What You Need to Know About Transferring Personal Data Out of the EU
If you plan on transferring EU personal data outside the EU, then you can only transfer it to countries with robust data protection regulations. In some cases, this isn't a problem because there are many countries with appropriate data protection laws in place. But sometimes things can be a bit tricky.
EU personal data must receive the same standard of care and security abroad as it receives in its home territory. As such, it's crucial that anyone storing or moving EU data outside the territory knows how to do so legally.
What does the EU hope to achieve by restricting data transfer this way? It's simple. The EU data transfer restrictions ensure that:
- EU citizens and residents control how their data is used, stored, and processed
- Companies can't take advantage of weak data protection laws in other economic territories
Essentially, EU residents and citizens have a right to know where their personal information is, and what safeguards are in place to protect it from exploitation. For example, a business can't store EU personal data in a country where this data is freely shared with other companies without the data owner's consent.
The bottom line is that you can't know for sure which countries protect personal data to the standards required by the relevant EU laws. Transferring EU personal data outside the EU area, then, always carries a risk that the data won't be adequately protected. Before moving data from the EU, you must carefully consider:
- The nature of the information you plan on transferring
- How you're going to protect it once it's moved and stored elsewhere
- Whether it's necessary to move the data at all
Although it's incorrect to say that you can't move EU data outside the EU, it's not an easy task. The good news is that it's perfectly possible to transfer EU personal data outside the EU territory while still remaining legally compliant, as we'll demonstrate.
Who the GDPR Applies to
Most businesses are affected by the GDPR, wherever they're located. If you have customers or a user base from the EU and you collect any of their personal information - even just an email address or cookie analytics data - you'll fall under the scope of the GDPR.
Chances are, the GDPR applies to the data you're collecting. But what counts as a 'data transfer'? Let's consider this.
Basically, the GDPR allows EU citizens to limit what personal information companies collect about them, and to control who the information is shared with. It's a very important legal framework because it harmonizes, or unifies, data protection law across the EU.
The GDPR protects EU citizens and those living in the European Economic Area (EEA). The EEA sets up a single market, or a free trade zone, between all EU Member States. Iceland, Norway, Switzerland, and Liechtenstein are also part of the EEA, although they're not Member States.
The GDPR is primarily concerned with personal data, or personally identifiable information (PII). It's vital to know what we mean by personal information before deciding what standards of care apply to its transfer.
The GDPR defines personal data in Article 4 as:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
As we can see, this is a broad definition. Personal data is any information which can be used to identify someone. This can be as simple as their name or address, or something confidential, such as their Social Security Number or blood type.
Other examples include:
- Email address
- IP address
- Date of birth
- Medical records
- Dental records
Some categories of processing, such as processing within the criminal justice system, are exempt from these data protection rules for legal reasons.
The GDPR applies to both data processors and data controllers. It's important to understand this distinction, because both roles are bound by the rules and safeguards that apply when EU personal data is transferred.
Controllers set out what personal information they need and why they need it. For example, a fashion retailer collects names and delivery addresses to supply a consumer with their order.
Processors take the information collected by the controllers and handle it according to the appropriate data protection guidelines.
Why is this distinction important?
Consider, for example, a UK-based retailer who uses overseas servers to host and store its information. They may also use processors, such as IT firms and managed service providers, who are based outside the EU. The moment the personal data leaves the EU territory for processing, it's vulnerable and must be protected by GDPR-compliant safeguards.
Take Women's Best, for example. This retailer is based in the EU. It uses an external company to transmit its newsletter to subscribers. The retailer put a data processing agreement in place with the newsletter processing company to ensure personal data is handled properly, from the moment that users provide their personal information to the retailer.
The retailer, or the controller, must use a processor based in a country with strong data protection laws. Why? Because, if you plan on transferring users' personal data to a country outside of the EEA, it's your responsibility to ensure that it is safe and legal to do so.
Which countries can you transfer personal data to, then, if you must comply with the GDPR?
Countries outside the EU and its single market territory are known as third countries. These third countries must meet stringent data protection standards if they want to store, use, or process EU personal data transferred from within the EEA.
How does the EU decide which countries have sufficient data protection policies in place? It all comes down to the EU Commission.
The EU Commission has agreed that some countries have strong data protection laws in place. The list of approved countries is published by the Commission and updated regularly. What's important for us is that businesses can transfer EU personal data to these territories without seeking approval from data protection regulatory bodies.
Twitter, for example, has an entire page dedicated to its global data transfer policies.
Twitter explains that data protection regulations do vary between countries and, consequently, like-for-like data protection safeguards can't be guaranteed. However, at the same time, Twitter accepts that it's responsible for properly safeguarding any data that it transfers or stores outside of the EU.
So, what guidelines set these countries apart from other countries which aren't approved by the EU Commission?
Countries to which you can transfer EU personal data uphold the GDPR values in their own data laws. The GDPR Principles center around transparency and control.
The principles are:
- Lawfulness, Fairness, and Transparency
- Limitations on Purposes of Collection, Processing, and Storage
- Data Minimization
- Accuracy of Data
- Data Storage Limits
- Integrity and Confidentiality
Approved countries, then, must demonstrate that their own data laws demand this same standard of care. This way, EEA citizens and residents know they have equivalent rights in the country hosting or storing their personal data as they do back home.
Let's take an approved country as an example, to see how its privacy laws comply with GDPR Principles.
The USA and the GDPR
U.S. law is extremely complex because every state has a say in its own local data protection laws. This means that the EU can't guarantee that EU personal data headed for the U.S. is lawfully protected. The EU found a way around this by drafting an agreement with the U.S. government to promote cross-continent commerce, known as the U.S./EU Privacy Shield. This has been invalidated and is no longer the standard.
Currently, an EU-U.S. Data Privacy Framework has been adopted, but with ongoing negotiations and fine-tuning. Check the current status of this new framework to ensure adequate compliance with its standards and requirements at the time.
In summary, we can say that it is possible to transfer personal EU data to third countries, so long as these countries have appropriately solid data laws in place.
Even if you are the controller (the retailer, in our example), you are still responsible for the processor you work with. It is on you to ensure this processor complies with the relevant GDPR provisions.
The GDPR gives EU citizens and residents two primary rights: firstly, the right to control and limit the personal data they share, and secondly, the right to remove or amend this information.
The underlying principle is transparency, and it's no longer possible to share EU personal data indiscriminately for marketing and commercial purposes, or to store the data in a vulnerable, unsafe server.
If you must host EU personal data outside the EEA, then it's your responsibility to uphold these legal safeguards.