The topic of cross-border data transfer: What's what in international data protection?
The topic of data protection is as complex as it is topical. Particularly when it comes to data transfer beyond the borders of Germany, it is difficult for companies/laypersons to find their way through the jungle of European data protection laws, agreements and regulations.
In our blog post, we want to shed some light on this and provide a brief overview of the most important terms and options for handling personal data in an international environment.
Data protection regulations in Germany and the EU
In Germany, the Basic Law guarantees every citizen the right to determine how their data is used and disclosed. The Federal Data Protection Act helps to implement this basic right to informational self-determination. The Act complies with the European Data Protection Directive 95/46/EC of October 24, 1995, which is intended to ensure a uniform level of data protection throughout the European Economic Area. As of May 2017, the aforementioned directive will be replaced by the General Data Protection Regulation, which also pursues the goal of uniform data protection standards throughout the EU.
Since the same data protection principles therefore apply within Europe, the same requirements apply to data transfers from Germany to countries within the EU as to transfers within Germany.
Data transfer to third countries outside the EU
However, in many cases, personal data is also transferred to third countries that are not bound by the data protection regulations that apply in the EU. This poses a particular challenge for data protection, especially if the level of data protection in these third countries falls below that of the regulations applicable in the EU. In order to nevertheless comply with the high EU security requirements, there are several options available to companies transferring personal data from an EU country to a so-called "insecure third country," which are briefly presented below:
1. EU Standard Contractual Clauses/Model Clauses.
The EU Commission's standard contractual clauses (also known as model clauses or standard contractual clauses) serve as the contractual legal basis for the transfer of personal data from an EU country and to a third country outside the European Economic Area. They regulate the rights and obligations of the signing parties in the handling of personal data in accordance with the European Data Protection Directive (95/49/EC) and thus ensure an appropriate level of data protection. The model clauses differ depending on whether commissioned data processing or transfer of functions is involved. The model clauses must be signed by the contracting parties and may not be supplemented or otherwise modified.
2 Binding Corporate Rules (BCRs).
Binding Corporate Rules are binding corporate guidelines in which rules on the handling of personal data within a multinational group of companies are laid down in a legally binding manner. Binding Corporate Rules can thus be used to ensure a uniform level of data protection. The requirements that such individual corporate rules must meet in order to ensure European data protection are set out in Article 47 of the EU General Data Protection Regulation. In addition, the Binding Corporate Rules of a group of companies must be recognized by the competent European data protection authority so that the BCRs can be used effectively.
3 Data Processing Agreements
Data Processing Agreements (DPAs) are contracts for commissioned data processing between data exporter and data processor. These must contain certain minimum requirements or regulations regarding audit rights, handling of data protection breaches, etc. and must be approved by the data protection authority of the country from which the data is transferred to a third country.
4 Individual consent of the data subjects
Theoretically, it is also possible for the data subjects whose data is at issue to individually consent to a transfer of their data to a third country with lower than European data protection standards. However, such consent without one of the contractual bases mentioned above is often not feasible in practice, as it must be given individually for each processing case and can be revoked at any time.
Excursus USA: Privacy Shield instead of Safe Harbor
Since July 2000, the European Commission's Safe Harbor decision has served as the legal basis for the transfer of personal data from the European Union to the USA. However, this was overturned by the ECJ in October 2015 in the so-called Schrems ruling. As a successor regulation, the EU-US Privacy Shield came into force in 2016, which has since been intended to ensure compliance with European security standards in data traffic between the EU and the USA. With this intention, the EU-US Privacy Shield can be used to transfer personal data to US companies that have previously registered and certified with the Department of Commerce.
Hardly any company can avoid the topic of data protection nowadays. If customer data such as contact information, purchase history and the like have to be transferred to countries outside the EU, e.g. for commissioned data processing, suitable measures must be taken to comply with European data protection standards even when transferring data to "unsafe third countries".
Binding Corporate Rules, Data Processing Agreements or Model Clauses or Standard Contractual Clauses describe various ways in which companies can regulate compliance with data protection. Which of the solutions is suitable for the respective companies and their processes must be decided on a case-by-case basis. As an agency for digital commerce, we point out how important appropriate data protection measures are in order to protect the personal rights of customers and employees and to avoid sanctions (e.g., warnings of a considerable amount). However, since we cannot and may not provide legal advice, we recommend that you seek advice from a specialist lawyer on the subject of data protection.