The GDPR went into effect last week. We all got a billion emails with people surprisingly updating their privacy policies. Many spread FUD. Even more spread cute memes. So that was fun. Some panicked. We hope you didn’t. Did you block all EU traffic like some US news sites? (Blocking European IPs does not get you off the hook. Maybe a better approach is simply to have some respect for people’s privacy?) Did you try to force consent, as Google and Facebook are accused of doing? If you’ve been following our GDPR guide series, you’re doing much better than most. With two more topics to cover, the journey isn’t over yet, so let’s get started on this post’s topic: transferring personal data internationally.
If your organization is based in the European Economic Area (EEA), there may be times when you want to transfer your data to a third country, i.e. any country that is not a member of the European Union or the EEA. In that case you can only do so under specific conditions, each of which we’ll explore in more detail below:
There are exemptions to these three conditions. If your transfer relies on any of these exemptions, that must be clearly documented and justified:
What is a transfer on the basis of adequacy?
This means that the country in which the entity you are transferring personal information to is located has adequate levels of protection. Such transfers do not require any specific authorization (you still need to follow all the other GDPR rules).
The Commission put in place certain criteria for adequacy:
There is no restriction on transferring personal data to EEA countries, but of course do make sure that you process and transfer the data responsibly.
Personal information can only be transferred to an organization that is under a legal system with sufficient guarantees for the rights granted under the GDPR. You may try to figure out for yourself whether a specific country poses a big issue or not, or follow the list of countries that the Commission has already decided are OK. It’s a pretty weird list: it contains Andorra, the Faroe Islands, the Isle of Man, Guernsey and Jersey, as well as Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay… and wait for it… the United States of America. Yes. Well, the US entry is limited to the Privacy Shield framework; more on this below.
The list does not include Australia. But you can bet Australia is mostly OK (see the Australian Privacy Act), if you take appropriate measures. But if you want to send PII to Iran, Russia or China… as you might expect, there will be many more hoops to jump through. That doesn’t mean you can’t; it means you need to establish some other safeguards, and jump through more hoops to do so.
Transfers subject to appropriate safeguards
So if the country is not “safe by default”, what do you need to do? Here’s what this regulation considers as acceptable safeguards:
Zooming in on binding corporate rules: working with multinationals
We will go into a bit more detail on this one, as it is something you will run into often, especially if you use Amazon, Google, Facebook or Microsoft services. If you don’t, you are either living under a rock, or more power to you!
There are corporate rules that multinational corporations and international organizations can put in place when it comes to transferring data. These allow them to transfer data across EU borders within the same corporate group even to countries with lower levels of protection.
The binding corporate rules must contain privacy principles, such as transparency, data quality, security, tools of effectiveness (such as audit, training, or complaint handling systems) and an element proving that the rules are binding. The parties need to demonstrate that adequate safeguards are in place to protect personal data. The set of rules needs to be approved by the supervisory authority, and it can only be used within an arrangement of organizations or a multinational corporation. If you want to apply the rules to an expanded group of organizations, you will need to get further approval from the supervisory authority.
If you want to transfer private data to the US, you should definitely check whether the US company is certified under the EU-US Privacy Shield, which is designed to meet data protection requirements when transferring private data from the EU to the US. It was adopted by the EU Commission in July 2016 and became operational on 1 August 2016. The Privacy Shield is a self-certification mechanism which must be renewed annually. So, before sharing personal information with a company in the US, you should check that its certification is active and that the information in question is covered.
All companies who obtained the certification are listed on the Privacy Shield website along with the types of personal information for which they have the certification. The Privacy Shield is based on the old Data Privacy Directive, so it will likely be updated in 2018 in order to match the GDPR.
To sum up, the GDPR does allow you to transfer personal data outside of the EU. But all the rules still apply. You can’t just exfiltrate the data and do whatever you like afterwards. But if there are adequate controls on what happens “on the other side”, your life doesn’t need to become any more complicated. The more “upstanding” privacy citizens the countries you want to transfer data to are, the easier and more transparent it is.
If you are doing business only with the Faroe Islands and Andorra, you are already mostly fine. But as we have shown, working with the US is very largely covered, as is working with multinational companies.