GDPR Transborder data flows: How are A/NZ organisations affected?
The General Data Protection Regulation (GDPR) applies a strict regime when personal data is transferred outside EU territory. In principle, it requires that an equivalent level of protection and safeguards is still afforded to such data when it is processed outside European soil.
In addition, the GDPR also aims to protect EU citizens’ data by applying a wider territorial scope, whereby non-EU entities offering goods or services to, or monitoring the behaviour of, individuals based in the EU will also be subject to the GDPR.
The impact on Australian and New Zealand entities is two-fold since this implies that:
1) An entity based in Australia or New Zealand, offering goods or services to individuals in the EU, will be required to comply with the GDPR in addition to its own national jurisdiction; and
2) Australian or New Zealand entities on the receiving end of data transfers from EU entities will be required to ensure an equivalent level of protection.
Adequacy findings
In the case of New Zealand, the EU has recognised that jurisdiction as ensuring an adequate level of data protection[1]. Adequacy decisions are one of the possible solutions for data transfers. They are based on a detailed assessment of data protection in the third country and on the principle that the country provides sufficient guarantees which are essentially equivalent to those in the EU.
An adequacy decision removes any barrier to data transfers to the jurisdiction or sector concerned. In the case of New Zealand, the adequacy finding means that personal data may flow freely from the EU to New Zealand without any additional transfer instrument or safeguard being necessary (e.g. additional contractual clauses or binding corporate rules). The decision, which was issued by the European Commission on the basis of Directive 95/46/EC, remains valid until reviewed, amended or repealed under the GDPR.
The situation is different for Australia, since no adequacy finding has been made. Therefore, in spite of having a robust data protection regulatory framework, Australian controllers and processors would need to ensure that personal data remains subject to the same level of data protection as afforded under the EU regime. In general, these safeguards may be put in place by using Standard Contractual Clauses issued by the Commission, signed between the EU and Australian entities involved in the data transfers, or by applying Binding Corporate Rules.
Other possible options to frame transfers within the legal boundaries would be transfers based on a certification scheme or a code of conduct. Both are novelties under the GDPR, and it remains to be seen how they will work in practice. Another possibility is to rely on the derogations provided in the GDPR.
However, while this is a possible option, derogations are considered the exception to the rule and should be narrowly interpreted. In principle, relying on derogations should only take place in limited circumstances (e.g. one-off or urgent transfers) when it is not possible to resort to other safeguards.
Transferring by means of appropriate safeguards
Standard Contractual Clauses are model contracts adopted by the EU Commission with the aim of facilitating EU controllers in providing sufficient guarantees when transferring personal data to a non-EU controller or processor.
EU data controllers typically use these standard clauses either as ad-hoc contracts or as part of wider service-level or business-related agreements, either with other intra-group entities or with external organisations based outside the EU.
Binding Corporate Rules (BCR) are a set of internal rules designed by multinational organisations to regulate the transfer and subsequent processing of personal data within group entities, including those located outside EU territory. The significant advantage of BCRs over Standard Contractual Clauses is that, once a BCR is approved by the EU Supervisory Authorities, the data protection framework adopted by the multinational is deemed adequate, so personal data may flow freely within the group without requiring additional safeguards or formalities.
The Australian scenario
From the Australian business perspective, a multinational with establishments in the EU would need to ensure that its data flows from its EU-based entities to Australia or any other third-country jurisdiction comply with the GDPR.
If such data flows are frequent and involve the majority of organisations across the group, then the most practical option to consider is a BCR. Although the approval of a BCR triggers a procedure involving the EU data protection authorities, once a BCR is approved it facilitates the free flow of personal data amongst the group entities covered by that authorisation.
In order to launch such a procedure, the Australian multinational should identify the EU lead data protection authority with which the BCR should be filed. The principal criteria for establishing the lead authority are the location of the EU headquarters or the place with delegated data protection responsibilities.
Embarking on a BCR authorisation involves a procedure whereby, following the reviews conducted by the lead and concerned supervisory authorities, the BCR application goes through the consistency mechanism envisaged under the GDPR, under which an opinion of the European Data Protection Board is required.
Alternatively, if the transfer is ad hoc, or a quicker, albeit individual, solution is needed, an Australian multinational may consider using standard contractual clauses to regulate data transfers between its EU-based entities and their third-country receiving entities. This would solve the matter in the short term, but BCRs would be the ideal instrument for dealing with data transfers on a long-term basis.
More information and guidance on how to comply with the GDPR can be found in the author’s publication, A Practical Guide to GDPR.