Categories
Careers Featured

Privacy work demo : how to take decisions on international data transfers

Let’s learn an awesome skill which will give you a flavour of privacy work at its best – international data transfers. 

Privacy professionals working in Big Four, MNCs, and international startups that are expanding internationally have to do this work all the time. 

How can you take a decision on international data transfer to and from the US, UK, Canada, EU, Singapore, Japan or other countries?

It is often necessary to transfer data across borders, and sometimes to 3rd party service providers, for business purposes. 

For example, when you register for this bootcamp on LawSikho/Skill Arbitrage website, we share this data with Zoom so you can receive an invite from Zoom to login and reminders as well. 

Now, this data is not being stored in India necessarily by Zoom. 

It could be stored on servers, say, in Vietnam or Indonesia. 

If India had a strict data protection law, we would have to think this through. 

Under India’s Digital Personal Data Protection Act which is yet to be formally notified even though it is enacted, cross-border transfers are fully allowed as long as the organisation imposes appropriate technical and organisational safeguards. 

This only requires some contractual safeguards and processes to be imposed by the organisation to protect such data.

Specific countries and organisations can be blacklisted as per the rules issued by the Central Government. 

That is all under Indian law. 

Foreign law principles for cross-border data transfers are different. 

Let’s say that we were operating from the EU. 

We would have to make sure that this arrangement with Zoom is not violating GDPR.

We may need to take advice from a data privacy expert before doing this. 

That could be you. 

What are the provisions under GDPR? 

Let’s say you have such a European client. 

A European startup wants you to advise if they can use Zoom, which gives the option to process data either in the US, Singapore or China. What would the startup do? 

Can they use Zoom at all or do you have to look for a software which will process data within the EU?

How would you answer this question? 

We need to see the law of the HOST country whose residents’ data is being collected. 

That law determines which transfers are permitted. 

This startup, let’s assume, is collecting data of Europeans. 

In general, the principle is this: the country where the data is transferred and the organisation which processes it must offer “adequate” protection for that data, similar to the home jurisdiction (Europe).

Data transfers from Europe to other countries

For this purpose, in the EU, there is a concept of “adequacy decision” which is issued by the European Commission based on review of the foreign laws. 

Transfers to these jurisdictions are most easily permissible. 

The following jurisdictions are recognised by EU as “adequate” so far:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection, UK and South Korea (see here) and US. 

Please note that this adequacy decision can also be revoked in future, if, say, there is a new development in the law or enforcement practices change. 

Data can be transferred to service providers in countries which are recognised as adequate.

However, organisations must still take appropriate user consent + have clauses with service providers to ensure similar protection as the home jurisdiction. 

Here is an example of a sample clause: 

The parties agree and acknowledge that <name of processor> which shall accord all protections to data that is being transferred under the contract that are provided under the EU-GDPR.  

What if the data is being transferred to a country which is not recognised as adequate? 

For example, China is not recognised under adequate decision, in that case the transfer to such countries will require additional steps. Now we will learn about these additional steps. 

Earlier US was also not recognised under adequacy decision and was considered as high risk country, however, after the “Trans-Atlantic Data Privacy Framework” that came into force on July 10, 2023 (here), and EU – US Privacy Framework has been recognised under adequacy decision from EU Commission (here). 

Under the new Trans-Atlantic Data Privacy Framework, US companies join the Trans Data Privacy Framework by complying with a detailed set of privacy obligations. 

For instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. 

A privacy professional will need to assist US companies to comply with this – compliances are sector-wise. 

If the organisation to which your company is transferring data is under the framework, then it will be very easy to transfer the data. 

What if there is no adequacy decision?

If the organisation is not within this framework, then the process considers the transfer to a high-risk jurisdiction (it’s not prohibited), the data transfer can be stopped by EU authorities. 

How can data be transferred to such countries? 

In that case, organisations need to follow certain rules: 

  1. Contractual mechanisms for 3rd party transfers: Organisations can include certain clauses in contracts, called Standard Contractual Clauses, when they are transferring data to a third party – these are “pre-approved” by the European Commission. 

The SCCs previously in use were drafted in 2010. The EU has come up with new SCCs that have replaced the old ones since 27th Dec, 2022, available here and here

  1. Internal policies within corporate groups: BCRs are internal rules that help in defining the international policies of  multinational groups of companies. 

These rules must include the principles with regard to the general data protection and enforceable rights, and must be enforced by the member companies. 

BCRs need to be specifically approved for each company by the national data protection authority under GDPR Article 63. 

This is a more elaborate process. Less than 100 companies have gone through the procedure of adoption of the BCRs. Some of them are Ebay, Hewlett Packard,  Philips, Intel.

Let us try some practice questions to see if you understood this:

Q. If data of Canadians is being transferred from Canada to Europe, which jurisdiction’s data protection requirements will be applicable?

  1. Canada
  2. Europe
  3. Neither
  4. Both

Ans: A  

Q. Can the EU revoke the adequacy decision awarded in favour of a nation?

  1. Yes
  2. No
  3. Maybe
  4. GDPR is silent on this.

Answer A, based on periodic reviews about that country

Q. If there is no adequacy decision with respect to a country, can data be transferred to a service provider in that country?

  1. No
  2. Yes, subject to Binding Corporate Rules
  3. Yes, subject to Standard Contractual Clauses
  4. Both b and c

Answer: D, Yes but subject to SCCs and BCRs

Q. Volkswagen Europe sends targeted emails to generate leads for Lamborghini cars and uses Google Analytics and Google Ads (US servers) to send ads to people who search for “best luxury car” in Europe. How can it do this legally:

  1. Volkswagen cannot do it at all
  2. Volkswagen needs consent
  3. Volkswagen needs to execute SCCs with Google Analytics and Google Ads for transfer of data
  4. Volkswagen can transfer as US is recognised as adequate 

Answer C

Q. Tata Group wants to frequently send its data from Tata Consultancy Services (TCS) Europe to TCS India and vice versa, which mechanism should they use

  1. Apply for adequacy decision 
  2. SCCs
  3. BCRs
  4. They do not require any of the above and can directly transfer. 

Answer C

Leave a Reply

Your email address will not be published. Required fields are marked *