Navigating the European Issues
Multinational corporations increasingly have a need to share their data throughout their group. Often this will be necessary to service international clients or to coordinate marketing efforts. Sometimes international data sharing will be necessary simply to implement a cost-effective centralised IT function. However, to do so often results in the group having to navigate the data protection or privacy laws of those countries in which they operate. A prominent example of an issue that arises is the European data protection restriction on transferring protected “personal data” outside of Europe – the rules require that the data is “adequately” (in a very strict sense) protected.
With radical changes to the data protection landscape in the pipeline, in particular, the potential for European regulators to impose greater fines (current proposals will permit fines of up to 2% of an organisation’s annual global revenue), and a general awareness of the importance of good privacy practices, now is a vital time to ensure proper compliance.
We have produced a white paper in which we explore the key data protection issues that arise when European personal data is stored or otherwise processed outside of Europe, with a focus on sharing data within a group. In particular, we look at the various methods available to a European entity to satisfy the obligation to ensure that data is adequately protected:
- Certain countries are on a European-approved “safe list” (examples include Argentina, Canada, and Switzerland). If data is transferred only to companies within that list, then no further transfer issue arises.
- Transfers are automatically permitted to the US if the recipient has certified to the “Safe Harbor” scheme (negotiated between the EU and the US). However, the recipient would be at risk of US enforcement action for deceptive trade practices if it breaches the rules of that scheme. Safe Harbor is not available to financial service entities.
- The exporting European entity and the recipient foreign entity can put in place authorised contract terms known as “standard clauses”. These work well from the exporter’s point of view. However, the non-European recipient is at risk of accepting greater liability under the clauses than it may ordinarily wish.
- A UK entity could ‘self-assess’ the adequacy of protection. However, this method (approved by the UK regulator) is not available throughout most of the remainder of Europe.
- A group could put in place a set of “binding corporate rules”. These are an internal suite of documents setting out how the group intends to provide adequate safeguards to individuals whose personal data is being transferred to a third country. These must then be approved by the European regulators.
- Ad hoc transfers may be justified on the basis of “consent” of the individual or other limited grounds (such as the need to fulfil a contract or the need to establish, exercise or defend legal claims).
- Whatever solution is adopted, as transfers sometimes entail regulatory filings, a group might be open to some regulatory scrutiny. From the outset, there is often a need to undertake a basic housekeeping exercise of data protection compliance verification.
If you would like to know more please click here to access our white paper (PDF).