If you are operating a business in the European Economic Area (EEA) or if your business is outside the EEA but offers goods or services to customers in the EEA, you are no doubt aware of the General Data Protection Regulation.1 The GDPR, as it is known, aims to protect the fundamental privacy rights of data subjects and give them more control over their personal data. In a world where personal data is widely used, the GDPR works to ensure this data is collected, managed, processed, transferred, and protected under stringent conditions.
Although many countries have data protection laws, they are not consistent in their protection of personal data. And some countries, such as the United States, do not even have a federal data protection law. Understandably, this makes the European Commission cognizant that personal data leaving its borders may lack protection. To help combat this the GDPR contains mechanisms for transferring personal data outside the EEA.
The basic starting position of the GDPR is that a transfer of personal data outside the EEA is not permitted unless it meets certain requirements. To illustrate these requirements, let's use an example: You run an e-commerce business in the EEA and want to use a Customer Relationship Management program (CRM) to improve your relationships with customers and promote sales growth. You've researched CRM's and decided that a US company best meets your needs. You have a list of customers you want to manage with the CRM. Before you can transfer their personal data to the CRM in the US, you need to determine if the transfer is permitted under the GDPR.
The GDPR provides 3 mechanisms to justify the transfer of personal data to a country outside the EEA. First, does the country to where the data is being transferred provide an adequate level of protection of personal data. The European Commission has a list of countries which it has determined provide an adequate level of protection, available HERE. Check this list to see if the country where you want to transfer the personal data is included. If it is on the list, then you can make the transfer. In our example, we want to send personal data to the US. The US is not on the list, so we need to determine if a transfer to the US would meet another justification. Note that until recently, if the US company was self-certified under the EU-US Privacy Shield, you could transfer personal data from the EU to the company in the US as the Privacy Shield was considered to offer an adequate level of protection. But this is no longer the case. The EU-US Privacy Shield was recently declared invalid by the Court of Justice of the European Union.2 So this is no longer a mechanism to justify the transfer of personal data.
Second, if the country to which the personal data will be transferred does not have an adequate level of protection, as determined by the European Commission, you need to determine if you have appropriate safeguards in place to protect the data. Article 46 of GDPR elaborates on what these safeguards are, such as binding corporate rules and standard contractual clauses. But for purposes of our example, you don't have binding corporate rules as yours is a small company.
Standard contractual clauses are a safeguard that has often been used by companies to transfer the personal data. However, in the same decision by the Court of Justice of the European Union that ruled the EU-US Privacy Shield to be invalid, the Court also determined that standard contractual clauses cannot be relied upon for the transfer of personal data if the data exporter, who needs to conduct a risk assessment, determines through the assessment that the protection of the personal data cannot be ensured in light of the circumstances of the transfer and possible supplemental safeguard measures. In the US, the Federal government has broad powers to collect the personal data of non-US citizens for purposes of national security and anti-terrorism measures. The authorities can access such personal data and the public law granting them permission to do so takes precedence over commercial concerns. Along with this wide surveillance power, non-US citizens do not have sufficient legal rights in the US that they can enforce to protect their data. So standard contractual clauses in and of themselves are no longer adequate. You need to implement additional technical measures to prevent US authorities from accessing personal data in order to ensure appropriate safeguards are in place for its transfer. For example, the personal data could be encrypted but only if this adequately protects the data and if the authorities and your CRM have no way to decode the data. If adequate supplemental measures cannot be undertaken to protect the data, then you cannot rely upon standard contractual clauses for the transfer. Data protection authorities are starting to take this ruling to heart. Earlier this month, the Irish Data Protection Commission allegedly sent Facebook a preliminary order to suspend transfers of personal data to the United States using the standard contractual clauses.
The Swiss Federal Data Protection and Information Commissioner has come to a similar conclusion as the Court of Justice of the European Union with respect to the Swiss-US Privacy Shield and standard contractual clauses. The Swiss-US Privacy Shield was a mechanism for transferring personal data from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). On September 8, 2020 the Swiss Federal Data Protection and Information Commissioner said it no longer considers the Swiss-US Privacy Shield to provide an adequate level of protection for the transfer of personal data to the US, amending its stance on the US in its list of the adequacy of protections in certain countries.3 That assessment is subject to any deviations in rulings by Swiss courts. The Swiss Federal Data Protection and Information Commissioner also agreed with the assessment that standard contractual clauses cannot legally prevent foreign security authorities from accessing personal data and that Swiss citizens do not have adequate enforceable legal rights in the US to protect their personal data. There are no safeguards in place to ensure the personal data is protected adequately when transferred to the US. Switzerland and the EU mutually recognize that their respective data protection legislation provides equivalent levels of protection. It is important for both jurisdictions to align on their assessment of transfers of personal data to third countries, especially when personal data transferred between is then transferred to third country. The decision of the Swiss Federal Data Protection and Information Commissioner reflects this.
If you determine that the country to which you want to transfer the personal data does not have an adequate level of protection and you do not have appropriate safeguards in place to protect that personal data, you must then consider if the transfer meets one of the derogations established in Article 49 of the GDPR. A derogation is a specific justification for the transfer that applies to a specific situation. These derogations are interpreted narrowly and can be difficult to meet. For example, one derogation is consent. But to meet this, the data subject must explicitly consent to the transfer, their consent must be for a particular data transfer (set of transfers), and you must provide detailed information to the data subject on the transfer including the risks involved. Another derogation is that the transfer is necessary for the performance of your contract with the data subject. Again, this contractual necessity derogation is interpreted narrowly. Although transferring a customer's personal data to a CRM in the US would make your work with the customer more efficient, convenient, or even cost effective, it is not needed for you to perform your services for your customer. In this case, the transfer is not contractually necessary. It can be difficult for the transfer to fall within a derogation.
If a transfer of your customers' personal data to the US is not permitted under the GDPR transfer mechanisms, and you cannot provide adequate technical measures to protect the data, then you cannot transfer their personal data to the CRM's US location. What can you do if you still want to use the CRM? Many cloud-based companies now have servers in the EU to host their platforms. Check with the CRM to see if it has an EU server for its EU clients. If it does, then you can transfer the data to the EU server. The data stays within the EU and you stay within the requirements of the GDPR while utilizing the CRM. You can also turn to the European Data Protection Board and your national Data Protection Authority for further guidance in this ever evolving field of data protection.
1. The GDPR and its transfer regulations apply to the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway).
2. On July 16, 2020 the Court of Justice of the European Union stated that the European Commission's 2016 decision that the EU-Privacy Shield was adequate, was invalid. See Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems ("Schrems II").
3. For more information, see the FDPIC's "Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.