Personal data flows to and from countries outside the EU and international organizations are necessary in order to expand international trade and cooperation. However, the European Parliament and the Council have stipulated that these transfers may only be carried out in full compliance with the GDPR. This also applies to onward transfers of personal data from one third country or international organization to another. The leading principle is that when personal data of Europeans are transferred outside the EU, the protection travels with that data. Everywhere...
How does it work?
The European Commission may decide that a third country, a territory or specified sector within a third country or an international organization provides an adequate level of data protection. Such an adequacy decision allows the free flow of personal data from the EU without having to implement additional safeguards or being subject to further conditions. Transfers to the country in question will be assimilated to intra-EU data transmissions, thereby providing privileged access to the EU Single Digital Market.
Next steps
Since the US has no general data protection legislation, adequacy for data transfers to the US is limited to the Privacy Shield Framework. It relies on commitments of participating companies to apply the data protection standards set out by this arrangement. In practice this means, for instance, annual self-certification and compliance with EU Data Protection Authorities. On June 11, 2018, however, the European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted a resolution in which it called on the European Commission to take all necessary measures to ensure that the Privacy Shield will fully comply with the GDPR. This way, the adequacy should not lead to loopholes or a competitive advantage for US companies. The full House is expected to vote on the resolution in July.
BCRs and SCCs as guarantees regarding safeguards
In the absence of an adequacy decision, international transfers can take place on the basis of Binding Corporate Rules (BCRs). These are internal rules for data transfers within the same corporate group or within a group of enterprises engaged in a joint economic activity. These rules work like a Code of Conduct: they allow multinational companies to transfer personal data to countries that do not provide an adequate level of protection, as long as the transfer stays within the boundaries of the corporate data protection rules. Another possibility is using Standard Contractual Clauses (SCCs). So far the European Commission has issued only two sets of SCCs and one set of Contractual Clauses for data transfers from data controllers in the EU to data controllers outside the EU. What does all this mean for companies transferring and exchanging personal data with countries outside the EU?
Make sure you have the right stamps
As you can see, protecting and exchanging personal data are not mutually exclusive. A strong data protection system will facilitate data flows by building confidence in those companies that care about the way they handle their customers’ personal data. Furthermore, the GDPR creates a level playing field between EU and foreign companies. Companies based outside the EU will have to apply the same rules as European companies in offering goods and services or monitoring the behaviour of individuals in the EU.
DPA Privacy Sherpas can assess your international data flows. Does the EU Privacy Shield apply, do you need Binding Corporate Rules, or are the Standard Contractual Clauses sufficient? Make sure your personal data passport has the necessary border crossing stamps before it leaves on an international data flow. Finally, for those of you who want to know more about the GDPR framework for international data flows, click here to find a PowerPoint presentation on this topic.