Global organizations need a clear, legal means to share data across borders, whether to conduct day-to-day business, comply with government regulations, perform under a contract, respond to lawsuits, or simply communicate and share information with colleagues. In this installment of The eData Guide to the GDPR, we explore mechanisms provided in the GDPR that facilitate the cross-border transfer of personal data within a global organization to operations or facilities in countries the European Commission (EC) has not found to provide an “adequate” level of protection for personal data, such as the United States.
Chapter V, and specifically Article 47 of the GDPR, provides guidance regarding the use of binding corporate rules as an option to facilitate such cross-border transfers. In previous installments of The eData Guide to the GDPR, we have looked at the EU’s preference for the inclusion of standard contractual clauses to protect the transfer of data by defining the parties involved in the transfer, the reasons for doing so, and the methods by which the data will be protected.[1] This article will explore other mechanisms designed to ensure similar protections.
Binding corporate rules (BCRs) provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
Article 47 provides some specific requirements for appropriate BCRs. These rules must be
BCRs are the most effective way for a multinational organization to transfer personal data internally on a regular basis, such as human resources and payroll information.
Prior to the enactment of the GDPR, the European Data Protection Board (at the time known as the Article 29 Working Party) had provided guidance[2] on the recommended content of BCRs. According to the board, in addition to the GDPR requirements listed above, good BCRs should incorporate the following:
Although these requirements are rigorous, once the necessary structures and processes are implemented in accordance with a company’s BCRs, they allow a much freer and more natural transfer of data within a company than would otherwise be allowed under GDPR.
The Privacy Shield Framework (Privacy Shield) is a mechanism approved by the EC in July 2016 through which enrolled organizations may transfer personal data from Europe to the United States; it replaced the previous Safe Harbor arrangement.[3] Privacy Shield is administered by the International Trade Administration (ITA) within the US Department of Commerce in cooperation with the European Commission and has over 5,000 active participants.[4] The framework provides
US companies can join Privacy Shield by voluntarily self-certifying with the Department of Commerce that they will adhere to the principles of Privacy Shield after developing a privacy policy that is compliant with the framework. Once enrolled, the obligation to follow these principles becomes enforceable under federal law, either by the Federal Trade Commission (FTC) or the Department of Transportation, and recertification must be done on an annual basis.[6]
Privacy Shield operates under a set of principles that ensure compliance with EU standards of data protection and processing, consistent with GDPR. These principles include
The application to join Privacy Shield requires basic company information, as well as contact information for the personnel within the applying organization who will be responsible for handling complaints from data subjects and data access requests. The applicant also must describe the ways in which it uses personal data and the types it uses, such as human resources data, customer and visitor information, and clinical trial data. Organizations participating in Privacy Shield must also designate whether they will work directly with European DPAs to resolve complaints from data subjects, or with a “private sector developed independent recourse mechanism,” such as the International Centre for Dispute Resolution. They must show that their privacy policies are aligned with the Privacy Shield principles, including specifically providing information on their compliance with each of these principles in the privacy policy.
When data is sent from the European Union to the United States, the data controller in the European Union is required to enter into a contract with the US processor. This contract ensures that the processor in the United States acts only on instructions from the controller; protects the personal data through appropriate safeguards; and assists the controller in responding to data subjects in the case of a complaint or enforcement action. For Privacy Shield participants, these contracts do not require prior authorization from an EU member state.
In compliance with the Privacy Shield principles, data processors must ensure that data subjects can opt out of processing; that the integrity of the data is maintained; and that the data is only maintained for as long as necessary according to the purpose of the processing. Data processors must also provide data subjects with access to their personal information. This is best achieved by “putting [the data subject] in contact with the EU controller, or by working together with the EU controller to provide access, as prescribed by the EU controller.”[7]
Privacy Shield requires an annual review by both European Union and United States regulators to certify the effectiveness of the program. The third annual review in October 2019 confirmed that the United States “continue[s] to ensure an adequate level of protection for personal data” and that there had been a “number of improvements in the functioning of the framework.”[8] These improvements include more systematic oversight by the US Department of Commerce, such as monthly compliance checks; seven enforcement actions by the FTC; the assertion of rights by EU data subjects; and the appointment of a permanent ombudsman. The review, however, identified a few areas for improvement, such as the speed of the certification and recertification processes; guidance on human resources data; and the sharing of information by the FTC on ongoing investigations.
The GDPR provides several mechanisms for otherwise impermissible cross-border transfers of data, including binding corporate rules and other mechanisms such as Privacy Shield. All of these methods come with limitations, but in most cases they allow businesses to function seamlessly from an operational and compliance perspective despite their disparate geographic locations. Adherence to the GDPR’s listed requirements and to guidance from EU authorities is key to keeping these tools in place, enabling the smooth operation of a multinational business.
[1] See Appropriate Safeguards in the GDPR.
[2] Working Document on Binding Corporate Rules for Controllers (wp256rev.01), February 6, 2018.
[3] The Safe Harbor arrangement was invalidated by the Court of Justice of the European Union in 2015 in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14).
[4] Read more about the Privacy Shield Framework.
[5] Read more about EU-US data transfers.
[6] Read more about the Privacy Shield Framework.
[7] Id.
[8] See EU-U.S. Privacy Shield: Third review welcomes progress while identifying steps for improvement.