Cross-border data flows are an essential part of the globalised and digitalised business world we live in today. Certainly, the rapid development of new technologies and their speedy integration into the business model has changed the way businesses operate, including the forms in which they process, exchange or even store personal data. Apart from driving businesses to connect and go global, technology has also served to dramatically reduce the cost of data storage, especially with the advent of cloud services. Whether you are trading globally or from one location, you may well be transferring or hosting personal data in another jurisdiction. Cloud storage has become a common trend even for the smallest of home-based businesses. However, the legal implications involved when storing or transferring personal data elsewhere tend to be overlooked. Transfers to non-EU jurisdictions with insufficient or no data protection legislation and remedies will result in a lower level of data protection, unless they are backed by adequate safeguards.
How to ensure compliance with the General Data Protection Regulation (GDPR)?
The GDPR applies a strict regime when personal data is transferred outside EU territory. In principle, it requires that an equivalent level of protection and safeguards is still afforded to such data when it is processed outside European soil.
In addition, the GDPR also aims to protect EU citizens’ data by applying a wider territorial scope whereby non-EU entities offering goods or services to, or monitoring the behaviour of, individuals based in the EU will also be subject to the GDPR.
The impact on multinational organisations having trans-border operations is inevitable.
Entities based outside the EU offering goods or services to individuals in the EU will be required to comply with the GDPR, irrespective of whether they have an establishment within the EU. In addition, where EU entities transfer data to non-EU entities, the transfer would be required to ensure equivalent protection. This would also apply to intra-group transfers between entities forming part of the same group of companies.
Adequacy decisions are favourable decisions concerning the level of data protection in a non-EU country, or even in specified sectors within such a third country, such as, for example, the EU-US Privacy Shield. These decisions are based on a detailed assessment of data protection adequacy in the third country, and on the principle that such a country provides sufficient guarantees which are essentially equivalent to those in the EU. An adequacy decision removes any barrier to data transfers to such jurisdictions or sectors. Decisions issued by the European Commission on the basis of Directive 95/46/EC remain valid until reviewed, amended or repealed under the GDPR.
If no adequacy decision is in place, EU entities would have to provide appropriate safeguards aimed at protecting personal data once it is transferred outside EU territory. These safeguards may in particular be provided by means of standard contractual clauses and binding corporate rules.
Other possible options to frame transfers within the legal boundaries would be a transfer based on a certification scheme or a code of conduct. These two are both novelties under the GDPR, and one will need to assess how they will work in practice. Another possibility is to rely on the derogations provided in the GDPR. However, while this is a possible option, derogations are considered the exception to the rule and should be narrowly interpreted. In principle, relying on derogations should only take place in limited circumstances (e.g. one-off or urgent transfers) when it is not possible to resort to other safeguards.
Transferring by means of appropriate safeguards
Standard Contractual Clauses are model contracts adopted by the EU Commission with the aim of facilitating EU controllers in providing sufficient guarantees when transferring personal data to a non-EU controller or processor.
EU data controllers typically use these standard clauses either as ad-hoc contracts or as part of wider service-level or business-related agreements, both with other intra-group entities and with external organisations based outside the EU.
Binding Corporate Rules (BCR) are a set of internal rules designed by multinational organisations to regulate the transfer and subsequent processing of personal data within group entities, including those located outside EU territory. The significant advantage of BCRs when compared to Standard Contractual Clauses is that once a BCR is approved by the EU Supervisory Authorities, this implies adequacy of the data protection framework adopted by the multinational, meaning that personal data may flow freely within the group without requiring additional safeguards or formalities.
Possible scenarios for multinational organisations
A multinational having establishments in the EU would need to ensure that data flows from its EU-based entities to outside the Union comply with the GDPR. If such data flows are of a frequent nature and involve the majority of organisations across the group, then the most practical option to be considered is a BCR. Although the approval of a BCR triggers a procedure involving the EU data protection authorities, once a BCR is approved it facilitates the free flow of personal data amongst the group entities covered by that authorisation. In order to launch such a procedure, the multinational should identify the EU lead data protection authority with which the BCR should be filed. The criteria for establishing the lead authority are principally the location of the EU headquarters or the place with delegated data protection responsibilities. Embarking on a BCR authorisation involves a procedure whereby, following the reviews conducted by the lead and concerned supervisory authorities, the BCR application then goes through the consistency mechanism envisaged under the GDPR, for which an opinion of the European Data Protection Board will be necessary.
Alternatively, if the transfer is ad-hoc or requires a quicker, albeit individual, solution, a multinational organisation may consider the use of standard contractual clauses to regulate data transfers between its EU-based entities and the third-country receiving entities. This would solve the matter in the short term, but the use of BCRs would be ideal for dealing with data transfers on a long-term basis. The use of standard clauses is also common for EU entities not necessarily forming part of a group and engaging external service providers (whether controllers or processors) in third countries.
More information and guidance on how to comply with the GDPR can be found in the author’s publication – A Practical Guide to GDPR.
About the Author:
David Cauchi is a seasoned data protection expert, having worked in the field for more than 14 years. After graduating in Management and Banking & Finance, with Honours in Management, at the University of Malta in 2003, David joined the Maltese Data Protection Authority. Since then, he has formed part of the technical team, where he is currently serving as Head Compliance.
Throughout all these years, David has developed expertise in data protection matters, particularly in handling complaints, carrying out inspections and audits, dealing with cross-border issues including international data transfers, and providing guidance and raising awareness on data protection to various sectors, including banking and financial services, online gaming, employment, and the public at large.
He also represents the Information and Data Protection Commissioner in various Data Protection fora and meetings organised by EU Institutions. He is actively involved in the Coordinated Supervision of EU large-scale information systems, such as Europol, Schengen (SISII), Visa (VIS), Eurodac and Customs (CIS). David is currently serving his first term as Chair of the SIS II Supervision Coordination Group, having been elected in November 2017, after serving as Vice-Chair for the previous four years.
He is often invited to participate as an expert speaker in conferences and seminars on the GDPR.
More information about the author is available at https://www.linkedin.com/in/cauchi-david-49090b5