the international transfer of personal data within that corporate group. Whilst the concept of BCRs may not be new (they existed pre-GDPR as well), the GDPR is expected to offer greater legal certainty to organisations considering adopting them. This is partially due to the new statutory recognition of BCRs as an appropriate safeguard as well as the fact that they must meet specific content requirements. Organisations are now better equipped to understand what is expected of them and to understand the requirements for obtaining approval. BCRs are furthermore subject to a new streamlined approval process whereby the approval is coordinated by one Data Protection Authority (DPA) in Europe and must follow set deadlines. There is therefore no longer a need to obtain approval from multiple DPAs and the timeline for approval should be better streamlined.
The initial investment of gaining approval is however particularly costly (both in monetary terms as well as in time) but there may be great benefits for larger organisations. BCRs must, for example, ensure compliance through mechanisms such as data protection audits and must ensure data protection training for personnel with access to personal data. Such content requirements can help stimulate a privacy-aware culture within the organisation and help move the organisation towards GDPR compliance. Moreover, after having obtained approval, transfers made in accordance with the BCRs require no further approval thereby limiting the administrative burden.
Furthermore, it is important to note that BCRs offer no solution for the international transfer of personal data to third parties. BCRs merely cover intra-group transfers and should not be considered as an adequate safeguard for international transfers outside the corporate group. BCRs are better suited for organisations with a complex web of internal processing activities. Gaining approval is a complicated process requiring a significant investment and it may be difficult to translate the BCR provisions into practical requirements. This investment may not pay off in the long-run for smaller organisations and such organisations may be more interested in adopting Standard Model Clauses instead.
Standard Model Clauses
Standard Model Clauses are essentially contracts approved by the European Commission that can be adopted for the transfer of personal data outside the EEA. Model Clauses already exist today but the Commission is expected to draft a set of new clauses to follow GDPR standards. The GDPR also introduces the possibility for local DPAs to draft Model Clauses. Model Clauses are considered to provide appropriate safeguards and hence have been widely used.
Model Clauses are popular amongst SME’s for simple structural data transfers but this mechanism may be interesting for both private companies of any size as well as public entities. Model Clauses simply require a signature from the organisation sending the data (data exporter) and the organisation receiving it (data importer) under the condition that the data importer can comply with the stipulated provisions in the agreement. Model Clauses are therefore not recommended for larger organisations with complex processing activities as this solution would impose a heavy administrative burden and little flexibility given that new processing activities would require new Model Clauses to be signed.
Recently, however, concerns have been raised as to whether the Model Clauses sufficiently protect personal data transferred outside Europe. Consequently, a number of questions concerning the validity of the Model Clauses have been referred to the Court of Justice of the European Union. Organisations that rely on Model Clauses should therefore pay careful attention as the playing field may change in the future. In this quickly changing environment, organisations should prepare for alternative solutions or be ready to adapt if needed. For the time being, Model Clauses are still considered a valid option and should not be disregarded!
The impact is positive
Whilst the rules on international data transfers may at first sight seem complicated and difficult to navigate, the impact of the GDPR is likely to be positive for organisations. The GDPR offers a suitable solution for various types of organisations. Large organisations with a complex web of processing activities are more likely to opt for BCRs given their additional legal certainty and global impact, whereas organisations with a more limited network of international transfers may choose to adopt Model Clauses.
BCRs and Model Clauses are certainly the main appropriate safeguards for international transfers but it is important to note that the GDPR also offers other solutions:
• An approved certification mechanism whereby GDPR compliance is demonstrated through certification, data protection seals and marks together with binding and enforceable commitments;
• An approved code of conduct that stipulates the international transfer of personal data together with binding and enforceable commitments on how to apply the code of conduct.
• “Ad-hoc contracts” approved by a competent Supervisory Authority;
• Derogations such as explicit consent, transfers on the basis of performance of a contract, necessary for legal claims or defenses etc. The derogations should be used narrowly and only in exceptional cases. Consent is a complicated legal basis (individuals can withdraw their consent at any time!) and should not be used for international data transfers that take place on a large and/or structural basis.