The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Are Companies Allowed to Transfer Personal Data Outside of the EEA?
Answer: Companies are allowed to transfer personal data outside the EEA, provided they have in place appropriate safeguards to transfer such data.
Alternatively, such safeguards would not be required if the country has been recognized by the European Commission as ensuring an adequate level of protection, pursuant to Article 45. Canada, Israel, and Argentina, among others, have been recognized as ensuring adequate protection. It is expected that the UK, after Brexit, will also be recognized as ensuring adequate protection (although it is unclear how quickly such a decision will be rendered).
The appropriate safeguards that currently exist are:
Standard data protection clauses. “Standard Contractual Clauses” or “Model Contractual Clauses” refer to contractual clauses that have been reviewed and approved by the European Commission. There currently exist Standard Contractual Clauses designed to facilitate the transfer of personal data from a controller within the European Economic Area to a controller outside of the European Economic Area (i.e., controller-to-controller clauses), as well as Standard Contractual Clauses designed to facilitate the transfer of personal data from a controller within the European Economic Area to a processor outside of the European Economic Area (i.e., controller-to-processor clauses);
Binding Corporate Rules. Binding corporate rules or “BCRs” refer to a set of internal policies, procedures, and protocols that are adopted between and among a group of interrelated entities (e.g., a multinational corporation), are presented to a data protection authority, and are ultimately approved by that data protection authority;
Privacy Shield. Privacy Shield refers to a framework agreed between the United States Department of Commerce and the European Commission under which a company can self-certify to the Department of Commerce that it will abide by privacy principles that are similar in nature to those contained within the GDPR.
The GDPR also provides for the potential development of two new safeguards listed in Article 46:
Codes of conduct that may be approved at a later date and to which data importers may commit to adhere; or
An approved certification mechanism providing for privacy standards to which data importers may adhere and commit.
It is important to remember that there are also a number of exceptions for specific situations, most of which preexisted the GDPR. When one of these exceptions (often referred to as “derogations”) applies, neither an adequacy decision nor an appropriate safeguard is needed to transfer personal data. These include situations where a data subject has given explicit consent to the transfer, or where the transfer is necessary to perform a contract between the data subject and the controller.
The GDPR also introduces a new exception – a self-assessment by the controller in cases where the transfer cannot be based on an adequacy decision, appropriate safeguards, or one of the other exceptions. A self-assessment is not permitted, however, if the transfer is repetitive, concerns more than a limited number of data subjects, or is not necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests, rights and freedoms of the data subject. A company that relies upon a self-assessment is also responsible for implementing suitable safeguards to protect the personal data after the transfer occurs, and must inform the competent supervisory authority, and the data subjects concerned, of the transfer.