Since the General Data Protection Regulation (GDPR) came into effect in May 2018, businesses need to comply with strict rules on how they handle the personal information of citizens in the European Union (EU). One of the biggest changes to privacy law is how the GDPR regulates the transfer of EU citizens’ personal information overseas. If you are an Australian business looking to target EU citizens, or you are going to open an office in the EU, you need to understand the GDPR rules. This article will explain when you can legally transfer EU citizen data overseas.
What is the GDPR?
The GDPR is a set of laws from the EU that aims to protect individual privacy, specifically the use of personal information. As part of the changes in 2018, the GDPR introduced strict new rules on how businesses can handle customer data when it is transferred to a third party.
If the data is transferred to a third party within the EU, the third party must:
- ensure any data processing is covered by a written legal contract;
- promise to process personal data on the written instructions of the business transferring the data; and
- help with any questions from the regulator.
However, under the GDPR, transferring personal data outside the EU is prohibited unless an exception applies. Yet many server providers, such as Amazon Web Services, are located outside of the EU, and the businesses that use them rely on the daily transfer of data to such a third party. Therefore, the GDPR sets out two exceptions that allow this transfer.
When Can Your Business Transfer EU Citizen Data Overseas?
A company can only send an EU citizen’s data to a company based outside the EU if:
- there are appropriate safeguards for any misuse of data when the transfer takes place; or
- the EU decides that a non-EU country is safe enough to receive EU citizens’ data (known as an adequacy decision).
1. Appropriate Safeguards
There are many different types of ‘appropriate safeguards’. For example, an appropriate safeguard can be:
- corporate rules committing an organisation to good privacy practices;
- agreeing to the ‘EU standard contractual clauses’; or
- allowing the EU citizen to take action against the culprit if their data was misused during the transfer.
The Standard Clauses
The EU’s standard contractual clauses (standard clauses) are contract clauses which set out rules for transferring data from an EU country to a non-EU country. The rules do not change (hence they are ‘standard’). For example, one of the rules requires that the recipient of the data has technical and security measures in place to safeguard the data.
The standard clauses count as an ‘appropriate safeguard’ under the GDPR. The GDPR states that if a business transferring data and a business receiving data (based outside the EU) sign a contract based on the standard clauses, then the transfer can go ahead. This is because the standard clauses set out rules that make a transfer of data, and the processing of data, safe.
For example, the standard clauses state that the business processing personal data must:
- co-operate with EU supervisory authorities;
- put in place good security to protect personal data;
- put in place processes and procedures to help the business transferring the data deal with any person’s request to exercise their data rights under the GDPR; and
- delete personal data if the contract ends.
2. Adequacy Decision
The European Commission has the power to decide a non-EU country is safe enough to receive EU citizens’ data. This is known as an adequacy decision. The European Commission makes its decision based on factors such as:
- the rules in that country;
- whether the country has an independent supervisory authority looking out for the privacy rights of its citizens;
- any international commitments to privacy; and
- whether the country has a serious enough commitment to privacy to not need any other intervention.
For example, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Switzerland, Uruguay and New Zealand are on this list.
The EU-US Privacy Shield Framework
Besides adequacy decisions, there are also agreements between the EU and certain non-EU countries, such as the EU-US Privacy Shield Framework introduced in 2016. This is another way that the EU can determine that a non-EU country is safe enough to receive data.
The framework enables data transfers to companies based in the US with few restrictions. However, not every company is allowed to receive a transfer of data from the EU. Only companies that have met the requirements of the framework can join. It is a self-certification process, and any company that wants to receive data needs to:
- develop a privacy policy that complies with the framework;
- have a way to investigate privacy complaints;
- pay a joining fee;
- have a designated privacy contact; and
- meet the other requirements set out in the framework.
If a US company successfully meets all the requirements needed to join the framework, then EU companies that want to transfer data to the US company do not need to worry about whether the US company agrees to the standard clauses.
Key Takeaways
If you’re an Australian business and you handle EU citizens’ personal data, then it is important to remember:
- you likely need to comply with the GDPR;
- if a business in a non-EU country helps you deal with EU citizens’ data, then there must be appropriate safeguards in place to protect that data (this includes having the recipient company agree to the standard clauses); and
- alternatively, the country in which the recipient company is based may be subject to an adequacy decision, the most common example of which is the EU-US Privacy Shield Framework.
If you have any questions about complying with the GDPR, you can contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.