Inter­na­tio­nal data trans­fers: opti­ons for companies

Whe­ther cus­to­mer and employee data or data rela­ting to third-party ser­vices on web­sites or Micro­soft 365, trans­fer­ring per­so­nal data to third count­ries is stan­dard prac­ti­ce for many com­pa­nies. But in light of the “Schrems II” decis­i­on by the Euro­pean Court of Jus­ti­ce (ECJ), tho­se enga­ging in this prac­ti­ce may face not only trou­ble from the aut­ho­ri­ties but also claims from data sub­jects see­king com­pen­sa­ti­on for non-material dama­ges. The fol­lo­wing is an over­view of the legal requi­re­ments and options.

What is a third-country transfer?

“Third count­ries” are defi­ned as all count­ries which are not mem­ber sta­tes of the Euro­pean Eco­no­mic Area (EEA). The EEA includes all EU mem­ber sta­tes, as well as Nor­way, Ice­land and Liech­ten­stein. But the ques­ti­on of what con­sti­tu­tes a third-country trans­fer is hot­ly deba­ted and has yet to be ful­ly resol­ved, par­ti­cu­lar­ly in cases whe­re the data is not trans­fer­red direct­ly, but mere­ly disclosed.

When is a third-country trans­fer permissible?

In each case whe­re per­so­nal data is trans­fer­red to third count­ries, it must be ensu­red that data pro­tec­tion does not fall short of the level pre­scri­bed in the GDPR. In par­ti­cu­lar, the GDPR pro­vi­des for the fol­lo­wing options:

1. Ade­quacy decisions

The Euro­pean Com­mis­si­on can issue an ade­quacy decis­i­on affir­ming that an ade­qua­te level of pro­tec­tion for per­so­nal data exists in a spe­ci­fic third coun­try. Such decis­i­ons have been issued e.g. for the United King­dom, Cana­da, Switz­er­land, Japan, Isra­el and South Korea. A com­ple­te list can be found on the EU Commission’s web­site. An agree­ment bet­ween the US and EU is also being pre­pared, the Trans-Atlantic Data Pri­va­cy Frame­work, which is desi­gned to ser­ve as the basis for an ade­quacy decision.

2. Stan­dard con­trac­tu­al clauses

In cases whe­re no ade­quacy decis­i­on exists, the con­trol­ler or pro­ces­sor is requi­red to pro­vi­de appro­pria­te safe­guards in order to ensu­re an ade­qua­te level of pro­tec­tion. Of par­ti­cu­lar importance are the EU Commission’s stan­dard con­trac­tu­al clau­ses, which may be adopted by data importers and export­ers. But com­pa­nies should keep in mind that the use of the­se clau­ses is not always suf­fi­ci­ent on its own. Data export­ers need to exami­ne in each indi­vi­du­al case whe­ther the legal situa­ti­on and prac­ti­ces in the third coun­try are such as to ensu­re an ade­qua­te level of data pro­tec­tion or whe­ther addi­tio­nal mea­su­res  are requi­red, such as e.g. encryp­ti­on or anonymization.

3. Other options

Cor­po­ra­te groups in par­ti­cu­lar have the opti­on of adop­ting inter­nal rules gover­ning data pro­tec­tion, or “bin­ding cor­po­ra­te rules.” This opti­on accounts for the need of inter­na­tio­nal con­glo­me­ra­tes to have a sin­gle set of data pro­tec­tion rules, e.g. for the trans­fer of worker or employee data. The­re are also excep­ti­ons to the­se rest­ric­tions, par­ti­cu­lar­ly if a trans­fer can be per­for­med based on the express con­sent of the data sub­ject. In the view of the super­vi­so­ry aut­ho­ri­ties, howe­ver, this would only come into con­side­ra­ti­on in excep­tio­nal cases.

Con­clu­si­on

Legal cer­tain­ty is lack­ing for com­pa­nies except in cases whe­re a data trans­fer to third count­ries is valid­ly excluded or whe­re an ade­quacy decis­i­on exists. It is in the inte­rest of com­pa­nies which trans­fer per­so­nal data to third count­ries wit­hout the bene­fit of an ade­quacy decis­i­on to exami­ne whe­ther appro­pria­te safe­guards exist to ensu­re an ade­qua­te level of data pro­tec­tion. It may also be neces­sa­ry to clo­se­ly exami­ne the legal situa­ti­on and prac­ti­ces in the third country.