GDPR: Cross-border transfers - don’t be on the wrong track!

The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating across the globe. In practice, all companies collect personal data, for example of their customers, suppliers or contractors (i.e. “data subjects”). However, they are not always aware of their legal obligations when using and especially transferring their data.

For example, companies must take special precautions when personal data is transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of “transfer of personal data” is very broad. It includes, for instance, any kind of hosting of personal data on servers in the cloud. Several mechanisms are available to ensure an “adequate level of protection” for EU data subjects’ personal data transferred to third countries outside of the European Economic Area (“EEA”). However, some of these mechanisms are being challenged, sometimes successfully. An example is the decision of the European Court of Justice (ECJ) to strike down the EU safe harbor principles, which until recently governed data transferred to the United States of America (“USA”).

Adequate level of protection

Transfers of personal data within the European Union are authorized under Member States’ national legislation. In addition, personal data can also be transferred to countries outside the EEA that ensure an “adequate level of protection” of personal data. The same rules generally apply under the General Data Protection Regulation (GDPR) adopted earlier this year. The GDPR will be directly applicable in all Member States as from May 25, 2018.

The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. The European Commission has, so far, recognized the following countries: Andorra, Argentina, Canada (not all kinds of processing), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Data subject's consent

If a company intends to transfer personal data to a third country outside of the EEA that has not been recognized as offering an adequate level of protection, it can rely on the data subject’s consent for allowing such transfer. However, it is important to stress that such consent must be free, clear and unequivocal. This could prove to be quite tricky when it comes to employees’ personal data, as many countries believe an employee is not in a position that allows him/her to freely give his/her consent to a decision imposed by his/her employer. Consent thus appears not to be a pragmatic solution for businesses. 

If not, other mechanisms?

1- Transfers to the United States of America – Safe Harbor

Because of the important data flows that occur between the EU and the USA, a flexible approach to the exchange of personal data between these territories was adopted fifteen years ago, known as “safe harbor”. This approach allowed companies to abide by privacy principles adopted by the Department of Commerce of the United States, in order to be entitled to self-certify as “safe harbor” compliant. This qualification was seen as sufficient to authorize any transfer of personal data from companies established in the EU to U.S.-based companies. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by the US public authorities, the ECJ recently invalidated the U.S. Safe Harbor system. Meanwhile, a new legal framework for transatlantic transfers of personal data has been adopted by the European Commission, known as the “Privacy Shield”. The Privacy Shield focuses on trust and effective enforcement of EU citizens’ right to privacy, and imposes clear safeguards and transparency obligations on U.S. public authorities. This Privacy Shield is still to be approved by EU Member States and has not so far been favorably welcomed by the national data protection authorities.

2- EU Standard Contractual Clauses

EU-based companies transferring personal data to a third country outside of the EEA can also rely on the so-called “EU Model Clauses”. These are templates of contractual provisions which have been prepared by the Commission and are considered to provide adequate safeguards with respect to data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA.
However, the EU Model Clauses have recently been challenged by an Irish data protection officer. He has requested the Irish Court to refer a case to the ECJ in order to determine whether the reliance on the EU Model Clauses is legal under European law, particularly in view of the allegations of mass surveillance by U.S. intelligence authorities.

3- Binding corporate rules

Multinational companies wishing to avoid having to sign contractual clauses for every single data transfer within the group can adopt internal good practice rules. These are known as “Binding Corporate Rules” (“BCR”). They define within the group of companies the policy as well as the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside of the EEA that do not provide an adequate level of protection.

Besides the possibility of relying on the data subject’s consent, the existing framework today allows for intra-European transfers of personal data as well as transfers within an international group that has adopted the BCR. However, in other circumstances, the legal basis for transfers to the USA remains uncertain. Indeed, EU Model Clauses appear to be the last practical solution available to companies for legally transferring personal data to third countries outside of the EEA that are not on the list of countries providing an adequate level of protection, yet their future has also become uncertain. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as a code of conduct approved by the national regulatory authority or a certification mechanism validated by the competent certification organism. It remains to be seen if and to what extent the GDPR will effectively be able to resolve all the remaining uncertainties in this area.