Introduction
Cross-border data transfers refer to the movement of personal data from the European Union (EU) to countries outside the EU. With the implementation of the General Data Protection Regulation (GDPR) in May 2018, the EU has strengthened its data protection rules to ensure that personal data is protected when transferred outside the EU. In this article, we will discuss the various ways in which cross-border data transfers can be compliant with the GDPR.
Cross-border data transfers: Adequacy and beyond
Adequacy is a concept that the European Commission uses to determine whether a third country provides adequate protection for personal data. The European Commission has issued adequacy decisions for several countries, including Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Iceland, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. In such cases, personal data can be transferred to these countries without additional safeguards.
However, in the absence of an adequacy decision, data transfers must be made with appropriate safeguards. The GDPR outlines several mechanisms organizations can use to ensure proper safeguards, including standard data protection clauses, binding corporate rules, and approved codes of conduct.
Transfers with an adequacy decision
One of the ways to comply with the General Data Protection Regulation (GDPR) when transferring personal data to a third country is to ensure that the European Commission has granted the third country an adequacy decision. An adequacy decision is a decision by the Commission that a third country offers adequate protection for personal data. This means that personal data can be transferred to that third country without the need for additional safeguards.
Organizations can rely on an adequacy decision when transferring personal data to a third country the Commission has granted an adequacy decision. However, they must still ensure that the transfer complies with the GDPR and that the personal data is protected. Organizations must also monitor the situation in the third country and take appropriate measures if the personal data protection level changes.
What types of organizations are most affected?
The General Data Protection Regulation (GDPR) applies to all organizations that process personal data, regardless of size or location. However, some types of organizations are more likely to be affected by the rules on cross-border data transfers.
Multinational corporations and organizations with global operations are particularly affected by the GDPR’s rules on cross-border data transfers. These organizations often transfer personal data between countries and continents as part of their normal business operations.
Online service providers, such as cloud service providers and e-commerce platforms, are also likely to be affected by the rules on cross-border data transfers. These organizations often transfer personal data between countries to provide their services to customers and clients.
Transfers by way of appropriate safeguards
In the absence of an adequacy decision, organizations must ensure that appropriate safeguards are in place when transferring personal data outside the EU. The GDPR outlines several mechanisms that organizations can use to ensure that appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs): SCCs are standard clauses that the European Commission has approved as providing appropriate safeguards for personal data. Organizations can use SCCs in their contracts with data processors to ensure that personal data is protected when transferred outside the EU.
Binding Corporate Rules (BCRs): BCRs are binding and enforceable commitments made by a data controller within the same corporate group. BCRs can be used to transfer personal data within a corporate group, regardless of where the data subjects are located.
Ad hoc Contractual Clauses: Organizations can also use ad hoc contractual clauses to transfer personal data outside the EU. Ad hoc clauses must be approved by the relevant data protection authority and provide appropriate safeguards for personal data.
Standard data protection contractual clauses
The standard data protection contractual clauses are model clauses that can be used to protect personal data during cross-border transfers under the GDPR. The EU Commission has created these clauses to provide a standard set of terms that can be used by data controllers and data processors in their contracts for cross-border data transfers.
The standard data protection contractual clauses set out the rights and obligations of the parties involved in a cross-border data transfer and ensure that personal data is protected in line with the GDPR. They must be included in all contracts for cross-border data transfers and must be legally binding and enforceable. The clauses must also be incorporated into the contract as written and cannot be amended.
These clauses provide appropriate safeguards for cross-border data transfers by setting out specific requirements for protecting personal data. This includes provisions for processing personal data, data subjects’ rights, and the responsibilities of data controllers and data processors. The clauses also provide for the resolution of disputes and the enforcement of the terms of the contract.
The use of standard data protection contractual clauses is mandatory when transferring personal data to third countries where there is no adequacy decision. In addition, they can also be used in situations where the adequacy decision is in place to provide additional safeguards and to demonstrate compliance with the GDPR.
Codes of conduct and certification mechanisms
The General Data Protection Regulation (GDPR) recognizes codes of conduct and certification mechanisms as appropriate safeguards for cross-border data transfers. These mechanisms allow organizations to demonstrate their compliance with the GDPR when transferring personal data to third countries.
A code of conduct is a set of rules and guidelines that an organization must follow to comply with the GDPR. These codes of conduct are created by organizations or trade associations and are approved by the relevant data protection authorities. Organizations that follow a code of conduct can demonstrate their commitment to protecting personal data and compliance with the GDPR.
Certification mechanisms are similar to codes of conduct. Still, they also include a certification process that verifies that an organization follows the rules and guidelines set out in the mechanism. The certification process may include an audit, inspection, or other evaluation of the organization’s data protection practices. Organizations that have received certification can demonstrate their commitment to protecting personal data and compliance with the GDPR.
Using codes of conduct and certification mechanisms is optional for organizations. Still, they can provide a way for organizations to demonstrate compliance with the GDPR when transferring personal data to third countries. These mechanisms can also provide a level of assurance to data subjects that their data is being protected in line with the GDPR.
Derogations for specific situations
In some circumstances, organizations may not be able to transfer personal data to third countries using an adequacy decision, appropriate safeguards, or codes of conduct. In these situations, the General Data Protection Regulation (GDPR) provides for specific derogations or exceptions to the general rules for cross-border data transfers.
The most common derogations for cross-border data transfers are:
Explicit consent of the data subject: Personal data may be transferred to a third country if the data subject has given explicit consent to the transfer. The data subject must be informed of the transfer risks and that the GDPR will not protect their personal data in the same way as it would be within the European Union (EU).
Vital interests of the data subject: Personal data may be transferred to a third country if the transfer is necessary to protect the data subject’s vital interests. This derogation can only be used in exceptional circumstances and must be proportionate to the aim pursued.
Performance of a contract: Personal data may be transferred to a third country if the transfer is necessary for the performance of a contract between the data subject and the data controller. This derogation can only be used if the data subject is a party to the contract.
Public interest: Personal data may be transferred to a third country if the transfer is necessary for important reasons of public interest, such as the protection of national security or the investigation of a criminal offense.
Organizations must assess each cross-border data transfer on a case-by-case basis and ensure that the derogation being used is appropriate for the specific circumstances. The organization must also keep adequate records of the decision to use a derogation and the basis for that decision.
Requirement of privacy notice and consent
In addition to complying with the rules for cross-border data transfers, organizations must also ensure that they provide data subjects with adequate information about the transfer and obtain their consent where necessary. This is known as the requirement of privacy notice and consent.
Under the General Data Protection Regulation (GDPR), organizations must provide data subjects with the following information before or at the time of the data collection:
The identity of the data controller and their contact details.
The purpose of the data processing and the legal basis for the processing.
The recipients or categories of recipients of the data.
The data subject’s rights, such as the right to access, rectify or erase their personal data.
The right to withdraw consent.
The right to lodge a complaint with a supervisory authority.
The fact that the personal data will be transferred to a third country and the safeguards in place to protect the data.
In some circumstances, organizations may also be required to obtain the data subject’s explicit consent to transfer their personal data to a third country. The data subject must be informed of the transfer risks and that the GDPR will not protect their personal data in the same way as it would be within the EU.
Conclusion
Cross-border data transfers are an essential part of modern business and commerce. However, they also pose significant risks to the privacy and security of personal data. The GDPR sets out strict rules for cross-border data transfers to ensure that personal data is protected, regardless of where it is transferred. Organizations must take appropriate measures to comply with the GDPR when transferring personal data to a third country. This may involve using an adequacy decision, appropriate safeguards such as standard data protection clauses or codes of conduct and certification mechanisms, or relying on specific derogations.
In addition, organizations must also provide data subjects with adequate information about the transfer and obtain their consent where necessary. This helps to ensure that the data subject’s rights and freedoms are protected and that the transfer is lawful under the GDPR. Cross-border data transfers must be carried out in a way that complies with the GDPR and protects the privacy and security of personal data. Organizations must be aware of the rules and take appropriate measures to ensure compliance. Failure to comply with the GDPR can result in significant fines and reputational damage.