Transferring the personal data of European citizens outside of the EU is prohibited by the General Data Protection Regulation (GDPR), unless proper security of the data is ensured.
The companies that transfer the personal data of their clients or employees to data processors or controllers to third parties located outside the EU, e.g., providers of data storage (cloud) services or payroll services, must first ensure that the transferred personal data will be properly protected and secured. These companies have to conclude data processing agreements and also choose one of the suitable methods of transferring personal data as set forth in the GDPR.
The following are several ways of ensuring proper personal data security:
- Transferring data to a country, region or international organization approved by the European Commission as ensuring adequate level of protection to the personal data of European citizens; e.g. such countries are Canada, Switzerland and Japan.
- Sign the adopted by the European Commission with the data recipient in the third country.
- Apply the proper data protection measures listed in Article 46 of the GDPR, e.g. Binging Corporate Rule for data transfers within the group of companies.
- If neither of these measures is applicable, the companies may transfer data in the absence of the appropriate safeguards as set forth in Article 49 of the GDPR, e.g., the data transfer is required to fulfill the contractual obligations according to the agreement signed by the data subject and data controller (when booking a hotel room) or the data subject clearly expressed its consent for the data to be transferred to the third country.
- Transferring depersonalized data.
No additional measures are required when transferring data to an approved country which ensures an adequate level of protection; thus, this is one of the most convenient ways to transfer personal data to a third country. Based on this principle, personal data transfers were permitted to commercial data recipients (controllers or processors)in the US that followed the Privacy Shield provisions, until the decision of the Court of Justice of the European Union (CJEU) in case No. C‑311/18. However, the CJEU determined that the Privacy Shield was not sufficient to protect the personal data of the European citizens from the US Government and did not grant the proper rights to defend oneself from possible spying.
SCC are yet another method of personal data transfer and they are signed with the data recipient in a third country. According to the CJEU, when signing such clauses, data controller should also take the possible data access of governmental institutions of the respective third country into account. This is why the CJEU made personal data transfer to the USA more difficult for the majority of companies, as according to the US laws, companies are obligated to grant governmental institutions access to the personal data of both the US and third country citizens.
Companies which use SCC for personal data transfers to third countries must assess whether or not the governmental institutions of the respective countries may demand access to a disproportionate quantity of the protected personal data of the European citizens. If such a possibility exists, the personal data cannot be transferred under this basis.
For example, in Lithuania, upon the request of governmental institutions, providers of electronic communication services (Internet and mobile connection) must grant these institutions access to the electronic communication data, if such access is required to investigate severe or grave crimes. Meanwhile, in the USA, such access is granted to both the communication data of the suspected individual and any other individuals who comply with monitoring program criteria, although are not necessarily suspected of any crime.
Without a doubt, the requirement to assess the laws of third country and to inform the other contractual party about any changes in such laws bring many difficulties to the companies. The European Commission has notified that in consideration of the CJEU decision, the approved SCC are under review and will be soon updated. Maybe, a list of the approved countries or sectors will be prepared.
The companies which used the Privacy Shield to transfer personal data to the US should now choose other possible measures to ensure personal data protection.
Associate of Glimstedt Law Firm Raminta Bučiūtė specializes in data protection, intellectual property and technology, media and communication law.
Translated by MP Translations Agency in Kaunas.