The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/ EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens. 

The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous.

The main challenge for corporations will be assessing their current information collection and storage systems against the new regulations and ensuring compliance before the deadline. Accountability is critical, and concepts such as pseudonymisation will become commonplace under the new regulations.

In addition, the cross-border transfer of EU residents’ data outside the region will be become much harder. The EU Commission will assess third countries’ level of protection by carrying out "adequacy" assessments binding to all member states. They will then carry out reviews every four years to ensure continued compliance.

Any businesses that collect sensitive personal information will need to carry out and regularly update gap analyses, data protection impact assessments, privacy audits and data breach roadmaps in order to stay on the right side of GDPR.

This series aims to highlight the profound level of impact this new GDPR legislation will have on organizations. Nine data protection experts from Germany, Belgium, The Netherlands, Italy, U.K., U.S., Luxembourg, Sweden, and France discuss how they are helping their clients reach GDPR compliance and emphasize some of the structures businesses should put in place to avoid a crippling fine.

How will GDPR affect the transfer of data outside the European Union in your opinion?

Germany — Kathrin Schürmann
From my point of view, there are not that many changes, but one big thing, of course, is the change of liability in the controller-processor relationship. The data processor is now more liable for the data transfer and processing. Most of everything else is still the same, since we still need the adequacy level for other countries among other things.

In Germany, there has always been a strict view on data transfers outside the EU and a lot of cases where the data protection authorities issued fines against controllers and against companies. For example, if they had a data processing agreement without a detailed description of the technical measures taken by the data controller.

The higher fines under GDPR will mean more effort to put proper contracts in place, and check security standards. It will be easier for companies that have some kind of certifications, like the ISO 27001 standards, making it easier to comply with GDPR, and easier to work within the EU and comply with technical standards.

Companies have to ensure there is a contract in place and they have an overview of the technical standards of data controllers.

The Netherlands — Bart Sujecki
I agree with the German point of view, that there will be a big liability issue around contract negotiations, and there will be competition between the different systems. Certain companies will say they don’t want to do business within the EU because it’s too strict, so they might avoid the EU market.

U.S. — William Shawn
Implementing best practices internationally is going to require some substantial changes in the U.S. We are usually an opt-out jurisdiction, but this will be an opt-in, so there will also be prohibitions, with consent required for some things (children under 16 using Twitter, for example). It will be a sea change for our cyber world, but ultimately these type of requirements will apply to all U.S. companies, so it’s going to be a matter of time, and we lawyers are going to part of the solution.

England and Wales — Kerry Beynon
GDPR won’t prohibit the transfer of data outside the EU, but we just might have to do things in a different way. I think we will see data controllers paying more attention to the due diligence around the companies they are doing business with. We are generally seeing push back on the contractual apportionment of liability, with quite a few businesses asking for clauses requiring data centers to be based in Europe. I don’t think it will stop people from engaging, they just want to do things slightly differently, with more attention on the contracts and due diligence. Of course, the GDPR sets out a clear position on when you can transfer data outside the EU, and also on the safeguards you have to have in place when sending personal data outside the EU, so those requirements must be adhered to.

Sweden — Anna Fernqvist Svensson
Actually, we had a big scandal in Sweden recently to do with the Swedish Transport Agency. The authority for rail, sea, and road transport was using foreign companies for their IT operations, and information about private individuals leaked. Since the scandal, there has been more focus on security and the human side of the problem. We are only human beings dealing with this information, and it’s an important aspect to have staff training and to really explain to everyone involved how important this is. It’s also important to have everyone aware of the rules around GDPR.

Belgium — Steven de Schrijver
In principle, personal data transfers to countries outside the EEA can only take place on the condition that these third countries guarantee an "adequate" level of data protection. The EU Commission will assess third countries’ level of protection by carrying out "adequacy findings," which are binding to all member states. After the adequacy of the data protection legislation of a third country has been acknowledged, international data transfers from EU member states to this recognized country can take place without further protective measures being required.

As of May 2018, these adequacy decisions of the Commission are subject to periodic review every four years, after which adequacy decisions can be repealed, amended, or suspended.

The GDPR also adds a new legal ground for cross-border data transfers, meaning they are only lawful and enforceable if founded on an existing bi- or multilateral agreement between the third country and the EU or EU member state.

In this regard, data controllers and processors involved in transferring personal data outside the EU should regularly identify and locate all of their data streams and verify for each of these streams whether the receiving country is an EEA member state or a third country recognized by the EU Commission as an "adequate" country.

Luxembourg — Cecile Porcher
In Luxembourg, the transfer of information outside the EU was, as a basic principle, possible only if the country to which the data was to be sent had an adequate level of protection. This was except for occasional derogations for very specific cases (for example: consent of the data subject, higher public interests, preservation of the vital interest of the data subject, imperative necessity for executing the contract, etc.). As the evaluation of the adequacy level rested upon the shoulder of the data controller, it was a huge responsibility to take the decision to transfer the data or not.

Now, with GDPR, we have two kinds of situations for cross-border data transfers (Articles 45 and 46 of the GDPR) In the first one, we will now have standard adequacy decisions taken by the EU Commission. The other point of advantage is that it puts in place a general framework regarding corporate data storage rules and what is to be understood as an appropriate safeguard. In my opinion, this is a step toward better protection for data transfers and it might actually be a tool which makes it easier to transfer outside the EU.

France — Alexander Roth
On the same day that the EU data protection regulation 2016 679 was adopted, there were, within that packet, two other directives that had a security aspect, motivated by the Paris and Brussels attacks. They were to do with passenger name records and airline safety and the prevention and detection of criminal offenses.

They affect firms here in France and abroad, for example travel agencies and aviation companies, because it is one exception to certain prohibitions of data collection as set out in the GDPR.

Italy — Ruggero Rubino Sammartano
I believe there is a duty to apply the new GDPR to the data treatment of EU citizens, even those living abroad. Transferring data outside the EU should not permit companies to avoid the data protection rules.

Of course, there is the possibility of leaks and mistakes in the treatment that may lead to liabilities and sanctions, so, in our experience, it is important that the corporation be insured for this kind of liability, in order to transfer the risk to the insurance company.

While the responsibility for any mismanagement might lie with the company, having reliable and certified external service providers can actively reduce the likelihood of accidents, as well as the ultimate liability of the company

photo credit: Move The World via photopin (license)