From May 2018, the General Data Protection Regulation (GDPR) will apply to all international organisations that process EU residents’ data. Companies will therefore be required to make significant changes in data subject consent, privacy by design, data breach notification and in several other areas in order to comply with the Regulation and transfer data internationally.
A large number of delegates attending IT Governance’s GDPR webinars had questions related to international transfers of EU residents’ personal data under the GDPR, the impact Brexit will have on organisations in the UK, and the privacy considerations companies need to take into account when transferring data from Europe to the United States.
In this blog post, IT Governance’s GDPR expert answers our attendees’ most frequently asked questions to shed light on some of the GDPR requirements for international transfers.
If processing or controlling EU residents’ data but the processing/controlling takes place in the USA, how does the GDPR apply? Is the GDPR global or EU only?
Article 3 of the GDPR sets the territorial scope of the Regulation to apply to both:
- [Article 3(1)] the processing of personal data in the context of the activities of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union; and
- [Article 3(2)] the processing of personal data of data subjects within the Union by a controller or processor established outside the Union where the processing relates to either the offering of goods or services, or to the monitoring of EU data subjects’ behaviour within the Union.
This means that organisations that are not established in the EU but offer goods or services to individuals in the EU, or monitor their behaviour, will be required to comply with the GDPR.
The UK government has confirmed that, in line with its treaty obligations, the GDPR will apply in the UK from 25 May 2018.
The working assumption must, therefore, be that Brexit will have no impact on how the Regulation is applied. Reality, though, doesn’t always follow logic, so the only practical advice at the moment is to proceed on the basis that the GDPR will work as intended but to keep abreast of developments in the field over the next 18 months.
If somebody is living in the EU but is not actually an EU citizen (e.g. an expat), does the GDPR still apply?
Yes – when you travel abroad, you are subject to the laws of the country you travel to. Similarly, when you are living in the EU, your personal data is covered by its laws and regulations.
Is signing up to the EU-US Privacy Shield sufficient to satisfy the GDPR processing clauses?
No – the EU-US Privacy Shield is purely for protecting personal data under the Data Protection Directive (DPD) in transatlantic data flows. Its scope differs from that of the GDPR, particularly with regard to legal obligations around the processing, handling, collecting, etc. of personal data.
Moreover, the EU-US Privacy Shield is subject to annual review, and is therefore likely to change. This provides limited certainty with regard to data protection. This factor, combined with the drastically different data protection culture in America and in light of the GDPR principle of adequacy, means it is highly unlikely that current EU-US Privacy Shield conformance will suffice for GDPR compliance. US organisations that are within the scope of the GDPR should proceed on the basis that they, too, will have to fully comply with the Regulation’s requirements.
Is there flexibility to comply with the GDPR, or must all EU countries implement the Regulation exactly as written?
There is very little flexibility. The GDPR is a form of EU legislation known as a regulation. Within the EU, regulations are directly applicable in every Member State, and the GDPR will be directly binding on all Member States from 25 May 2018. No further legislation is required to implement the GDPR, and one of the Regulation’s drivers is to ensure the standardisation of data protection regimes across the EU.
However, some articles within the GDPR permit Member States a degree of flexibility. Member States can, for instance, vary the definition of special categories of data and the age they deem to be the threshold for a minor in relation to information society services.
What will the procedure be for gaining an adequacy rating, e.g. for an international organisation? Is it acceptable to use Cloud providers in the USA so long as there is a business contract in place that provides protection?
The rules regulating international transfers of data under the GDPR have much in common with the rules under the DPA in the UK (except that organisations are now limited in their ability to transfer data on the basis of their own adequacy assessment). It’s important to remember that there are two primary objectives to the GDPR, and one of those is facilitating the free movement of data. The GDPR thus clarifies some of the procedures for international data transfers that were contained in the DPD.
The adequacy of protection levels associated with a particular transfer may be ensured by:
- Use of model contract clauses;
- Use of binding corporate rules governing intra-group data transfers; or
- Reliance on an exemption.
For international organisations, these will still be legitimate options for international data transfers.
In addition to this, transfers may be made where the Commission decides that a third country, territory, one or more specific sectors in a third country, or an international organisation ensures an adequate level of protection. This is beneficial, since it means that organisations designated as adequate by the Commission will not need to obtain further authorisation for individual transfers.
Adequacy decisions are subject to a periodic review, in which the Commission consults with the entity and considers relevant developments in the entity and information from other relevant sources. Adequacy decisions therefore may involve some type of audit of the international organisation. The procedure for deciding adequacy is likely to involve the opinions of supervisory authorities, as well as the EDPB, and approval through an examination by the Article 31 Committee before the decision is adopted by the College of Commissioners.
What impact will Brexit have on the choice of the supervisory authority?
None: the ICO will remain the supervisory authority of the UK. NB: the UK government has confirmed that, regardless of the Brexit negotiations, the GDPR will apply in the UK. The GDPR already allows organisations to select a lead supervisory authority on the basis of the Member State in which they have a permanent establishment or in which a significant part of their processing takes place, and it’s difficult to see this option not being available to UK companies post-Brexit.
In case of US-based companies, would NIST 800 controls cover the GDPR requirements? If so, how much: fully or partially?
There’s no reason why not; the NIST 800 publications include a good set of controls that are likely to offer coverage of all the relevant data risks.
How can the GDPR be enforced against third-country organisations? Surely the ICO couldn’t fine a company in China.
Non-EEA controllers have to appoint an EU representative – that’s the first step for a regulator in an enforcement action.
What would happen if an organisation outside the EU refused to pay the fine, believing they are outside the EU’s jurisdiction?
Enforcement action, under international treaties.
Is a server that is shared with a company in the US classed as transferring data if the server is in the UK? What about Cloud environments based within the EU but logically supported from technical support staff based outside the EEA? If the data is not exported but viewed from third countries, does the GDPR still apply?
If a third country, company or person can access data on a UK/EU server, then you are giving access to someone outside the EEA – you are allowing processing by someone outside the EEA. ‘Consultation’ and ‘use’ of data are explicitly included in the definition of ‘processing’.
In terms of practical implementation, would GDPR compliance be better led by information assurance professionals or legal/policy teams?
Usually better if led by practitioners – with lots of legal input and advice. What matters is how you implement the legal requirements, rather than how well you reflect them in your documentation.
How should companies and internal DPOs proceed in multinational companies that reach out to countries that currently do not have DP regulation or have regulations that conflict with the GDPR? Many US companies require end user details to ensure compliance with US tech laws. They are not GDPR-compliant – how will this be resolved?
International companies will be able to deal with this through the use of binding corporate rules.