March 21, 2019

What is the best approach to ensure that any cross-border data transfers out of the EU satisfy the rigorous requirements of GDPR?

Hypothetical:  

You are a US-based IT infrastructure company offering services to companies that have operations in the EU.  As a result, these customers use your services to process personal data subject to GDPR.  You have server farms and other data processing operations in the US, and you use vendors around the world.  What is the best approach to ensure that any cross-border data transfers out of the EU satisfy the rigorous requirements of GDPR? 

Key Considerations: 
  • What are your options?  Two of the more popular options available to organizations are the European Commission’s Standard Contractual Clauses, which can be appended to any contract and govern the handling of any personal data, and the EU-US Privacy Shield Framework, a self-certifying data protection framework managed by the US Department of Commerce.  Other options, such as binding corporate rules, typically are only appropriate in a much smaller number of circumstances because they present significant practical burdens.
  • Does European data need to leave Europe?  One option is to simply leave the data in Europe.  Data that is not transferred outside of the European Economic Area (EEA), even if it is transferred between different European countries, does not need the additional protection of either Privacy Shield or the Model Clauses.  And EU-based customers may prefer that their data stay in the EU.  As such, companies should evaluate their options for—and weigh the risks and benefits of—keeping the data in the EU.
  • What is the scope of your cross-border data transfers?  If your company has a limited number of customers transferring data from the EU to your US servers, and you do not envision significant EU expansion, signing Model Clauses with the relevant customers may be easier to manage than undertaking the Privacy Shield self-certification process.  In contrast, organizations with significant cross-border traffic may find that the one-time effort of Privacy Shield certification is a more efficient way to achieve compliance than managing numerous contracts and ensuring that Model Clauses are appended to all of those contracts as appropriate.
  • Where are you transferring data to?  The Privacy Shield program is limited in scope to cross-border data transfers between the EU and the United States, but Model Clauses can be used for data transfers out of the EU to any country that does not already have an independent adequacy finding.  If the bulk of your cross-border data traffic is between the EU and the US, Privacy Shield may still be an appropriate solution.  However, if a significant percentage of your traffic flows involve transfers to countries other than the US, you may need Model Clauses anyway.
  • Understand the details.  While Privacy Shield and the Model Clauses generally are designed to accomplish the same thing—protecting the rights of EU data subjects when their data is transferred out of the EU—the details of each approach may differ.  For example, both the Model Clauses and Privacy Shield give individuals who feel their personal data has been mishandled an opportunity to seek redress.  Under the Model Clauses, such complaints may be referred to a mediator, or may be brought in the courts of the European Member State in which the data exporter is established, but under Privacy Shield disputes are typically settled via arbitration, often in the United States.  Likewise, Privacy Shield and the Model Clauses both anticipate onward transfer of the data to additional parties, but the Privacy Shield requirements are clearer and more concise about how to accomplish that.