Published On: February 5, 2021

A big data challenge looms for those outside the EU who are subject to the GDPR: how does that rule apply to data transfers?
On November 10, 2020, the European Data Protection Board, or EDPB, adopted recommendations geared toward helping data exporters assess the level of protection provided by third countries to personal data. Under the EU's General Data Protection Regulation (GDPR), the protections that apply to personal data in the data's region also travel with it wherever it happens to go.
Tackling Big Data Challenges
There are several elements that are key to understanding the big data challenges encountered when personal data must be shared internationally. Here are a few tips to help keep your organization operating within legal parameters.
Note: This is not legal advice.
Map Your Transfers
In its guidance, the EDPB suggests that as an initial step, data exporters subject to the GDPR should know their transfers. They should conduct a mapping exercise so they are aware of which countries personal data is going to, so those exporters can assess whether a sufficient level of protection is provided to that data. But the Board's recommendation, in some measure, raises the question: what exactly constitutes a "data transfer"?
What Constitutes 'Data Transfer' Is Fuzzy
The EU's General Data Protection Regulation discusses data transfers at length but does not exactly define them. Yes, there are multiple Articles dedicated to transfers (such as Articles 44, 45, and 46), and dozens of uses of the words transfer and transfers throughout the entire regulation, but the definitions section of the regulation does not define them. We might collectively think we know in our heads what a data transfer is — that it is so obvious that it need not actually be defined — but consider this scenario:
Is personal data stored on a server in the EU but viewed from a computer in the United States subject to the GDPR's data transfer restrictions? Has that data actually been transferred?
Suddenly, determining exactly what a data transfer is — and consequently which rules apply — gets a bit more complicated.
Has the Data Been Accessed or Merely Routed?
The UK Information Commissioner's Office, or ICO, maintains that an entity processing personal data in the European Economic Area (EEA) that sends personal data — or merely makes it accessible — to an entity outside the EEA is making a restricted transfer. (The EEA includes EU countries as well as Iceland, Liechtenstein, and Norway.) Under GDPR, certain protective measures have to be taken for personal data to be transferred to a so-called "third country." However, the UK ICO also notes that "if personal data is just electronically routed through a non-EEA country but the transfer is actually from one EEA country to another EEA country, then it is not a restricted transfer."
Again, interpreting and applying the definition of a data transfer can be daunting. The EDPB notes in its recommendations that remote access by an entity in a third country to personal data located in the EEA is considered to be a data transfer.
What's the Big Deal?
Data transfers have been a hot topic of late, in part due to a decision earlier this year by the Court of Justice of the European Union in a case referred to as Schrems II. The court determined that the EU-U.S. Privacy Shield Framework is invalid because of concern that public authorities in the United States could access personal data without appropriate due process for EU residents. Back in 2016, the European Commission had determined that the framework was sufficient to allow data transfers in compliance with EU law.
Facing big data challenges, organizations subject to the GDPR that relied on the Privacy Shield have been scrambling to take steps to put protections in place so they can continue to transfer personal data in compliance with the law.
What Are the Options?
Once an organization knows its transfers thanks to its mapping exercise, it should determine which safeguard it relies on, such as standard contractual clauses or binding corporate rules.
From there, things get even more convoluted. Pursuant to the EDPB's recommendations, an organization should determine whether laws in the third country involved might negatively impact the effectiveness of the safeguards on which the organization is relying. If so, the organization, among other things, should develop supplementary measures as needed to protect the data transfers appropriately. These supplementary measures might include encryption, only transferring pseudonymized data, or taking other steps to protect data effectively. If sufficiently protective supplementary measures cannot be developed, the organization may even need to consider halting certain transfers until adequate safeguards can be provided.
It's a lot to take in—and, indeed, it can be even more challenging to adhere to the GDPR's requirements in light of the Schrems II decision. Organizations should note, though, that the EDPB, in frequently asked questions issued shortly after the Schrems II decision, pointed out that there is no grace period during which impacted entities can continue transferring data to the United States without assessing the legal bases for the transfers. Also troubling: not long after the Schrems II decision was issued, the Irish Data Protection Commission ordered Facebook to halt data transfers to the United States. That matter, as of press time, is still being litigated.