Chapter 13: Managing Personal Data Internationally – EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

CHAPTER 13: MANAGING PERSONAL DATA INTERNATIONALLY

The GDPR cannot be enforced directly outside the EU, so it contains a number of provisions that control how organisations within the EU may transfer personal data internationally, with the aim of ensuring that the protection the Regulation gives to personal data travels with the data.

So-called “third countries”, those outside the bounds of the EU, were designated under the DPD as “any country other than the EU and EEA Member States”, and the GDPR uses the term in the same sense. Given the number of overlapping European groupings (the EU, the EEA, the Eurozone, the EFTA and the Council of Europe, among others), it is critical to understand which countries “in Europe” you are allowed to send personal data to without further conditions, and what rules need to be in place for the rest.

For ease of reference, the EU and EEA countries are shown in Table 2.

Table 2: EU and EEA country list

The United Kingdom voted in a referendum in 2016 to leave the EU. Once it has done that, it will no longer automatically meet the adequacy test for data transfers.

The additional conditions for transferring data to third countries also apply to transferring data to international organisations. Unlike third countries, international organisations are defined in the Regulation:

 

‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Public international law is the set of conditions under which nations interact with other nations, and with individuals, organisations and other entities internationally. As such, an international organisation would be one that operates internationally, under the auspices of a trade agreement or treaty.

The designation covers bodies such as the United Nations, the World Trade Organization or any other body created by agreement between two or more states. It does not cover commercial companies, however widely they operate: a German company with operations in the US is a multinational, not an international organisation, and a transfer of personal data from its EEA headquarters to its US operations is a transfer to a third country. You should thus always take care to ensure that you understand the full business nature, and the legal status, of the organisations with which you interact, because the answer determines which transfer rules apply.

Key requirements

Transferring personal data to a country outside the EU/EEA can only be done if one of two conditions is met (or, failing both, if one of the limited derogations described below applies):

  1. The destination has been the subject of an adequacy decision.
  2. The transfer is subject to appropriate safeguards to protect the personal data.

Meeting one of these conditions does not guarantee that every transfer is lawful: a supervisory authority can suspend or ban transfers to a specific country or recipient regardless of the security measures you put in place, and an adequacy decision can be amended or repealed by the Commission or struck down by the courts, as happened to the Safe Harbor arrangement with the US.

Any further transfers of the personal data – within the target country or beyond – are also subject to these same restrictions. If your organisation is based in the EEA and wants to transfer data to a third country or international organisation, you will need to ensure that all conditions are met, including that those third country or international organisations will abide by the requirements of the GDPR.

If neither an adequacy decision nor appropriate safeguards are in place, the Regulation (Article 49) still permits a transfer under a limited set of derogations. These are intended for specific situations rather than as a routine basis for transfers. The derogations are:

  1. With the data subject’s explicit consent, given after having been informed of the possible risks of the transfer, in particular the risks due to the absence of an adequacy decision and appropriate safeguards.
  2. If the transfer is necessary to perform a contract between the data subject and the controller, or to implement pre-contractual measures taken at the data subject’s request.
  3. If the transfer is necessary to conclude or perform a contract made in the interests of the data subject between the controller and another natural or legal person.
  4. If the transfer is necessary for important reasons of public interest.
  5. If the transfer is necessary to establish, exercise or defend legal claims.
  6. If the transfer is necessary to protect the vital interests of the data subject or of other persons, and the data subject is physically or legally incapable of giving consent.
  7. If the transfer is made from a register that is intended by law to provide information to the public and is open to consultation by the public or by anyone who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by law for consultation are fulfilled in the particular case.

You will need to ensure that you clearly document your justification for the transfer, and that this documentation can be made available to the supervisory authority on request.

Adequacy decisions

Adequacy decisions are decisions made by the Commission that a given third country (or a territory or sector within it) or international organisation provides an adequate level of protection, and is therefore an acceptable destination to which to transfer personal data. This is usually because the destination meets a set of criteria in law. In assessing adequacy, the Commission must take into account at least the following:

  • The rule of law.
  • Access to justice.
  • Respect for human rights and fundamental freedoms.
  • Relevant legislation, both general and sectoral, with regard to public security, defence, national security, public order and criminal law, including the access of public authorities to personal data.
  • The existence and effective functioning of one or more independent supervisory authorities.
  • The international commitments the third country or international organisation has entered into.211

Similar rules existed under the Data Protection Directive, and adequacy decisions made under the DPD will remain valid until they are otherwise amended, replaced or repealed. As such, there is already a short list of countries that meet the adequacy criteria, as shown in Table 3.

Table 3: Countries meeting the adequacy criteria

A number of ‘European’ states are listed above because they are not actually members of the EEA. Switzerland is a member of the EFTA but not of the EEA, for instance, while Jersey, Guernsey and the Isle of Man are Crown Dependencies of the United Kingdom that are outside both the EU and the EEA; each has its own data protection law and its own adequacy decision.

Note that the United States is not one of the countries on which a general adequacy decision has been made. This is partly because the United States has no comprehensive federal data protection law; most US states have their own data protection or data breach notification laws, and these provide varying levels of protection for consumers. Special arrangements exist to make data transfers between the EU and the USA possible, and these are described later in this chapter.

Personal data can be transferred to any one of the above countries just as if the data was being transferred to a host within the EEA; there are no further requirements for doing so beyond those contained in the GDPR.

Adequacy decisions are reviewed periodically, at least every four years, and can be amended, suspended or repealed if the level of protection is no longer adequate, so it’s important to confirm that any country you transfer personal data to on this basis has retained its approval. It is also worth checking to see if any countries have been added to the list, as they may offer business opportunities for your organisation. The complete list of countries subject to an adequacy decision is published in the Official Journal of the European Union and on the Commission’s website.

Safeguards

Transfers to third countries and international organisations are permissible if there are appropriate measures to protect the rights and freedoms of the data subject, and if the data subject will have enforceable rights and legal remedies. This means ensuring that the data will be secure, and that the personal data will only be transferred to an organisation within a legal system that will support the data subject’s rights. If you cannot meet both of these requirements, the transfer will not be deemed legal under the Regulation.

The Regulation provides a set of acceptable safeguards, some of which require specific approval from the supervisory authority before they can be considered to comply with the Regulation:

  • Legally binding and enforceable instrument between public authorities or bodies.
  • Binding corporate rules.
  • Standard data protection clauses adopted by the Commission.
  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission.
  • An approved code of conduct together with binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards and protect data subjects’ rights.
  • An approved certification mechanism with binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards and protect data subjects’ rights.
  • Contractual clauses between the controller/processor and the controller/processor/recipient in the third country or international organisation.
  • Provisions inserted into administrative arrangements between public authorities or bodies, including enforceable and effective data subject rights.212

The last two safeguards require approval from the supervisory authority. Many of the options for safeguarding personal data rely on structures that are either established in law or have been previously approved by the supervisory authority and/or the Commission.

It’s important to recognise that the set of accepted safeguards is not a simple list of measures or controls. Rather, the safeguards as described could represent a broad range of solutions that are – crucially – backed up by legal measures.

If you choose to use one of these options in order to transfer personal data outside the EEA, you should consult the supervisory authority to see what your options are. You will not need to use one of the preapproved models, but they may prove enlightening if you want to develop your own solution to be agreed between yourself and the organisation you want to deal with, and will almost certainly make it simpler to get approval from the supervisory authority.

Binding corporate rules

Binding corporate rules were originally devised by the Article 29 Working Party (the advisory body of EU data protection authorities set up under Article 29 of the DPD) in order to allow large organisations or groups of organisations to transfer personal data internationally within the group while reducing the bureaucratic overhead of authorising each transfer separately. They are defined in the GDPR as:

 

‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

The GDPR (Article 47) sets out the conditions under which a group of undertakings can have its binding corporate rules approved by the competent supervisory authority, in line with the consistency mechanism, so that transfers within the group can then proceed without further authorisation.

The advantage of binding corporate rules is that the organisations involved can transfer personal data quickly and with a minimum of interference from a supervisory authority. However, they can only be used within an arrangement of organisations or a multinational, and the set of rules you elect to put in place will need to be approved by the supervisory authority.

Binding corporate rules do not provide a basis for making transfers outside of the approved group of organisations. If you want to expand the group of organisations to which the rules apply, you’ll need to get further approval from the supervisory authority.

The EU-US Privacy Shield

As we’ve said previously, an EU organisation cannot lawfully transfer personal data to a country in respect of which there has been no ‘adequacy’ determination by the EU Commission unless appropriate safeguards are in place or one of the derogations applies. This is a major issue for the EU-US trading relationship and led to the development of a ‘Safe Harbor’ framework, under which US organisations could register with the US Department of Commerce and make a public declaration of their practices in respect of personal data; organisations that did so were treated as providing adequate protection, and the declaration was enforceable against them by the US Federal Trade Commission.

In October 2015, the European Court of Justice declared that the Safe Harbor framework was ‘invalid’ and not an adequate mechanism for complying with existing EU data protection legislation. Work therefore started on creating a replacement mechanism, the EU-US Privacy Shield Framework.

The EU-US Privacy Shield was adopted by the EU Commission in July 2016 and became available for certification on 1 August 2016. The Commission has deemed the protections provided by the Shield to EU data subjects in respect of their personal data to be ‘adequate’ for the purposes of the EU rules governing international transfers. These rules apply to the personal data of employees just as they do to the personal data of customers collected by an organisation. In real terms, there are no categories of personal data that are outside the scope of the GDPR; therefore, US organisations with operations within the EU that simply wish to process or store HR data relating to their EU staff in the US have to comply with the GDPR and will need either to join the EU-US Privacy Shield Framework or to rely on another of the transfer mechanisms described in this chapter, such as standard contractual clauses or binding corporate rules. The remaining alternatives are to limit all such processing to EU entities or to withdraw from doing business in the EU.

US organisations are able to sign up to the Privacy Shield, which is administered by the ITA (International Trade Administration) with the US Department of Commerce. The starting point is here: www.privacyshield.gov/welcome. Once an organisation has voluntarily completed the application process and made a public commitment to comply with the Privacy Shield Framework, that commitment becomes enforceable under US law.

It should be noted that the Privacy Shield is based on the DPD rather than the GDPR, so it’s likely that it will be updated when the Directive is formally repealed in 2018 in order to match the changing requirements. In particular, the Privacy Shield does nothing to help organisations comply with the requirement for extra-EU controllers and processors to nominate a representative organisation within the EU.

The first requirement of the Privacy Shield is that organisations must include their statement of commitment to compliance in their published privacy policies. The policy must also include a link to the website, or other submission-starting point, of the independent recourse mechanism which the organisation must put in place so that data subjects are easily able to make individual complaints. The “Key New Requirements” page (www.privacyshield.gov/Key-New-Requirements) of the Privacy Shield website sets out clearly what organisations have to do in addition to what they should already have been doing under the now rejected Safe Harbor arrangements. These requirements are all contained in the formal EU-US Privacy Shield Framework and should be seen as extensions to those contained in the GDPR, rather than as an alternative. The starting assumption should be that, when EU citizens raise a complaint, it will be because they believe their rights as set out in the GDPR have been transgressed. Privacy Shield members are required to resolve all complaints expeditiously and to submit, where necessary, to binding arbitration where a complaint has not been resolved through the normal processes.

Even once an organisation leaves the Privacy Shield, it must continue to apply the Principles to the personal data it collected while a member for as long as it retains that data (or else return or delete it), and must affirm annually to the Department of Commerce that it is doing so.

Privacy Shield membership is a self-certification process. The certification is enforceable by both the US Federal Trade Commission (FTC) and the US Department of Transportation (DOT), depending on the sector in which the organisation operates. The full text and requirements are available here: www.privacyshield.gov/Program-Overview.

Privacy Shield Principles

To comply with the scheme, organisations must implement measures to meet the seven Privacy Shield Principles:

  1. Notice – organisations are required to inform data subjects of a range of things, including about the Privacy Shield scheme and the data subject’s rights.
  2. Choice – data subjects must be free to choose to opt out of having their data disclosed to a third party or used for any purposes beyond those for which it was collected. Data subjects must have a clear and simple way to exercise this choice.
  3. Accountability for onward transfer – the organisation is responsible for the personal data, and must ensure that it is transferred only to organisations that will also provide the same level of protection as the organisation under the Privacy Shield.
  4. Security – the organisation must take “reasonable and appropriate measures” to protect personal data from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
  5. Data integrity and purpose limitation – the organisation must take reasonable steps to ensure personal data is “reliable for its intended use, accurate, complete, and current”. It must also ensure that personal information is limited to what is relevant for the purposes of the processing.
  6. Access – data subjects must have access to personal information about them held by the organisation, and must be able to correct, amend or delete the information if it is inaccurate or has been processed in violation of the Principles.
  7. Recourse, enforcement and liability – data subjects must be able to seek independent recourse to resolve any complaints at no cost to themselves. Furthermore, the organisation is responsible for the processing of personal information it receives under the Privacy Shield and transfers to a third party.

There are 16 supplemental principles, which cover topics like journalism, sensitive data, exceptions, dispute resolution, enforcement, access requests, data protection authorities, human resources data, and pharmaceutical and medical products. All of the principles align with the requirements of the DPD and, in a general sense, with those of the GDPR.

Certification to the Privacy Shield is relatively simple for US-based organisations. An organisation should ensure that it conforms to the Privacy Shield Principles, which may involve developing specific measures and documented processes to do so. The organisation’s privacy policy should reflect its adherence to the Principles and make specific reference to its compliance with the Principles. As described earlier, the privacy policy also needs to identify the organisation’s independent recourse mechanism to inform data subjects of the process to lodge a complaint or seek other form of recourse. The privacy policy should then be made publicly available, potentially as a physical copy if your organisation doesn’t have a public website.

Limited transfers

It is possible to make transfers of personal data on a limited basis without having to establish more formal or permanent measures. Under Article 49 of the Regulation, such transfers are permissible if:

 

the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.

You will need to inform the supervisory authority of the transfer, and inform the data subject both of the transfer and of the “compelling legitimate interests” pursued. You must also record your assessment of the circumstances, and the safeguards you applied, in your records of processing activities. The Regulation sets no notice period, but giving this notice before the transfer takes place allows either party a realistic opportunity to object.

Cloud services

If your organisation uses a Cloud provider to store or process personal data, you will need to confirm the location of the data centres where personal data is kept. It’s easy to overlook Cloud providers, especially if they deliver software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS). In these instances, the user is often unaware that they are using a tool that is hosted remotely and, in many cases, is actually based in another country.

Because Cloud providers often take advantage of vast server farms located in disparate countries around the world, storing personal data with them frequently amounts to a transfer to a third country, even when the contract is signed with an EU entity, and you will need to ensure that you establish appropriate safeguards to protect the personal data. Where a provider cannot tell you where the data is actually stored, or has little power to secure appropriate assurances from the sub-processors involved, it would be advisable to change providers or develop an in-house capacity to replace the Cloud services.

Furthermore, because Cloud services may store data in a third country, controllers will have to meet the usual requirements of the Regulation with regard to international data transfer. This includes having a legitimate reason for the transfer, asserting the data protection principles, applying appropriate controls or measures to protect the personal data (such as model contract clauses approved by the Commission), and informing the data subject of the transfer of their personal data.

ISO/IEC 27018:2014, part of the ISO 27000 family of standards, presents a good starting point for protecting personally identifiable information hosted in the Cloud. The Standard proposes a set of additional controls that can be applied in order to protect this information, and provides guidance on the implementation of those controls.

________________________

211 GDPR, Article 45.

212 GDPR, Article 46.