How US Companies Balance GDPR Compliance with International Data Transfers
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Ameesh Divatia of Baffle takes a closer look at the world of GDPR compliance and international data transfers.
In May, the Irish Data Protection Commission levied a hefty $1.3 billion fine against Meta — the parent company of Facebook and Instagram — for transferring data from Ireland to the U.S. in a manner that was not compliant with the EU’s General Data Protection Regulation (GDPR). Trans-Atlantic data transfers to the U.S. have been a rather nebulous prospect since 2020 when the Court of Justice of the European Union nullified the EU-U.S. Privacy Shield, which outlined rules for consumer data transfers outside of Europe.
However, in July the long-awaited EU-U.S. Data Privacy Framework (DPF) was adopted. It addressed concerns about U.S. intelligence access to European consumer data and created the Data Protection Review Court, which will handle consumer complaints should intelligence agencies gain access to EU consumer data. Now, companies that earn DPF certification can legally transfer consumer data to the U.S.
Some may be under the impression that transfers can occur simply by earning DPF certification, without any concern about falling outside of GDPR compliance — but that would be a mistake. In 2021 — in response to the elimination of the Privacy Shield — the European Data Protection Board (EDPB) adopted six recommendations that companies should follow when transferring EU consumer data internationally. In addition to DPF certification, companies transferring data from the EU to the U.S. should integrate these six suggestions to ensure GDPR compliance.
Let’s take a closer look at those recommendations and what they mean.
GDPR Compliance: How US Companies Are Balancing It with International Data Transfers (IDTs)
Know Your Transfers
This step is straightforward but can be challenging. The recommendation asserts that companies should identify every country where they plan to transfer data. While tedious, moving forward with the following five steps is only possible if you know where the data is going and, just as important, the level of protection each country offers (more on that later).
Verify Your Transfer Tool
Having the right solution provider can make GDPR-compliant transfers from the EU to another country much more manageable. It is essential to thoroughly vet your data transfer solution provider to ensure it follows stringent security measures that are themselves GDPR compliant. Ask the solution provider about its GDPR experience, how it supports cloud-to-cloud portability, the availability of enhanced protection tools like Bring Your Own Key (BYOK), and the methods it employs for destroying data.
Assess the Destination Country’s Privacy Posture
As we know, data protection standards are not uniform from country to country. To be clear, not all laws are as stringent as the GDPR. So, it is incumbent upon an organization seeking to transfer consumer data out of the EU to understand the destination country’s level of protection. In the U.S., for example, about 20 percent of states have enacted data privacy laws, but all vary in scope.
If the destination country has no defined data privacy standards, or has standards incompatible with the EU's, a transfer cannot commence. Even when standards appear to comply with GDPR requirements, there may be gray areas. This is where solid legal counsel on your compliance team is critical. They can help you understand the nuances of the many compliance standards adopted by the countries to which you wish to transfer data.
Identify and Adopt Supplemental Data Protection Measures
This is perhaps the most complicated of the six steps because protecting data during processing is incredibly complex. The types of data protection methods to be employed may change based on the kind of data you’re transferring, where it’s going, where it is in the data processing timeline, and how you plan to use the data.
The following are two broad categories of use cases identified as supplemental measures by the EDPB:
- Pseudonymize or encrypt the data before it leaves the jurisdiction where it is collected. This includes a backup of sensitive data stored in a different location than where it was created. It would also ensure that sensitive data is not subject to the encryption regulations in the destination country, thereby providing a ‘fail-safe’ posture.
- Deploy state-of-the-art Privacy Enhanced Computation (PEC) techniques. When feasible, these methods enable the processing of encrypted data using cryptographic approaches such as multi-party computation or homomorphic encryption. As mentioned earlier, BYOK is an emerging solution that protects encrypted data by giving owners complete control over encryption keys.
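To make the first supplemental measure concrete, here is an added example (not code from the article or from Baffle) of pseudonymizing a batch before it leaves the EU: direct identifiers are replaced with a keyed HMAC token, and the key plus the token-to-identity lookup stay with the EU exporter, so the destination receives only analytic fields and opaque tokens. The records, field names and key handling are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample export batch (fictitious people, not real data).
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Muster", "country": "DE", "spend": 120.5},
    {"email": "luc@example.fr", "name": "Luc Martin", "country": "FR", "spend": 80.0},
    {"email": "anna@example.eu", "name": "Anna Muster", "country": "DE", "spend": 15.0},
]
DIRECT_IDENTIFIERS = ("email", "name")  # assumed fields that never leave the EU in clear


def new_pseudonymisation_key() -> bytes:
    """Secret generated and held only by the EU exporter (BYOK-style key control)."""
    return secrets.token_bytes(32)


def pseudonymise_for_export(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Replace direct identifiers with a keyed token before the batch leaves the EU.

    Returns (export_batch, lookup): the batch carries only the token plus analytic
    fields; the lookup (token -> identifiers) is the 'additional information' that
    stays with the exporter. Same key + same person => same token, so the importer
    can still join records without learning who they belong to."""
    export_batch, lookup = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        analytic = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        export_batch.append({"subject": token, **analytic})
    return export_batch, lookup


def reidentify(export_record: dict, lookup: Dict[str, dict]) -> dict:
    """Only the exporter, holding the lookup, can attribute a record back to a person."""
    analytic = {k: v for k, v in export_record.items() if k != "subject"}
    return {**lookup[export_record["subject"]], **analytic}


def leaks_identifiers(originals: List[dict], export_batch: List[dict]) -> bool:
    """Pre-transfer gate: no identifier field name or clear value may appear in the batch."""
    clear_values = {rec[f] for rec in originals for f in DIRECT_IDENTIFIERS}
    for rec in export_batch:
        if any(f in rec for f in DIRECT_IDENTIFIERS):
            return True
        if any(str(v) in clear_values for v in rec.values()):
            return True
    return False
```

Run the gate on every batch before transfer; a different key per destination prevents an importer from linking tokens across exports.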
Take Formal Steps to Adopt Supplemental Protection Measures
This step requires ensuring protection measures are being implemented in a compliant manner. It is a best practice to establish and maintain lines of communication with appropriate authorities who can offer concrete counsel regarding the compliance-worthiness of protection measures. Doing so may create more work on the front end, but it is far less challenging than incurring a significant fine for non-compliance.
Companies must regularly review protection procedures to address any changes that may compromise data. New threats to data privacy emerge frequently, so it is absolutely critical to audit protection measures to ensure compliance is maintained irrespective of emerging threats before, during, or after data transfer.
As data privacy rules grow more stringent and as more businesses take on a global posture, companies must be more proactive than ever in protecting consumer data, especially when it leaves the EU. Organizations that follow the six EDPB recommendations will enjoy the fruits of global data analytics while avoiding non-compliance fines that can negatively impact an organization's bottom line and reputation.
Published September 12, 2023.