EU: Guidance issued on Cross Border Data Transfers
The European Data Protection Board (EDPB) has issued guidance for compliance with the General Data Protection Regulation (GDPR), with the aim of protecting the privacy rights of individuals when data is transferred across several jurisdictions.
The Guidance aims to comprehensively lay down the contractual, technical and other relevant safeguards necessary for the transfer of data. It aims to uphold the fundamental principles of protection attached to the GDPR. The EDPB lays down the following steps in furtherance of the guidance:
Data exporters are required to know where the data is being transferred before the transfer takes place, along with the purpose of the transfer, so that it can be assessed for relevance and necessity.
The tools used to transfer the data are also to be assessed, ensuring that they are authorized under Article 46 of the GDPR, along with adherence to Binding Corporate Rules and other ad hoc contractual clauses.
Data exporters must carry out assessments of the laws of other jurisdictions in order to determine whether the laws of the particular country are in consonance with the transfer tools relied upon and whether they might impinge on the effectiveness of those tools. The data exporter must be mindful of a range of factors involving financial, personal, sensitive data, etc. Assessment of the type of data is dependent upon legality and government permissibility.
Data exporters are also required to adopt any relevant supplementary measures that may be necessary for bringing the level of data protection up to the EU standards. These may take the form of essential technical safeguards, which involve strong encryption and verification mechanisms to ensure that the data is being transferred to the person intended. The EDPB emphasized the need to assess the effectiveness of these supplementary measures and imposes responsibility for that assessment on data exporters.
The GDPR lays down certain formal procedural steps that include consulting relevant supervisory authorities depending on the transfer vehicle being used.
Apart from ensuring prior assessment, imposition of safeguards, etc., data exporters are also required to ensure continuous vigilance in the realm of data protection. Organizations involved in this practice must evaluate their processes for cross-border transfers and create a roadmap that ensures privacy and cybersecurity and undertakes surveillance of the data being transferred, keeping in mind the necessity of adhering to the legal standards of each jurisdiction dealt with in the process.