Whether it involves customer and employee data or data relating to third-party services on websites or Microsoft 365, transferring personal data to third countries is standard practice for many companies. But in light of the “Schrems II” decision by the European Court of Justice (ECJ), those engaging in this practice may face not only trouble from the authorities but also claims from data subjects seeking compensation for non-material damages. The following is an overview of the legal requirements and options.
What is a third-country transfer?
“Third countries” are defined as all countries which are not member states of the European Economic Area (EEA). The EEA includes all EU member states, as well as Norway, Iceland and Liechtenstein. But the question of what constitutes a third-country transfer is hotly debated and has yet to be fully resolved, particularly in cases where the data is not transferred directly, but merely disclosed.
When is a third-country transfer permissible?
In each case where personal data is transferred to third countries, it must be ensured that data protection does not fall short of the level prescribed in the GDPR. In particular, the GDPR provides for the following options:
1. Adequacy decisions
The European Commission can issue an adequacy decision affirming that an adequate level of protection for personal data exists in a specific third country. Such decisions have been issued e.g. for the United Kingdom, Canada, Switzerland, Japan, Israel and South Korea. A complete list can be found on the EU Commission’s website. An agreement between the US and EU is also being prepared, the Trans-Atlantic Data Privacy Framework, which is designed to serve as the basis for an adequacy decision.
2. Standard contractual clauses
In cases where no adequacy decision exists, the controller or processor is required to provide appropriate safeguards in order to ensure an adequate level of protection. Of particular importance are the EU Commission’s standard contractual clauses, which may be adopted by data importers and exporters. But companies should keep in mind that the use of these clauses is not always sufficient on its own. Data exporters need to examine in each individual case whether the legal situation and practices in the third country are such as to ensure an adequate level of data protection, or whether additional measures are required, such as encryption or anonymization.
3. Other options
Corporate groups in particular have the option of adopting internal rules governing data protection, or “binding corporate rules.” This option addresses the need of international conglomerates for a single set of data protection rules, e.g. for the transfer of worker or employee data. There are also exceptions to these restrictions, particularly where a transfer can be performed on the basis of the express consent of the data subject. In the view of the supervisory authorities, however, this would only come into consideration in exceptional cases.
Legal certainty is lacking for companies except in cases where a data transfer to third countries is validly excluded or where an adequacy decision exists. It is in the interest of companies which transfer personal data to third countries without the benefit of an adequacy decision to examine whether appropriate safeguards exist to ensure an adequate level of data protection. It may also be necessary to closely examine the legal situation and practices in the third country.