Your Guide to GDPR Compliance: Transfers of personal data to third countries
The GDPR went into effect last week. We all got a billion emails with people surprisingly updating their privacy policies. Many spread FUD. Even more spread cute memes. So that was fun. Some panicked. We hope you didn’t. Did you block all EU traffic like some US news sites? (Blocking European IPs does not get you off the hook. Maybe a better approach is simply to have some respect for people’s privacy?) Did you try to force consent like Google and Facebook are accused of doing? If you’ve been following our GDPR guide series, you’re doing much better than most. With two more topics to cover, the journey isn’t over yet, so let’s get started on this post’s topic: transferring personal data internationally.
If your organization is based in the European Economic Area (EEA), there may be times when you want to transfer your data to a third country, i.e. any country that is not a European Union or EEA member state. In that case you can only do so under specific conditions, each of which we’ll explore in more detail below:
- Transfers on the basis of an adequacy
- Transfers subject to appropriate safeguards
- Binding corporate rules
There are exemptions to these three conditions. If your transfer meets any of the following criteria, it can go ahead without them, but everything still needs to be clearly documented and justified:
- The individual gave consent, after being informed of the risk. Remember, the bigger the risk, the clearer the consent must be. If you are planning on sharing biometric information with a company from Latveria, you had better be sure about the level of consent that was given, something along the lines of “I understand my DNA will be used by a swarm of autonomous drones with a heavy accent to hunt me down and kill me.”
- The transfer is necessary to fulfill the contract between the individual and the company. Again, this is about privacy by design and default. You can only send those information items that are necessary, what the EU calls “data quality and proportionality”.
- It is necessary for the contract in the interest of the data subject. So if a person has or wants to enter into a contract with you, this covers not only clients, but also price quotes, RFQs, and such.
- It is in the public interest. Basically, anything that is mandated by an EU member state law, or done within the administrative authority of an EU government.
- It is necessary to establish, exercise or defend legal claims. Try not to get sued, it is never fun, but if you are, and you need to present evidence, and that concerns third party personal information ... good news, you can.
- It is necessary to protect the vital interest of someone. Basically, in life and death situations, don’t wait for consent. The regulator is not evil.
What is a transfer on the basis of adequacy?
This means that the country in which the entity you are transferring personal information to is located has adequate levels of protection. Those transfers do not require any specific authorization (you still need to follow all the other GDPR rules).
The Commission put in place certain criteria for adequacy:
- The Rule of law
- Respect for human rights and freedoms
- Relevant legislation, both general and sectoral concerning public security, defence, national security and criminal law
- The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organization is subject
There is no restriction on transferring personal data to EEA countries, but of course do make sure that you process and transfer data responsibly.
Personal information can only be transferred to an organization that is under a legal system that has sufficient guarantees for the rights granted under the GDPR. You may try to figure out if a specific country poses a huge issue or not. Or follow the list of countries that the Commission has already decided are OK. It’s a pretty weird list: it contains Andorra, the Faroe Islands, the Isle of Man, Guernsey and Jersey as well as Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay… and wait for it… the United States of America. Yes. Well, the US thing is limited to the Privacy Shield framework; we will have more on this below.
The list does not include Australia. But you can bet Australia is mostly OK (see the Australian Privacy Act), if you take appropriate measures. But if you want to send PII to Iran, Russia or China… as you might expect, there will be many more hoops to jump through. It doesn’t mean you can’t. It means you need to establish some other safeguards.
Transfers subject to appropriate safeguards
So if the country is not “safe by default”, what do you need to do? Here’s what this regulation considers as acceptable safeguards:
- Legally binding and enforceable instrument between public authorities or bodies - this means laws and regulations some other country put into place to make sure that it is going to be OK to transfer data to them. This is important: it means some countries won’t get a blanket OK from the Commission, but in certain circumstances you will be covered. Imagine a law in, let’s say, Latveria, that specifically addresses call center operators and adds sufficient guarantees. In that case you will be OK with a call center, but you will be required to provide more safeguards for another industry.
- Binding corporate rules - this is not a magical get-out-of-prison card; there are strong constraints on what these may be, and how they are formulated. This was designed first and foremost for larger multinational organizations, so they can continue to operate. These are very strict codes of conduct, and they must be approved by the regulator. Basically, if you don’t have an army of lawyers, this is not the thing that is going to help you.
- Standard data protection clauses adopted by the European Commission - This is a magical get-out-of-prison card. These are contracts written by nice people at the Commission so you don’t need to have an army of lawyers and still operate with companies outside the EU.
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission - this is the same as above, but at the country level, not the EU level.
- An approved code of conduct - This is basically the same thing as the “Binding Corporate Rules”, but instead of using an army of lawyers you decide to adhere to someone else’s proposed (and Commission-approved) code of conduct. This is not magical: the code of conduct itself needs to cover all the bases and your adherence should be something you can show. Lip service is not enough.
- An approved certification mechanism that comes together with commitments of third country organizations to apply the appropriate safeguards, including respect for data subject rights - For the moment there are none. You can be “compliant” with the GDPR but you can’t be certified, because there are no approved certification mechanisms. But this will come. People will make a lot of money out of this. There are people selling those already, and these can be useful as they would show how much you care (which the Regulator does take into consideration under the new rules). But this is not yet magical.
- Contractual clauses between the controller/processor and the controller/processor/recipient in the third country or international organization - If you can’t get blanket safeguards, you may still transfer data internationally by putting in place specific safeguards for the specific action you are trying to accomplish.
Zoom on Binding corporate rules - Working with multinationals
We will go into a bit more detail on this one, as it is something that will happen to you often, especially if you use Amazon, Google, Facebook, or Microsoft’s services. If you don’t, you are either living under a rock, or more power to you!
There are corporate rules that multinational corporations and international organizations can put in place when it comes to transferring data. These allow them to transfer data across EU borders within the same corporate group even to countries with lower levels of protection.
The binding corporate rules must contain privacy principles, such as transparency, data quality, security, tools of effectiveness (such as audit, training, or complaint handling systems) and an element proving that the rules are binding. Parties need to demonstrate that there are adequate safeguards put in place to protect personal data. The set of rules needs to be approved by the supervisory authority and it can only be used within an arrangement of organizations or a multinational corporation. If you want to apply the rules to an expanded group of organizations, you will need to get further approval from the supervisory authority.
If you want to transfer private data to the US you should definitely check if the US company is certified under the EU-US Privacy Shield, which is designed to comply with data protection requirements when transferring private data from the EU to the US. It was adopted by the EU Commission in July 2016 and became operational on 1 August 2016. Privacy Shield is a self-certification mechanism which must be renewed annually. So, before sharing personal information with a company in the US, you should check that its certification is active and that the information in question is covered.
All companies who obtained the certification are listed on the Privacy Shield website along with the types of personal information for which they have the certification. The Privacy Shield is based on the old Data Privacy Directive, so it will likely be updated in 2018 in order to match the GDPR.
To sum up, the GDPR does allow you to transfer personal data outside of the EU. But all the rules still apply. You can’t just exfiltrate the data and do whatever afterwards. But if there are adequate controls on what happens “on the other side”, your life doesn’t need to become any more complicated. The more “upstanding” privacy citizens the countries you want to transfer data to are, the easier and more transparent it is.
If you are doing business only with the Faroe Islands and Andorra, you are already mostly fine. But as we have shown, working with the US is very largely covered, as is working with multinational companies.