CHAPTER 6: TRANSFERS TO THIRD COUNTRIES

If personal data is transferred to countries outside the EEA (called third countries in the GDPR) or international organisations, the provisions of Chapter V of the GDPR come into play. Storing data on a Cloud provider’s system outside the EEA counts as such a transfer, even if the data is not intended to be used anywhere outside the EEA.

As discussed earlier, it is common for a Cloud application to be provided by a chain of subcontractors. It is the controller’s responsibility to examine the entire chain in order to assess whether Chapter V applies. This chapter aims to achieve an equivalent level of protection for data transferred abroad to that it would receive within the EEA.

This level of protection is automatically provided if the jurisdiction to which the data is transferred is within the EEA, which comprises the EU plus Iceland, Liechtenstein and Norway.

Beyond that, a slowly increasing number of territories have legislation that has been assessed by the EC as providing an acceptable level of protection – in other words, the Commission has made an ‘adequacy decision’ as per Article 45 [22]. As a special case, the US has negotiated the EU-US Privacy Shield (the successor to the Safe Harbor framework), as discussed in detail below.

This means that, at the time of writing, transfers to anywhere shown in Table 1 are treated no differently, from a data protection perspective, than a transfer within the EEA.

Table 1: Third countries to which data can be transferred under the GDPR

Approved by EC: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan [23], Jersey, New Zealand, Switzerland, Uruguay

Special case: US, but only where the Privacy Shield applies

Transfers to almost all of Europe are therefore automatically compliant with Chapter V, one way or another, but the same does not apply to many other countries. A few countries, including Australia, Hong Kong, Morocco, Singapore and South Korea, have their own data protection laws, but these have not yet been approved by the EC [24]. It is important to reiterate that, as data controller, you need to make sure that you are aware of all countries in which the Cloud service provider operates; there is a strong possibility that the data in the Cloud moves between different locations – and you are responsible for ensuring that all these transfers are GDPR compliant.

Transfers outside the locations in the table above are only permitted if they meet one of the exemptions set out in Chapter V of the Regulation. These include:

Having “appropriate safeguards” in place (Article 46), including binding corporate rules (Article 47) and standard contractual clauses;

Explicit consent of the data subject, or protecting the vital interests of the data subject if they are unable to give consent;

Necessity in connection with a contract (or prospective contract) between the data subject and the data controller, or a contract with another party at the request of the data subject;

Necessity for reasons of substantial public interest; and

Necessity for establishing, exercising or defending legal claims.

If you are relying on data subject consent, you must make your data subjects fully aware that you intend to transfer their data abroad, so that they can make their own decision on whether the risk is acceptable. In most Cloud computing situations, consent is unlikely to be a practicable option.

Necessity in relation to the performance of a contract is unlikely to be an acceptable claim in respect of Cloud computing, because it can always be argued that equivalent Cloud services could have been obtained from providers within the EEA.

Ensuring that “appropriate safeguards” are in place is likely to be your best option, and these should be secured from the Cloud provider through contractual arrangements approved by the EC or supervisory authority. However, as ever, the data controller remains responsible for demonstrating that appropriate steps have been taken and that the terms and conditions, which the Cloud service provider will more than likely supply, actually do provide adequate safeguards.

A note on Brexit

At the time of writing, the UK is still part of the EU, and data can therefore be freely transferred to and from the UK under the GDPR. However, after Brexit, the UK will become a third country – despite having enshrined the Regulation’s requirements in national law. That said, the latter may help it achieve an adequacy decision, or at least help ensure that organisations already have adequate safeguards in place.

EU-US Privacy Shield

Some commentators seriously questioned whether the Safe Harbor scheme in the US provided an adequate basis for data protection compliance when using Cloud services. Even though that scheme has since been thrown out and replaced with the EU-US Privacy Shield, the new scheme has also been challenged by, among others, the Article 29 Data Protection Working Party (WP29) [25].

Both schemes were designed to provide a basis for transferring data between the US and Europe that did not require the US government to put a data protection regime in place. However, despite the improvements, there are several drawbacks highlighted in the Privacy Shield’s first annual review [26], including:

It is largely self-assessed and lacks clear guidance;

The general lack of supervision; and

The different interpretations of ‘processing activities’ by US processors and EU controllers.

Despite this, the agreement is at the time of writing still accepted by the EU as providing an adequate level of protection. If a Cloud provider based in the US is signed up to the Privacy Shield, therefore, the risk of being found in breach of Article 32 appears to be very small.

Some government data, however, is required to be held within the EEA, or even within specific Member States. There are also some data controllers that prefer not to rely on the Privacy Shield scheme. In these cases, a Cloud service where the data is guaranteed to be held only within the EEA would be preferable.

Until recently, this was easier said than done. Many of the big providers either refused to say where their data was held (for ‘security’ reasons), or explicitly stated that it would be held in the US. Now, though, many have accepted that there is a commercial advantage in providing at least the option for data to be held only within the EEA, and it is rare to find a service that holds all its data in the US, come what may. This trend is likely only to grow with the additional NIS Directive requirements imposed on Cloud providers offering their service in the EU, which gives EU data controllers even more reason to look for local Cloud providers.

Data comes under the EU data protection regime as soon as it is held within Europe, even if it originates outside Europe, relates to data subjects outside Europe and is essentially only used outside Europe.

[22] See https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en for the most up-to-date information.

[23] The adoption procedure for Japan’s adequacy decision was launched on 5 September 2018. The EC will adopt the adequacy decision on Japan once this procedure has been completed. See https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

[24] For an updated overview of data protection laws around the world, see www.dlapiperdataprotection.com.

[25] Out-Law, “Data watchdogs threaten legal challenge to Privacy Shield unless oversight mechanisms are strengthened”, December 2017, www.outlaw.com/en/articles/2017/december/data-watchdogs-threaten-legal-challenge-to-privacy-shield-unless-oversight-mechanisms-are-strengthened/.

[26] WP29, “EU – U.S. Privacy Shield – First annual Joint Review”, November 2017, http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782.
