A US company is conducting a global internal investigation. To carry it out, the company plans to transfer documents and emails held by its French subsidiary to the company’s US servers for review and analysis. Aware that Europe has stringent data privacy rules, the US in-house counsel is looking for specific guidance on whether the data transfers contemplated here are subject to those rules.
This scenario likely implicates the General Data Protection Regulation (the “GDPR”), which was implemented on May 25, 2018. In theory, one of the primary goals of the GDPR is to “preserv[e] the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.” In practice, the GDPR presents a significant compliance obstacle for companies moving data to jurisdictions outside the European Economic Area (the “EEA”), including to the United States.
At bottom, companies (data exporters) that transfer personal data from Europe to recipients (data importers) located outside of the EEA may do so under the GDPR only if (i) the recipient is located in a country that the European Commission has determined offers adequate data protection, (ii) appropriate safeguards are in place, or (iii) a derogation applies under the GDPR. In order to permit the flow of necessary information, data exporters developed transfer procedures designed to ensure compliance with the GDPR requirements.
There has been significant litigation recently concerning the impact of the GDPR on data transfers, culminating in a July 2020 decision by the Court of Justice of the European Union that invalidated one of the principal ways in which organizations in the EEA had been able to transfer data to the United States (the “EU-US Privacy Shield”).
Following that decision, in November 2020, the European Data Protection Board (the “EDPB”) published new recommendations on the measures to be taken to supplement the personal data transfer tools companies currently rely on to ensure compliance with the GDPR.
The recommendations are particularly relevant for businesses that rely on so-called “standard contractual clauses,” binding corporate rules or other “appropriate safeguards” in Article 46(2) of the GDPR to transfer personal data outside the EEA to locations (such as the United States) that the European Commission has determined do not offer adequate data protection.
The recommendations make it even harder for companies to transfer and process European personal data outside of Europe because of the requirement to conduct an assessment of the local law in the jurisdiction where the European personal data is transferred to and implement supplementary technical measures for such transfers. The recommendations may ultimately lead to companies having to locate more European personal data in Europe.
The recommendations became effective in November 2020, subject to a public consultation. They are applicable to the United Kingdom and may have to be considered for transfers of personal data from the EEA to the United Kingdom following the end of the Brexit transition period if the European Commission does not make an adequacy decision for the United Kingdom.
Organizations in the United States will need to evaluate whether the GDPR—and specifically the new recommendations—will impact their ability to lawfully transfer data out of Europe and onto their US servers. Companies previously might have relied on “standard contractual clauses” to ensure compliance with the GDPR for these kind of intra-group transfers. In the wake of the recommendations, however, a company’s standard contractual clauses might need to be updated, and, in any event, they might not be sufficient to allow the company to make the transfer, especially if the data will be unencrypted on the US servers.
For the US company mentioned above, one alternative to consider is to conduct a portion of the internal investigation on-site in France. Doing so may eliminate the need to transfer data outside the EEA, which could significantly reduce the GDPR compliance burden.
For more detail on these recent developments, please see the following articles prepared by our Mayer Brown colleagues:
- European Data Protection Board publishes recommendations on the supplementary measures to be taken for international personal data transfers from Europe
- New requirements for transferring personal data from Europe: a detailed analysis of the new draft Standard Contractual Clauses published by the European Commission