Huge amounts of personal data are circulating daily around the world. The European data protection rules provide specific requirements for the transfer of personal data outside of the EU and notably to the U.S. Therefore, U.S. companies importing personal data from Europe need to identify and carefully analyze the personal data flows involved and, where necessary, put in place the safeguards or obtain the authorizations allowing them to transfer personal data out of Europe in compliance.
I. WHAT ARE THE CATEGORIES OF DATA COVERED?
Under the Data Protection Directive 95/46/EC (DPD), personal data is a broad concept. It includes not only sensitive data (data revealing, among other things, ethnic origin, philosophical beliefs, health status or sexual orientation) but also any information relating to an identified or identifiable natural person. This may include email addresses, Social Security numbers, bank account details, professional assessments, fingerprints, etc.
II. WHAT IS AN INTERNATIONAL TRANSFER?
International transfers of personal data involve the physical transfer of data abroad, including any situations where personal data is made available in a country other than the country where the personal data was originally collected. This is the case, for example, when a multinational company allows remote access to its central database from its worldwide subsidiaries, when cloud computing services involve a user in the EU and data storage in the U.S., and when data from an EU subsidiary is transferred to its U.S. parent company (HR management, e-discovery procedure, etc.).
III. WHAT ARE THE AVAILABLE OPTIONS?
International transfer is one form of processing that follows other forms of processing such as collection, recording and storage. Therefore, the data processing in the country of origin, prior to the transfer, must already comply with the national data protection rules applicable to the data controller (the person who, alone or jointly with others, determines the purposes and means of the data processing).
An EU entity that intends to transfer personal data abroad needs to follow a step-by-step analysis in order to know whether it has to comply with specific obligations with respect to the transfer and, if so, what the requirements are.
Situation 1 — The personal data is transferred within the European Economic Area
If the data is to be transferred to an entity located in the EEA (the 27 EU member states plus Norway, Iceland and Liechtenstein), the level of personal data protection is presumed to be equivalent in all EEA countries. Therefore, personal data may circulate freely within the EEA and no specific additional rules need to be complied with regarding the transfer.
By contrast, when personal data is to be transferred to a non-EEA country, there is a concern that the personal data might not benefit from the same protection as it does in the EEA. The DPD rules ensure that personal data remains subject to sufficient safeguards when transferred to non-EEA countries.
Situation 2 — The personal data is transferred to a non-EEA country
2.1. Transfer to an adequate country or entity
If the country of destination of the personal data is recognized as a so-called adequate country by the EU Commission as far as personal data protection is concerned, there is no restriction on the transfer.
Only a few countries fulfill the adequacy requirement, among them Argentina, Canada and Switzerland. The U.S. is not considered “adequate” because of the lack of comprehensive data protection legislation at the federal level. For EU-U.S. data transfers, adequacy may instead be provided by the company that imports the data (the data importer) through its adherence to the so-called Safe Harbor framework. The Safe Harbor framework is a self-certification mechanism by which U.S. companies publicly declare that they conform to the main principles of the DPD and can therefore be deemed “safe harbors” for the receipt of personal data from any EEA entity. The Safe Harbor framework includes enforcement mechanisms, notably by the U.S. Federal Trade Commission. It is not available to all commercial sectors.
2.2. Transfer with sufficient safeguards
For a company that intends to outsource its accounting management to an Indian contractor or for data transfers between European companies and their U.S. parent companies that are not Safe Harbor-certified, there is no external adequacy finding to rely on. In such cases, the parties involved (the data exporter in the EEA and the data importer in the non-EEA country) need to provide for sufficient safeguards of the personal data once it is transferred outside of the EEA.
They may incorporate Standard Contractual Clauses (SCCs) approved by the EU Commission into their contracts. Various sets of clauses are available, depending notably on the role of the data importer. The SCCs contain the main principles of the DPD (legitimate purpose, proportionality, transparency, etc.) that the parties must abide by, and they provide for remedies in favor of the data subjects even though the data subjects are not parties to the SCCs.
Multinational companies can use Binding Corporate Rules (BCRs) for their intra-group transfers. BCRs are a code of conduct that must incorporate the DPD principles, be legally enforceable and provide for remedies in favor of the data subjects. BCRs must be carefully drafted and approved beforehand at the EEA level.
If SCCs or BCRs are in place, personal data may circulate freely between the entities involved even if they are located in “non-adequate” countries.
2.3. Other situations
As a matter of principle, it is not permitted to transfer personal data to an entity located in a country that is not recognized as adequate or, for the U.S., to an entity that is not Safe Harbor-certified, unless SCCs or BCRs are put in place to cover such transfers.
However, the DPD provides for a few exceptional circumstances in which international transfers are nevertheless authorized. These exceptions (which include, among other things, the unambiguous consent of the data subject) are interpreted strictly and are not considered appropriate for repeated, mass or structural data transfers. The national data protection authority of the EEA member state of the data exporter may also grant individual transfer authorizations in specific cases.