
International Data Transfers under GDPR

One goal of the General Data Protection Regulation (GDPR) is to facilitate the free movement of personal data among member states under shared data protection principles. However, the Regulation also acknowledges that transferring personal data to non-member countries demands special attention.
Chapter V of the GDPR permits transfers of personal data to third countries only in one of the following cases:
  • The third country ensures an adequate level of protection for personal data, as determined by the European Commission.
  • If no such adequacy decision is in place, the data controller or processor provides appropriate safeguards that ensure enforceable rights and effective legal remedies for data subjects.
  • If neither an adequacy decision nor appropriate safeguards are present, the transfer falls within one of the specific derogations set out in the Regulation.
To better understand the concept of International Data Transfer, we first need to understand what the term Transfer includes:

What counts as a 'transfer' of personal data?
The GDPR doesn't clearly define what a 'transfer' is, but it's more than just sending data through another country. A 'transfer' involves some kind of processing (like storing, changing, or using the data) in the third country. Simply passing data through a third country (like when data is just travelling through) doesn’t count as a transfer unless that country actually does something with the data.

Two common situations not considered data transfers:
Technical Routing: When data (like emails or web pages) moves between servers around the world just as part of how the internet works, it doesn't count as a data transfer under the GDPR rules.

Temporary Access by Travellers: If someone temporarily present in a country with lower data protection accesses data held in Europe (for example, logging into a European system from an airport abroad), it is not considered a data transfer.

Case Example:
In a 2003 European Court of Justice case, it was decided that if someone in the EU uploads personal data to a website hosted in the EU or another EU country, and it can be accessed by anyone on the internet, this does not count as a transfer to a third country.

If personal information is shared internationally and then processed in the receiving country, it is considered a transfer. For example, if someone in the EU gives personal data over the phone to someone in a third country, and that person then enters the data into a computer system, this is a data transfer under the GDPR, even though merely sharing the information over the phone would not be.
Article 45(1) of the Regulation states that:
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”

The Commission, after evaluating the level of data protection, can decide through an implementing act that a third country, a specific area within a third country or an international organization provides adequate protection as defined by law. This implementing act must include a mechanism for periodic review, at least every four years, considering all relevant changes in the third country or organization. It must also detail the territorial and sectoral scope and, if relevant, identify the authorities responsible for ensuring and enforcing compliance with data protection rules. Additionally, the Commission must continually monitor developments in third countries and international organizations that might impact the adequacy decisions.

Situation in the United States for transferring data:
Given the significant volume of data transfers between the EU and the United States, the U.S. Department of Commerce and the European Commission originally developed the Safe Harbor mechanism as a self-regulatory framework to meet EU data protection requirements for transatlantic data transfers. On July 26, 2000, after extensive negotiations, the Commission decided that the Safe Harbor Privacy Principles provided adequate protection for personal data transferred from the EU. This decision allowed EU personal data to be transferred to U.S. companies that agreed to comply with these principles.

However, the Safe Harbor Framework faced many challenges from the start. Although the Safe Harbor Privacy Principles were intended to meet the adequacy standards of the Directive, the self-certification process and the non-European approach of its provisions drew significant criticism. Weaknesses included companies not performing the required annual compliance checks and the Federal Trade Commission's (FTC) lack of active enforcement compared to other domestic cases. These issues led some EU data protection authorities (DPAs) to question the Safe Harbor Framework's validity as an adequacy mechanism.

Schrems I and Schrems II
The June 2013 revelations by Edward Snowden about the mass surveillance operations conducted by the U.S. National Security Agency (NSA) significantly impacted the EU's regulation of international personal data transfers.

Austrian law student Maximilian Schrems questioned the validity of Safe Harbor by filing a complaint with the Irish Data Protection Commissioner, requesting the cessation of personal data transfers by Facebook Ireland to the United States. Schrems argued that Facebook Ireland, which manages data for Facebook’s European users, could no longer justify transferring his data to the U.S. under the Safe Harbor Framework due to the extensive access U.S. intelligence agencies had to such data, as revealed by Snowden. The complaint was escalated to the Irish High Court, which then referred the issue to the Court of Justice of the European Union (CJEU). On October 6, 2015, the CJEU declared the Safe Harbor adequacy decision invalid. This ruling increased the pressure on the Commission to establish a more robust mechanism for EU-U.S. data transfers.

Schrems continued his legal proceedings and challenged the EU-US Privacy Shield framework, the successor to Safe Harbor. The Privacy Shield framework was invalidated by the CJEU on July 16, 2020, in the Schrems II case. The court ruled that the framework did not provide adequate protection against U.S. surveillance practices and did not ensure effective legal remedies for EU citizens. The ruling highlighted concerns over U.S. government access to personal data and the lack of sufficient safeguards and redress mechanisms to protect EU citizens' data privacy rights.
Since the invalidation of the Privacy Shield, companies have had to rely on other mechanisms, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), for transatlantic data transfers, while policymakers work towards developing a new framework to address these issues.

Standard Contractual Clauses
As per the General Data Protection Regulation (GDPR), contractual clauses that guarantee adequate data protection measures can be utilized as a lawful basis for transferring data from the EU to third countries. This includes standardized contract clauses known as standard contractual clauses (SCCs), which have been pre-approved by the European Commission.

On June 4, 2021, the Commission issued updated standard contractual clauses under the GDPR. These clauses are designed for transfers of personal data from controllers or processors within the EU/EEA (or otherwise under the jurisdiction of the GDPR) to controllers or processors located outside the EU/EEA and not subject to the GDPR.

Organizations are required to use these SCCs for new data transfers under Article 46(2)(c) of the EU General Data Protection Regulation starting in late September 2021. Additionally, they must replace existing SCCs for current processing operations by late December 2022.
The new SCCs have the following features:

  • Implementation Timeline: The European Commission provides companies an 18-month transitional period starting June 27, 2021, to replace all contracts with the new standard contractual clauses (SCCs). This is more generous than the one-year period initially proposed, yet it still requires significant preparation. Organizations can continue using the current SCCs for new transfers for three months after the new SCCs come into effect (Article 4 of the Implementing Decision).
  • Greater Alignment with the GDPR: The new SCCs have been revised to better align with GDPR requirements, including:
      • Obligations on data processors now include all elements required under Article 28 GDPR.
      • Importer controllers must notify data protection authorities of personal data breaches likely to risk individuals' rights and freedoms, and notify data subjects in line with Article 34 GDPR (Module 1, clause 8.5(e) and (f)).
      • Obligations to implement appropriate technical and organizational safeguards are now more closely aligned with Article 32 GDPR (Module 1, clause 8.5; Modules 2 and 3, clause 8.6; Module 4, clause 8.2).
      • Defined timeframes for importer controllers to handle data subject rights (Module 1, clause 10).
      • A revised liability regime (Clause 12).
  • Expanding Onward Transfer Rights: The new SCCs allow importers to transfer personal data to third parties in third countries without standard contractual clauses or similar binding instruments when necessary for legal claims or to protect vital interests (Clause 8.7 (Module 1), Clause 8.8 (Module 2 and 3)). They also clarify that controller importers do not need to inform data subjects of all recipients' identities, only the categories of recipients.
  • Security of Processing: Security provisions have been strengthened. Clause 8.5(b) of Module 1 requires Annex II (Technical and Organizational Measures) completion where the importer is a controller, and processor importers must regularly verify these measures' appropriateness (Modules 2 and 3, Clause 8.6). Annex II demands specific descriptions of measures for each transfer.
  • Data Subject Rights and Supervision: The new SCCs expand the list of clauses data subjects cannot invoke or enforce against the data exporter/importer. Data subjects can still invoke most clauses as third-party beneficiaries. Clause 1 clarifies that data subjects can lodge complaints with the supervisory authority (SA) in their residence, place of work, or the relevant SA provided in the supervision clause. For organizations outside the EU with an Article 27 EU representative, the competent SA is where the EU representative is established, and these must be listed in Annex 1 (Clauses 3, 11(c), and 13).
  • Liability and Indemnification: The previous indemnification clause is replaced with a "contribution clause" reflecting Article 82.5 of the GDPR. It allows controllers or processors that paid full compensation for damages to claim back from others responsible for the damage, maintaining the practical effect (Clause 12).
  • Identifying Controllers in P2P Transfers: The new SCCs remove the requirement to list controllers in processor-to-processor transfers, a requirement from the draft SCCs. Sub-processor importers need only notify controllers of personal data breaches where "appropriate and feasible."

Binding Corporate Rules
EU Data Protection Authorities (DPAs) have recognized Binding Corporate Rules (BCRs) as a valid mechanism for legitimizing data transfers within a corporate group. BCRs are a comprehensive set of rules based on European privacy standards, voluntarily adopted by multinational organizations and approved by national regulators in accordance with their own laws. The concept of using BCRs to provide adequate safeguards under the Directive was initially proposed by the Article 29 Working Party (WP29) in Working Document WP 74.

Since then, EU DPAs have enhanced their cooperation to streamline the BCR approval process, leading to the adoption of a 'mutual recognition' process, which has been integrated into the Regulation.
According to the Regulation, Data Protection Authorities (DPAs) must approve a set of Binding Corporate Rules (BCRs) through the "consistency mechanism" (see Chapter 13), provided these rules are legally binding and grant enforceable rights to data subjects.

A complete and valid set of BCRs must include the following elements:
  • The structure and contact information of the corporate group and each of its members.
  • Details of the data transfers, including categories of personal data, the type and purpose of processing, the type of data subjects affected, and identification of the relevant third country or countries.
  • Their legally binding nature, both internally and externally.
  • The application of general data protection principles, particularly purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, handling of special categories of personal data, measures to ensure data security, and requirements for onward transfers to entities not bound by the BCR.
  • The rights of data subjects regarding processing and the means to exercise these rights, including protection against decisions based solely on automated processing (including profiling), the right to lodge complaints with the competent supervisory authority and courts, and the right to obtain redress and compensation for BCR breaches.
  • Acceptance by the controller or processor established in a member state of liability for any BCR breaches by any member not established in the Union.
  • How information on the BCR is provided to data subjects.
  • The responsibilities of any data protection officer (DPO) or other individuals/entities in charge of monitoring BCR compliance.
  • The complaint procedures.
  • Mechanisms to ensure verification of BCR compliance.
  • Procedures for reporting and recording changes to the rules and informing the supervisory authority of these changes.
  • Cooperation mechanisms with the supervisory authority to ensure compliance.
  • Procedures for reporting to the competent supervisory authority any legal requirements in a third country that may substantially adversely affect the guarantees provided by the BCR.
  • Appropriate data protection training for personnel with permanent or regular access to personal data.
The future of international Data Transfer
Overcoming the restrictions on international data transfers remains one of the most challenging compliance issues for global organizations operating in the EU. As previously mentioned, identifying and implementing the appropriate mechanism to ensure an adequate level of protection can be arduous and time-consuming. Despite technological advancements, increasing globalization, and surveillance threats, the likelihood of the EU institutions adopting a more lenient approach in the near future is low. To ensure compliance, organizations are strongly encouraged to develop a robust global data protection compliance program that aligns with the adequacy criteria set by the European Commission. This can be achieved through either contractual mechanisms or a set of Binding Corporate Rules (BCRs).


By: Shanu Rajput 
(Cyber Legal Content Strategist, WCSF)
