How do I safely transfer personal data abroad

It’s no secret there’s a lot to consider when processing and transferring personal data. Since the implementation of the General Data Protection Regulation (GDPR) in 2018, many companies experienced first-hand it takes many efforts to comply with the law. For example, they must conclude processing agreements with third parties, draw up and update processing registers, and complete a data breach register when an incident occurs. All this is part of the aim to achieve an equal level of protection of personal data withing the European Economic Area (EEA).

What about transferring outside of the EEA?

In certain cases, an organization may need to share personal data with parties located outside of the EEA. Think about, for example, data that is stored in a non-European cloud environment. The rule here is that the controller or data exporter is only allowed to transfer personal data to parties that can guarantee an equal level of protection as known inside of the EEA.

To make things easier, the European Commission has issued a so-called adequacy certificate to 14 countries with an equal level. For those countries, including the United Kingdom, Switzerland, and Japan, it suffices to comply with the general provisions of the GDPR.

Of course, it is possible you must transfer data to a country without an adequacy certificate. In that case, we need to rely on contractual agreements and appropriate additional measures.

A first means are the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Unfortunately, the agreements are made between the controller and the processor, which means the local authorities of the destination country do not automatically agree they will also comply with those agreements. It’s perfectly possible for a local authority of a certain country to gain access to your personal data, legal or not. This restriction formed the basis of the Schrems II arrest, in which the Court of Justice of the EU deemed the EU-US Privacy Shield not valid and the current SCCs not sufficient for transferring data outside of the EEA.

In other words, additional obligations apply in the form of appropriate additional measures. To check whether those measures are ‘appropriate’, a Data Transfer Impact Assessment (DTIA) needs to be executed for every form of transfer of personal data outside of the EEA.

Why perform a DTIA?

A DTIA assesses the likelihood of not being able to comply with the contractual agreements made, for example because local legislations prevent this, or a local authority gains undesired access to the personal data. After the execution of a DTIA, it is possible to determine which extra measures need to be in place to transfer the data, or one could choose to not proceed with the transfer at all.

The different steps of a DTIA

For the contents of a DTIA we rely on the recommendations published by the European Data Protection Board (EDPB).

In the first instance, it must be clear which data is subject of the transfer, who is involved, and how the transfer will take place.

Next, it must be determined on which basis the transfer takes place. This may refer to the SCCs or BCRs. They then assess the likelihood of not being able to comply with the contractual agreements, for whatever reason.

Based on the results, it is determined which additional measures an organization needs to take before a transfer can proceed. A few examples of those measures are end-to-end encryption, anonymizing personal data, and limitation to the bare minimum of data.

Finally, it is assessed whether the transfer is permitted or not. If they cannot guarantee an equal level of protection as in the EEA, it is not allowed for the transfer to take place. One must look for alternatives.

In addition, it is also required to periodically repeat this exercise to check whether things have changed in the meantime, such as, for example, local legislation.

A DTIA anno 2022

Some attempts have been made to create a template to execute a DTIA, but so far those are not conclusive. The best known – the ‘Rosenthal Risk Based Approach’ – is currently on the penalty bench, because the Swiss, French, and Austrian privacy regulators have reservations about a system that works with estimated percentages.

The last has clearly not been said about this matter. However, there is unanimous agreement about the necessity of a thorough analysis preceding transfers of personal data outside of the EEA.