The GDPR generally prohibits data transfers to non-EU countries unless the data will receive an “adequate level of protection” abroad. The GDPR provides various mechanisms for permitting data transfers and establishes a clear hierarchy among those mechanisms. The first question is whether there is an adequate level of protection in place. If there is no adequate level of protection in place, data may still be transferred to a non-EU country on the basis of appropriate safeguards. In the absence of such safeguards, the transfer must satisfy one of the Article 49 exceptions (referred to in the GDPR as “derogations”) in order to be permitted. Each of these transfer mechanisms is described in more detail below.
Adequate Level of Protection
GDPR Article 45 specifically authorizes transfers of personal data to a non-EU country (called a “third country”) where the EU Commission (“Commission”) has determined that the third country ensures an adequate level of protection. These so-called “adequacy decisions” are binding on all EU member states and generally permit unlimited data transfers. Decisions must be reviewed by the EU Commission at least every four years. Adequacy decisions made under the Data Protection Directive, GDPR’s predecessor, remain in effect until amended, replaced, or repealed. Canada is among the countries deemed “adequate” by the Commission. While transfers to “adequate” countries were also allowed under the Directive, the GDPR now permits transfers to territories or one or more specified sectors within a third country that has received “adequate level of protection” status from the Commission.
The United States has not been white-listed by the Commission, but the Privacy Shield program offers U.S. companies the equivalent of an adequacy decision. U.S. companies that join the Privacy Shield program must self-certify to the Department of Commerce and publicly commit to comply with the EU-U.S. Privacy Shield Framework. That voluntary commitment is then enforceable by the FTC and Department of Transportation.
U.S. companies that are not Privacy Shield certified may still receive data from the EU on the basis of appropriate safeguards identified in Article 46. One such safeguard is a model contractual clause – standard data protection clauses adopted by the Commission. Another is Binding Corporate Rules (BCRs), a code of conduct that applies to the processing of personal data within a group of companies. For example, a U.S. subsidiary of a French corporation would qualify if BCRs were in place. Under the Directive, BCRs were allowed only for data controllers; the GDPR expands the use of BCRs to data processors.
The list of appropriate safeguards in Article 46 also includes codes of conduct, which may be drawn up by associations or other bodies representing categories of companies, and certifications. Codes of conduct must be approved by the relevant Data Protection Authority (DPA). Certifications can only be issued by DPAs or approved certification bodies, and are valid for three years from the date of issue.
In the absence of “appropriate safeguards,” data may be transferred if the transfer falls under one of the limited exceptions (derogations) set forth in GDPR Article 49. The list of exceptions is taken from the Directive, but the GDPR adjusts the requirements in some circumstances. The exceptions are:
- Explicit consent of the data subject for the particular transfer or set of transfers. The Article 29 Working Party Guidelines (“Guidelines”) state that the data subject must be informed of specific risks resulting from the fact of the transfer to a country that does not have adequate protection.
- Transfer necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken at the data subject’s request. The Guidelines specify that there must be a close and substantial connection between the data transfer and the purpose of the contract, i.e., the “Necessity Test.” Moreover, such transfers must be occasional, not systematic and repeated.
- Transfer is necessary for the conclusion or performance of a contract concluded in the legal interest of the data subject between the controller and another natural or legal person. Per the Guidelines, this type of transfer is also subject to the Necessity Test, and must be occasional.
- Transfer necessary for important reasons of public interest. The Guidelines explain that such a transfer may only take place where it is necessary or legally required on important public interest grounds that are recognized in EU law or the law of the Member State to which the controller is subject.
- Transfer necessary for the establishment, exercise or defense of legal claims. This type of transfer can be made where it is occasional and necessary in relation to a contract or legal claim, regardless of whether the proceeding is judicial, administrative or out-of-court. The Guidelines specifically state that such transfers should not include all possibly relevant data but must be limited to what is actually necessary. Companies should also consider whether the data may be anonymized or pseudonymized prior to transfer.
- Transfer necessary in order to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent. The example given by the Guidelines is where a data subject traveling outside the EU is unconscious, requires urgent medical care, and needs personal data from his or her doctor located in the EU.
- Transfer made from a public register. The Guidelines define “public register” and state that transfers under this exception cannot include the entirety of the personal data or categories of data contained in the register.
In addition to the above, Article 49 introduces one new exception not previously included in the Directive: transfer necessary for the purposes of compelling legitimate interests pursued by the data exporter. This derogation may be used only as a last resort where “a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation is applicable.”
U.S. companies that receive data from the EU on a large-scale basis or as part of general business operations should consider Privacy Shield certification, or plan to implement model contractual clauses or BCRs (if the transfers are within a family of companies).