The GDPR also has the global economy in its view: anyone intending to process personal data from the EU for business purposes outside the EU must – in accordance with Art. 3(2) GDPR – submit to the EU rules of the game. Here the EU joins other jurisdictions, such as the US but also China, in regulating conduct that may have an impact on its citizens. Companies from outside the EU must also have a representative within the EU to whom EU citizens can turn directly (Art. 27 GDPR).
However, this is where particularism within the EU strikes: anyone who had once dismissed the discussion about a representative's liability for its principal outside the EU as merely theoretical (and the discussion in Germany was fierce) must now acknowledge a special Spanish rule – the representative under Art. 27 GDPR is liable, at least in Spain. Does this also apply to a non-Spanish representative acting as representative in Spain? A practical way out will now be for companies from outside the EU to set up EU establishments. Will other countries also assert similar requirements on other issues (e.g. cyber security requirements in China) against EU companies?
Germany plays a role here, too: the new Federal German Data Protection Act (continuing the old name Bundesdatenschutzgesetz, or "BDSG") also tries to carry the old understanding of the data protection officer into the new age of the GDPR. This function, unpopular in other EU member states and required under the GDPR only in special processing situations, must be introduced in Germany for every enterprise with 10 or more employees working at computers. Companies headquartered in other EU countries now need a data protection officer specifically for their branches in Germany.
The requirement to appoint a data protection officer raises another question in the international field: does the GDPR really have the power to install a data protection officer in, for example, a South Korean company? Does this requirement still fall under an acceptable "effects doctrine" of international law? The competences of international administrative law end where measures on foreign territory are necessary. There only the sovereignty of the territorial state governs, and any interference from abroad could be considered an act of "aggression". Since – to take the example from before – South Korean data protection law does not require a data protection officer, neither the EU nor Germany can demand one inside South Korea. For this purpose there is, on the one hand, the function of the representative under Art. 27 GDPR (with the potentially unpleasant consequence of liability – see above) and, on the other hand, the special regulations for the international transfer of personal data in Art. 44 ff. GDPR.
The movement of personal data outside Europe is usually based on two EU instruments: for the U.S. the EU-U.S. Privacy Shield applies, and in general the EU Standard Contractual Clauses can be agreed. Here, too, EU solidarity is crumbling. Acceptance of these EU measures remains difficult in the national data protection environment – both instruments date from before the GDPR. With regard to the EU Standard Contractual Clauses, there is a kind of "resumption" by the EU Commission in order to ensure that they apply under the GDPR. But what about the EU-U.S. Privacy Shield?
Does a U.S. company have to consider possible further requirements under Art. 3(2) GDPR, even if it adheres strictly to this bilateral standard and is self-certified under the Privacy Shield? There is certainly a view that the Privacy Shield does not constitute an international treaty because the instrument seems to be non-binding in the U.S. However, this view disregards the fact that the Privacy Shield is based on notes by the relevant U.S. federal secretaries intended to create binding commitments under international law. The exchange of notes is a recognized instrument of international public commercial law. No treaty in accordance with the Vienna Convention on the Law of International Contracts is required here; an exchange of notes is sufficient to be binding. The GDPR may thus have only a limited effect on Privacy Shield-certified companies in the U.S.
International relations continue to be an interesting challenge – in both directions: for exports of personal data from the EU, but also for imports from other jurisdictions! Dentons, with its global network, is the data privacy specialist law firm to help you out!