What You Need to Know About Transferring Personal Data Out of the EU

by Jennifer L. Legal writer.
What You Need to Know About Transferring Personal Data Out of the EU

If you plan on transferring EU personal data outside the EU, then you can only transfer it to countries with robust data protection regulations. In some cases, this isn't a problem because there are many countries with appropriate data protection laws in place. But sometimes things can be a bit tricky.

EU personal data must receive the same standard of care and security abroad as it receives in its home territory. As such, it's crucial that anyone storing or moving EU data outside the territory knows how to do so legally.

What does the EU hope to achieve by restricting data transfer this way? It's simple. The EU data transfer restrictions ensure that:

  • EU citizens and residents control how their data is used, stored, and processed
  • Companies can't take advantage of weak data protection laws in other economic territories

Essentially, EU residents and citizens have a right to know where their personal information is, and what safeguards are in place to protect it from exploitation. For example, a business can't store EU personal data data in a country where this data is freely shared with unsolicited companies without the data owner's consent.

The bottom line is that you can't know for sure which countries protect personal data to the standards required by the relevant EU laws. Transferring EU personal data outside the EU area, then, always carries a risk that the data won't be adequately protected. Before moving data from the EU, you must carefully consider:

  • The nature of the information you plan on transferring
  • How you're going to protect it once it's moved and stored elsewhere
  • Whether it's necessary to move the data at all

Although it's incorrect to say that you can't move EU data outside the EU, it's not an easy task. The good news is that it's perfectly possible to transfer EU personal data outside the EU territory while still remaining legally compliant, as we'll demonstrate.

Who the GDPR Applies to

Who the GDPR Applies to

Most businesses are affected by the GDPR, wherever they're located. If you have customers or a user base from the EU and you collect any of their personal information - even just an email address or cookies analytics data - you'll fall under the scope of the GDPR.

Chances are, the GDPR applies to the data you're collecting. But what counts as a 'data transfer'? Let's consider this.

The EU's General Data Protection Regulation (GDPR) is the single most robust privacy policy in the world, and it gives EU citizens more control over their personal data than ever before.

Basically, the GDPR allows EU citizens to limit what personal information companies collect about them, and to control who the information is shared with. It's a very important legal framework because it harmonizes, or unifies, data protection law across the EU.

The GDPR protects EU citizens and those living in the European Economic Area (EEA). The EEA sets up a single market, or a free trade zone, between all EU Member States. Iceland, Norway, Switzerland, and Liechtenstein are also part of the EEA, although they're not Member States.

Personal Data

The GDPR is primarily concerned with personal data, or personally identifiable information (PII). It's vital to know what we mean by personal information before deciding what standards of care apply to its transfer.

The GDPR defines personal data in Article 4 as:

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

As we can see, this is a broad definition. Personal data is any information which can be used to identify someone. This can be as simple as their name or address, or something confidential, such as their Social Security Number, or blood type.

Other examples include:

  • Email address
  • IP address
  • Date of birth
  • Medical records
  • Dental records

Some categories are exempt from data protection rules for legal reasons, such as the criminal justice system.

Data Transfers

The GDPR applies to both data processors and data controllers. It's important to understand this distinction, because the data transfer process triggers the rules and safeguards applying to EU personal data transfer.

Controllers set out what personal information they need and why they need it. For example, a fashion retailer collects names and delivery addresses to supply a consumer with their order.

Processors take the information collected by the controllers and handle it according to the appropriate data protection guidelines.

Why is this distinction important?

Consider, for example, a UK-based retailer who uses overseas servers to host and store its information. They may also use processors, such as IT firms and managed service providers, who are based outside the EU. The moment the personal data is processed for leaving the EU territory, it's vulnerable and must be protected by GDPR-compliant safeguards.

Take Women's Best, for example. This retailer is based in the EU. It uses an external company to transmit its newsletter to subscribers. The retailer put a data processing agreement in place with the newsletter processing company to ensure personal data is handled properly, from the moment that users provide their personal information to the retailer:

Women's Best Privacy Policy: External service provider email newsletter clause

The retailer, or the controller, must use a processor based in a country with strong data protection laws. Why? Because, if you plan on transferring their personal data to a country outside of the EEA, it's your responsibility to ensure that it is safe and legal to do so.

Which countries can you transfer personal data to, then, if you must comply with the GDPR?

Third Countries

Countries outside the EU and its single market territory are known as third countries. These third countries must meet stringent data protection standards if they want to store, use, or process EU personal data transferred from within the EEA.

How does the EU decide which countries have sufficient data protection policies in place? It all comes down to the EU Commission.

The EU Commission has agreed that some countries have strong data protection laws in place. The list of approved countries is updated regularly, and you can find it here. What's important for us is that businesses can transfer EU personal data to these territories without seeking approval from data protection regulatory bodies.

Twitter attracts users from all over the globe. Its Privacy Policy includes a clause outlining how it protects EU personal data that it transfers out of the EEA:

Twitter Privacy Policy: Transfer personal data outside the EU clause

The platform has an entire page dedicated to its global data transfer policies:

Twitter: Global operations and data transfer page

Twitter explains that data protection regulations do vary between countries and, consequently, like-for-like data protection safeguards can't be guaranteed. However, at the same time, Twitter accepts that it's responsible for properly safeguarding any data that it transfers or stores outside of the EU.

So, what guidelines set these countries apart from other countries which aren't approved by the EU Commission?

GDPR Principles

Countries to which you can transfer EU personal data uphold the GDPR values in their own data laws. The GDPR Principles center around transparency and control.

The principles are:

  1. Lawfulness, Fairness, and Transparency
  2. Limitations on Purposes of Collection, Processing, and Storage
  3. Data Minimization
  4. Accuracy of Data
  5. Data Storage Limits
  6. Integrity and Confidentiality

Approved countries, then, must demonstrate that their own data laws demand this same standard of care. This way, EEA citizens and residents know they have equivalent rights in the country hosting or storing their personal data as they do back home.

Let's take an approved country as an example, to see how its privacy laws comply with GDPR Principles.

The USA and the GDPR

The USA and the GDPR

U.S. law is extremely complex because every state has a say in its own local data protection laws. This means that the EU can't guarantee that EU personal data headed for the US is lawfully protected. The EU found a way around this by drafting an agreement with the US government to promote cross-continent commerce, known as the US/EU Privacy Shield.

Thanks to this policy, companies can self-certify their willingness to comply with the GDPR and adequately protect data transferred to its territory. It should be noted that these companies must all have a Cookies Policy, and a Privacy Policy, as per the GDPR guidelines.

Guiding Principles

In total, there are 23 Privacy Shield Principles that regulate how US businesses undertake commerce within the EEA. You will see that these Principles place obligations on US companies that are very similar to the GDPR obligations.

Before an organization can gather or receive EU-based personal data, it must commit to the Privacy Shield Principles. If the company fails to honor the Principles, the aggrieved party can take legal action against them.

The first seven Principles are the most important. Let's take a look at what they require.

Notice

The business must tell users that it participates in Privacy Shield and adheres to the Principles. It must also tell users why it's collecting their information, how users can revoke their consent to data collection, storage, or transfer, and who users can contact with complaints and queries.

This is all accomplished in a Privacy Policy.

This Principle is equivalent to the GDPR Principles of lawfulness, fairness, and transparency.

Choice

Simply put, the U.S. company must give users the freedom to opt out of the company transferring their data to other third parties. If the company plans on using the personal data for new, previously undisclosed purposes, then users must consent to this.

Here's how 23andMe explains who they share data with and what controls the user has:

23andMe Privacy Policy: Control: Your Choices clause

Consent is at the heart of the GDPR, and the Privacy Shield also prioritizes consent.

Accountability for Onward Transfer

If data will be transferred to a third party controller or agent, then the company must specify this, explain why it's necessary and explain what purpose the transfer serves.

Here's an example from 6sense. It specifies that, for example, if it merges with another company, this new company will have access to shared data:

6sense Privacy Policy: Merger Sale or Other Asset Transfer clause

This aligns with the importance that the GDPR places upon accuracy and purpose limitation.

Security

The company must take reasonable steps to keep data safe from cyber attacks, leaks, and damage.

CoCalc has a great clause for this. The company doesn't warrant that information is 100% safe, because this is an impossible guarantee to give. However, the company intends to honor its legal obligations as far as reasonably practicable:

CoCalc Privacy Policy: Security of Your Information clause excerpt

Data Integrity and Purpose Limitation

You should only hold data for a reasonable length of time and for a specific purpose. Sometimes, however, there are exceptions to this. For example, you might need to anonymize data for statistical research, or retain some information after a dissatisfied customer deletes their account so you can process their complaint or query.

Adobe makes it clear that in very specific circumstances it holds data for longer than customers might expect. It explains exactly why it holds this data. For example, if a customer opts out of marketing, Adobe holds this information to respect and adhere to the request:

Adobe Privacy Policy: Data retention clause

Access

Your users must be able to access the information held about them and modify it when appropriate. They also must be informed of this right.

Here's an example of a clause from Atlantic Media that explains this right and how users can exercise it:

Atlantic Media Privacy Shield Policy: Access and Correction clause

Recourse, Enforcement and Liability

U.S. Privacy Shield businesses must provide EU customers with a free dispute resolution process for handling privacy complaints. Here's how CafePress addresses this by providing the relevant information for users:

CafePress Terms and Conditions: Arbitration clause excerpt

Conclusion

In summary, we can say that it is possible to transfer personal EU data to third countries, so long as these countries have appropriately solid data laws in place.

Even if you are the controller, for example the retailer, you are still responsible for the processor you work with. It is on you to ensure this controller complies with relevant GDPR provisions.

The GDPR gives EU citizens and residents two primary rights: firstly, the right to control and limit the personal data they share, and secondly, the right to remove or amend this information.

The underlying principle is transparency, and it's no longer possible to share EU personal data indiscriminately for marketing and commercial purposes, or to store the data in a vulnerable, unsafe server.

If you must host EU personal data outside the EEA, then it's your responsibility to uphold these legal safeguards.

Last updated on 01 May 2020

Article categories

Jennifer L.

Legal writer.