Data Transfers

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if SCCs are utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the Judgment could mean, and will continue to update this page to bring together all the resources needed.

OneTrust DataGuidance's Schrems II Portal provides for a Third Country Assessment Comparison, as well as the latest resources and data protection authority guidelines regarding the Schrems II Case and new SCCs to help your business understand and navigate its implications.

How Does OneTrust Help with Schrems II Challenges?

The Schrems II ruling poses a new set of challenges, as organizations must now find alternative transfer mechanisms. But don’t worry, OneTrust is here to help! With our new free Schrems II Solutions, controllers can leverage OneTrust Vendor Risk Management, Vendorpedia Exchange, Data Mapping, and DataGuidance to identify and validate data transfers.

OneTrust’s Schrems II Solutions support organizations in operationalizing a range of changes, including:

  • OneTrust Data Mapping: Identify data transfers and the mechanisms they rely upon
  • OneTrust Vendor Risk Management: Assess vendors that rely on SCCs with pre-built validation templates and manage contract updates as well as vendor on-boarding and off-boarding
  • OneTrust Vendorpedia Exchange: Leverage pre-completed vendor assessments and chasing services
  • OneTrust DataGuidance Regulatory Research: Stay up to date on the latest Schrems II guidance

Processors can also find the support that they need to operationalize the Schrems II decision. OneTrust Schrems II Solutions help processors implement holistic privacy programs, allowing them to track the relevant guidance and implement compensating controls for GDPR equivalency.

Data Transfer Restrictions

  Each jurisdiction entry below lists, in order and where available: Law; Restriction; Exemptions; Localisation Requirement; Regulatory Guidelines; Transfers Note.
  • Afghanistan
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Albania
    • According to Article 8(1) of the Law, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by decision of the Office of the Information and Data Protection Commissioner ('IDP'), are restricted.

    • According to Article 8(2) of the Law, data transfers are permitted when: 

      1. it is authorised by international acts ratified by the Republic of Albania which are directly applicable;
      2. the data subject has given his/her consent for the international transfer;
      3. the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
      4. it is a legal obligation of the controller;
      5. it is necessary for protecting vital interests of the data subject;
      6. it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right; or
      7. the transfer is done from a register that is open for consultation and provides information to the general public.

      In cases other than those provided above, the international transfer of personal data to a state that does not have an adequate level of data protection shall be carried out upon an authorisation from the KMDP. Consideration is also given to states which have ratified Convention 108.

    • No further information.

    • Guidelines on international data transfers issued by the Office of the Information and Data Protection Commissioner ('IDP') (only available in Albanian here).

    • No Transfers Note currently available.

  • Alberta
    • AB PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according to the Official Guidelines, involves 'sharing personal information with another entity.' According to Section 19 of AB PIPA, an organisation may disclose personal information only: 

      1. for purposes that are reasonable for meeting the purposes for which the information is disclosed; or 
      2. with the consent of the individual.
    • According to Section 20 of AB PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; 
      2. the disclosure of the information is required by law; 
      3. to a public body, debt collection agency or other organisations; 
      4. the disclosure is for the purposes of contacting the next of kin or a friend of an injured, ill or deceased individual; the disclosure of the information is reasonable for the purposes of an investigation or legal proceeding or for the purposes of the prevention, detection or suppression of fraud, and the information is disclosed to an organisation that is permitted or otherwise empowered to carry out any of those purposes; 
      5. the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
      6. the information is publicly available, as prescribed or otherwise determined by the regulations; or 
      7. the disclosure is in accordance with Section 20.1, 21 or 22 (see below). 

      Under Section 21(1) of AB PIPA, an organisation may disclose personal employee information about an individual without the consent of the individual if the information is disclosed solely for the purposes of (a) establishing, managing or terminating an employment or volunteer-work relationship, or (b) managing a post-employment or post-volunteer-work relationship, between the organisation and the individual. The disclosure must also be reasonable for the particular purpose for which it is being disclosed, and, in the case of an individual who is a current employee of the organisation, the organisation has, before disclosing the information, provided the individual with reasonable notification that his/her personal information is going to be disclosed and of the purposes for which the information is going to be disclosed. 

      Additionally, it can disclose personal information about an individual who is a current or former employee of the organisation to a potential or current employer of the individual without the consent of the individual if: 

      1. the personal information that is being disclosed was collected by the organisation as personal employee information; and 
      2. the disclosure is reasonable for the purpose of assisting that employer to determine the individual's eligibility or suitability for a position with that employer.

      According to Section 22, personal information may be disclosed for the purposes of a business transaction, if: 

      1. the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction; and 
      2. the information is necessary: for the parties to determine whether to proceed with the business transaction; and if the determination is to proceed with the business transaction, for the parties to carry out and complete the business transaction.
    • No further information.

    • Official Guidelines on the general application of AB PIPA issued by the Office of the Information and Privacy Commissioner in November 2008 and Official Guidelines on collection, use and disclosure of personal information under AB PIPA issued by the Office of the Information and Privacy Commissioner of Alberta in 2009.

  • Algeria
    • Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('the Law')

    • Data controllers cannot transfer data abroad unless they have obtained authorisation from the Algerian data protection authority and the recipient country provides an adequate level of protection for the persons affected by the transfer. In addition, it is prohibited to transfer personal data if such transfer poses a danger for the vital interests of the State or public security (Article 44 of the Law). 

    • In cases where the recipient country is not recognised as providing adequate protection and the Algerian data protection authority has not authorised the transfer, as required by Article 44 of the Law, the data controller can transfer personal data if:

      • the data subject has expressly consented to such transfer;
      • the transfer is necessary for, among others, protecting the health of the data subject, safeguarding the public interest or the execution of a contract between the data subject and the data controller;
      • the transfer takes place pursuant to a bilateral or multilateral agreement to which Algeria is party; or 
      • under the authorisation from the Algerian data protection authority, the processing falls under Article 2 of the Law.
    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Andorra
    • According to Articles 35 and 36 of the Act, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by either the European Commission or the Andorran data protection authority ('APDA'), are restricted.

    • According to Article 37, data transfers are permitted when: 

      1. made with the unequivocal consent of the interested party; 
      2. made in accordance with international conventions to which the Principality of Andorra is a party; 
      3. made for the purposes of international legal assistance, or for the recognition, exercise or defence of a right in the context of legal proceedings; 
      4. made for medical prevention or diagnosis, health care, social prevention or diagnosis or for the vital interest of the interested party; 
      5. made for the purpose of bank remittances or transfers of money; 
      6. necessary for the establishment, execution, fulfilment or control of legal relationships or contractual obligations between the interested party and the file manager; 
      7. necessary to preserve the public interest; or 
      8. concerned with data taken from public registries or is made in compliance with the functions and purposes of the public registries.
    • No further information.

    • Guidelines on international transfers issued by the Andorran data protection authority ('APDA') (only available in Catalan here).

    • No Transfers Note currently available.

  • Angola
    • Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here).

      Please note that the Agency for the Protection of Personal Data has not yet been established.

    • According to Section 33 of the Law, data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the National Database Protection Agency ('APD').

    • According to Section 34 of the Law, data transfers are permitted when: 

      1. The data subject has given his/her unequivocal, express and written consent; 
      2. The transfer is required by an international treaty to which the Republic of Angola is a party; 
      3. The transfer is necessary for humanitarian reasons; 
      4. The transfer is necessary for the performance of a contract or for pre-contractual measures; 
      5. The transfer is necessary for the performance of a contract between the data controller and a third party, which is in the interest of the data subject; 
      6. The transfer is necessary for legal obligations or for legal actions; 
      7. The data subject cannot give his/her consent and the transfer is necessary for his/her vital interest; 
      8. The data are included in a publicly available source; and 
      9. If the recipients are bound by contractual agreements to ensure the same level of protection. Data transfers are also allowed when a company has internal rules ensuring the protection of data.
    • No further information.

    • The APD has not yet released any guidelines on data transfers specifically. However, in its guidance on data processing notifications (only available in Portuguese here), the APD highlights that, regarding data transfers, organisations must indicate whether the data is sent outside of Angola. If so, organisations must indicate the country, entity, data type and the respective legal basis.

    • No Transfers Note currently available.

  • Antigua and Barbuda
    • Under Section 2 of the Act, disclosure of personal data by transmission, transfer, dissemination or otherwise making it available falls under the concept of processing. Section 5(1) further states that personal data cannot be processed unless the data subject has given his/her consent.

    • According to Section 5(2) of the Act, data may be processed without consent for the following purposes: 

      1. for the performance of a contract to which the data subject is a party; 
      2. for the taking of steps at the request of the data subject with a view to entering into a contract; 
      3. for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract; 
      4. in order to protect the vital interests of the data subject; 
      5. for the administration of justice; or 
      6. for the exercise of any functions conferred on a person by or under any law.

      Moreover, such processing is subject, under Section 5(3) of the Act, to the requirement that it is processed for a lawful purpose directly related to an activity of the data user, that it is necessary for or directly related to that purpose, and that the personal data is adequate but not excessive in relation to that purpose.

    • International Foundations Act 

      According to Article 36 of the International Foundations Act 2007, the minutes of each council meeting shall be kept at the registered office of the foundation and shall be open to inspection by the founder, any foundation council member, any beneficiary, the Court or the Financial Services Regulatory Commission.

    • No further information.

    • No Transfers Note is currently available.

  • Argentina
    • Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') and Decree No. 1558/2001 Regulating Act No. 25.326 ('the Decree') (only available in Spanish here).

      Please note that a draft data protection amendment bill is currently being reviewed by the Government (only available in Spanish here).

    • Section 12(1) of the Act states that the transfer of any type of personal information to countries or international or supranational entities that do not provide adequate levels of protection is prohibited. 

    • Under Section 12(2) of the Act, the prohibition does not apply in the following circumstances:

      1. international judicial cooperation;
      2. exchange of medical information, when so required for the treatment of the affected party, or for an epidemiological survey, provided that the data has been anonymised;
      3. stock exchange or banking transfers, to the extent thereof, and in pursuance of the applicable laws;
      4. when the transfer is arranged within the framework of international treaties which the Argentine Republic is a signatory to; or
      5. when the transfer is made for international cooperation purposes between intelligence agencies in the fight against organised crime, terrorism and drug-trafficking.

      In addition, Section 12 of the Decree authorises transfers where express consent has been granted by the data subject. It also states that consent is not required when data is transferred from a public registry that is legally constituted to provide information to the public and is open for consultation by the general public or by any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions for consultation are complied with in each particular case.

      The Argentinian data protection authority's ('AAIP') Regulation 60 – E/2016 on international data transfers listing the countries to which transfers are permitted (only available in Spanish here) ('the International Transfers Regulation'). Moreover, the International Transfers Regulation contains two model contracts that can be used for international data transfers to countries that do not provide adequate levels of protection; one must be used for transfers between data controllers, and the other must be used for transfers to data processors.

    • No further information.

    • The AAIP's guidance on cross-border data transfers (only available in Spanish here).

      The AAIP's guidelines on Binding Corporate Rules (only available in Spanish here).

  • Armenia
    • Articles 26 and 27 of the Law state that personal data may be transferred to a third party or to another state with the data subject's consent, where it is required by law and the state has an adequate level of data protection, or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these processes. The transfer of biometric or special category personal data needs to be notified to the Personal Data Protection Agency ('the Agency').

    • Article 26(2) of the Law states that special category personal data can be transferred to third parties without the data subject's consent, where the data processor is considered a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection, or the transfer of data is to protect the life, health, or freedom of the data subject. 

      Moreover, according to Article 27(3) of the Law, personal data can be transferred to a state not providing adequate data protection by the permission of the Agency, where the personal data are transferred on the basis of an agreement with appropriate safeguards approved by the Agency as providing adequate protection.

    • Government Decree No. 1521-N of 26 December 2013 on Approving Minimum Requirements for Official Websites of the Internet Network (only available in Armenian here) establishes data localisation requirements for the official websites of governmental agencies.

    • No further information.

  • Aruba
    • National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data ('the Ordinance') (only available in Dutch here).

    • DataGuidance confirmed with Daniel Rasmijn, Attorney at HBN Law, that data transfers must comply with the conditions contained in Article 9 of the Ordinance if they are to be lawful:

      1. the transfer is necessary in connection with the purpose of the data recording;
      2. insofar as necessary based on legislation;
      3. if the data subject has granted their consent;
      4. in the interest of academic research, statistics or other urgent reasons, if certain specific conditions are met.

      Moreover, Article 24(2) of the Ordinance establishes a prohibition to transfer data from Aruba to a foreign country if the Ordinance is not applicable and the Minister of Justice has declared that such a transfer would be harmful to the privacy of data subjects.

    • DataGuidance also confirmed with Daniel Rasmijn that there are no exemptions that allow an international data transfer once the Minister has declared that it would harm privacy rights.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • Australia
    • Privacy Act 1988 No. 119, 1988 (as amended) ('the Act')

    • Principle 8 of the Act provides that the cross-border use or disclosure of data can happen only when the entity which wants to transfer the data has taken such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles ('APP') (other than Australian Privacy Principle 1) in relation to the information. In addition, APP entities that disclose personal information outside Australia are liable under the Notifiable Data Breaches scheme, and must notify eligible data breaches while the information is under the APP entity's control.

    • According to Principle 8 of the Act, an entity does not have to take the reasonable steps when: 

      1. The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; 
      2. The entity expressly informs the individual that if he/she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure; after being so informed, the individual consents to the disclosure; 
      3. The disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; 
      4. A permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by an entity covered by the APP; 
      5. The entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or 
      6. The entity is an agency and both of the following apply: the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
    • There are currently no statutory localisation or residence requirements for personal information. However, certain health information cannot leave certain States (e.g. NSW, Victoria and ACT) unless the discloser is satisfied they are going to a place with similar health information privacy laws. In particular, Section 77(1) of the Personally Controlled Electronic Health Records Act 2012 ('PCEHR') notes that operators which are subject to PCEHR are not required to hold or take records outside Australia.

      Exemptions

      Such operators are exempted from this restriction, provided that the records do not include personal information in relation to a consumer or participant in the PCEHR system or identifying information of an individual or entity.

      A mandatory comprehensive credit reporting regime is currently being considered in the form of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, which includes a localisation requirement. 

  • Azerbaijan
    • Law of 11 May 2010 No. 998-IIIQ on Personal Data (only available in Azerbaijani here) ('the Personal Data Law')

    • According to Article 14 of the Personal Data Law, cross-border transmissions of personal data are prohibited in the following cases:

      • when creating a threat to the national security of the Republic of Azerbaijan;
      • if the legislation of the country where the personal data is transmitted does not provide legal protection of such data at the level established by the legislation of the Azerbaijan Republic;
      • in cases where the subject agrees to the cross-border transfer of personal data, as well as the transfer of personal data is necessary to protect the life and health of the subject, the cross-border transfer of personal data may be carried out regardless of their level of legal protection; and
      • in the case of cross-border transmission of personal data, the security of this data is ensured by the owner or operator. 
    • Not applicable. 

    • Not applicable. 

    • Not applicable. 

    • No Transfers Note currently available.

  • Bahrain
    • Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Act') 

    • Under Article 12 of the Act, data transfers outside Bahrain are prohibited, unless:

      1. the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or
      2. the competent authority permits the transfer, having assessed the circumstances.
    • Under Article 13 of the Act, data transfers to a country or territory that does not provide adequate protection of personal data are permitted if:

      1. the individual gave their consent;
      2. the personal data originates from public registers; or
      3. the data transfer is necessary for the following purposes: fulfilment of a contract; protection of vital interests of the individual; implementation of a legal obligation; or legal claim purposes.
    • Central Bank Business Standards

      According to Central Bank of Bahrain ('CBB') Volume 1 Business Standards, OM 7.3.1 ('the Rule'), conventional bank licensees must maintain the following records in original form or in hard copy at their premises in Bahrain: 

      1. internal policies, procedures and operating manuals; 
      2. corporate records, including minutes of shareholders, directors and management meetings; 
      3. correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
      4. reports prepared by the conventional bank licensee's internal and external auditors; and 
      5. employee training manuals and records.
    • No further information.

    • No Transfers Note currently available.

  • Bolivia
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • British Columbia
    • BC PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according to the Official Guidelines, involves 'showing, sending or giving some other organisation, government or individual the personal information in question.' An organisation may disclose personal information only: 

      1. for purposes that a reasonable person would consider are appropriate in the circumstances and that the data subject has been notified of in advance, as per Section 17 of BC PIPA; or
      2. with the consent of the individual, as per Section 6(1) of BC PIPA.
    • According to Section 18 of BC PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way; 
      2. the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent; 
      3. it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding;
      4. the information is collected from certain public events; the disclosure is necessary to determine suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or to be selected for an athletic or artistic purpose;
      5. the disclosure is necessary in order to collect a debt owed to the organisation or for the organisation to repay an individual money owed to them by the organisation;
      6. the personal information is disclosed in accordance with a provision of a treaty that British Columbia or Canada is a party to and that authorises or requires its disclosure;
      7. the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
      8. the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation, to determine whether the offence has taken place, or to prepare for the laying of a charge or the prosecution of the offence;
      9. there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
      10. the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
      11. the disclosure is to a lawyer who is representing the organisation; the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes; or
      12. the disclosure is required or authorised by law.

      Additionally, under Section 19 of BC PIPA, an organisation may disclose employee personal information without the consent of the individual where the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organisation and the individual, as long as it notifies the individual of the disclosure, and the purposes for the disclosure, beforehand.

      Moreover, according to Section 20 of BC PIPA, an organisation may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party to a business transaction that involves substantial assets other than the data subjects' personal information. This applies if the personal information is necessary for the prospective party to determine whether to proceed with the business transaction, and the organisation and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.

      According to Sections 21 and 22 of BC PIPA, an organisation may disclose information without consent, for research, statistical, archival or historical purposes, in certain circumstances.

    • Under Section 30 of the Freedom of Information and Protection of Privacy Act, RSBC 1996 c 165, a public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

      1. if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
      2. if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
      3. if it was disclosed under Section 33.1 (1) (i.1).
    • Official Guidelines on the general application of BC PIPA issued by the Office of the Information and Privacy Commissioner in October 2015. 

  • California
    • Not applicable.

    • Not applicable.

    • Certain public procurement contracts might impose domestic data storage as a requirement. In addition, contractors working in certain industries may be subject to certain localisation or other restrictions. For example, the U.S. Department of Defense ('DoD') requires cloud computing service providers that provide services to the DoD to store data relating to the DoD within U.S. territory, unless otherwise authorised in writing by the DoD.

    • Not applicable.

  • COPPA
    • COPPA does not contain any explicit cross-border data transfer restrictions. 

      However, §312.4 requires a website operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.

      Moreover, §312.8 requires an operator to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

    • §312.5(c) provides that verifiable parental consent is not required prior to the collection, use, or disclosure of personal information from a child:

      1. where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent; 
      2. where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about, the child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. In such cases, the parent's online contact information may not be used or disclosed for any other purpose; 
      3. where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator from its records promptly after responding to the child's request; 
      4. where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child. In such cases, the operator must make reasonable efforts to ensure that the parent receives notice;
      5. where the purpose of collecting a child's and a parent's name and online contact information is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child's safety;
      6. where the purpose of collecting a child's name and online contact information is to (i) protect the security or integrity of its website or online service; (ii) take precautions against liability; (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, provide information to law enforcement agencies or for an investigation on a matter related to public safety; and where such information is not used for any other purpose;
      7. where an operator collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service;
      8. where an operator collects a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. 

      According to § 312.6, disclosures made in good faith and following reasonable procedures in responding to a request for disclosure of personal information to the parent of a child are allowed.

    • No further information.

    • Complying with COPPA: Frequently Asked Questions issued by the Federal Trade Commission.

  • Iraq
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

Data Transfer Agreements

This Comparison provides information regarding international data transfer agreements. Note that terminology varies across jurisdictions and certain agreements are non-binding.

Please see the Key for further information.

  • There are comprehensive provisions/agreements in place.
  • There are limited agreements/provisions in place.
  • There is no equivalent agreement or provision in place.

Primary Agreements:

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'): binding legal instrument requiring parties to take necessary steps to apply certain data protection principles within domestic legislation, including that a party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another party. (See Article 12 for further information).

Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows ('Treaty 181'): specifies that data may only be transferred if the recipient State or international organisation is able to afford an adequate level of protection.

Convention 108+: Convention for the Protection of Individuals with Regard to the Processing of Personal Data ('Convention 108+'): updated version of Convention 108, which amends certain principles on transborder flows, such as that a party shall not prohibit transborder flows of personal data to a subject of a jurisdiction of another party to the convention. (See Article 14 for further information).

Binding Corporate Rules ('BCRs'): data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must be legally binding and enforced by every member concerned of the group. Certain jurisdictions outside the EU also use the term BCRs to refer to binding intragroup agreements.

Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system ('APEC CBPRs'): voluntary certification system designed to facilitate cross-border data transfers between organisations based in participating jurisdictions. (See the APEC CBPR Comparison, located via the tab above, for further information).

Standard contractual clauses ('SCCs'): Model clauses for data transfer agreements, also referred to as 'model contracts' or 'model terms'. See column 7 below on Additional information.

Other Multi-Participant Agreements:

Comprehensive and Progressive Agreement for Trans-Pacific Partnership ('CPTPP'): Chapter 14 on Electronic Commerce provides that parties will establish a legal framework for the protection of personal information and allow cross-border transfers of personal information when this activity is for the conduct of a covered person.

Agreement between the United States of America, the United Mexican States, and Canada ('USMCA'): Chapter 19 on Digital Trade provides that participating Parties recognise principles of data protection, and should not restrict or prohibit cross-border data flows.

EU-Central America Association Agreement ('EU-Central America Agreement'): Article 198 provides that each party shall adopt or maintain adequate safeguards to the protection of privacy and fundamental rights, and freedom of individuals, in particular with regard to the transfer of personal data.

Deep and Comprehensive Free Trade Area ('DCFTA'): There are three DCFTAs agreed between the EU and Georgia, the EU and Moldova, and the EU and Ukraine. The DCFTAs are established as part of the Association Agreements between the EU and these jurisdictions. These agreements provide certain principles related to personal data protection, including that the parties will ensure that appropriate safeguards will be maintained regarding the transfer of personal data.

The OECD Privacy Framework ('OECD Privacy Framework'): provides non-binding guidance, including privacy principles and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

African Union Convention on Cyber Security and Personal Data Protection ('AU Convention'): provides that national data protection authorities should be responsible for authorising cross-border transfers to third parties, and that transfers to non-Member States of the African Union should only be allowed where such states provide an adequate level of protection of privacy. (See Article 12 for further information).

The APEC Privacy Framework ('APEC Privacy Framework'): provides non-binding principles and suggestions for implementation in order to ease cross-border transfers of personal data and provide guidance to businesses on privacy issues. The APEC Framework is considered a precursor to the APEC Cross-Border Privacy Rules system, which follows the same principles (see column 3).

ASEAN Framework on Personal Data Protection ('ASEAN Framework'): non-binding agreement which notes that before transferring personal data to another country or territory, the organisation should either obtain the consent of the individual for the overseas transfer or take reasonable steps to ensure that the receiving organisation will protect the personal data consistently with the principles of the Framework.

ASEAN Framework on Digital Data Governance ('ASEAN Digital Governance Framework'): sets out principles for cross-border data flows among ASEAN nations, including that a mechanism will be developed and that restrictions on cross-border flows will be minimised.

Standards for Personal Data Protection for Ibero-American States ('RIPD Standards'): provide non-binding guidance for regulatory initiatives, including rules for transferring personal data.

Digital Economy Partnership Agreement ('DEPA'): agreement between Chile, New Zealand, and Singapore, signed on 12 June 2020, which provides commitments related to data transfers. One such commitment is that each party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.

  • EU/EEA, EU Adequacy, Privacy Shield
  • Convention 108
  • APEC CBPRs
  • BCRs/Intragroup Agreements
  • Whitelists/Requires Adequate Protection
  • Other Multi-Participant Agreements
  • Additional
  • Afghanistan
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Albania
    • Not applicable.

    • Convention 108 (reservations and declarations available here and here)

      Treaty 181

    • Not applicable.

    • No further information available.

    • The Information and Data Protection Commissioner ('IDP') has issued Decision No. 8 of 31 October 2016, on the Countries with Adequate Level of Protection for Personal Data (only available in Albanian here).

    • No further information available.

    • No further information available.

  • Algeria
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • Under Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) the national authority may authorise international data transfers where the receiving State is deemed to provide an adequate level of protection of life, privacy and fundamental rights and freedoms of individuals with regard to the processing to which the data is subject or can be the subject.

    • No further information available.

    • No further information available.

  • Andorra
    • Convention 108 (reservations and declarations available here and here)

      Treaty 181

      Signed Convention 108+ on 28 January 2019, but has yet to ratify.

    • Not applicable.

    • No further information available.

    • Article 35 of the Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Act') provides that no international data communication may be effected unless the current regulations in the country of destination establish a level of personal data protection at least equivalent to that established in the Act. Article 36 of the Act further provides that the following have a level of protection equivalent to the Act:

      a) Member countries of the European Union.

      b) Countries declared by the European Communities Commission as countries with equivalent protection.

      c) Countries declared as such by the Andorran Data Protection Agency.

    • RIPD Standards

    • No further information available.

  • Angola
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • According to Section 33 of the Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here), data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the Agency for the Protection of Personal Data, which has not yet been created.

    • No further information available.

    • No further information available.

  • Anguilla
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Antigua and Barbuda
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Argentina
  • Armenia
    • Not applicable.

    • Convention 108 (declaration available here)

      Treaty 181

      Signed Convention 108+ on 2 October 2019, but has yet to ratify.

    • Not applicable.

    • No further information available.

    • A whitelist was released on 11 February 2020 (only available in Armenian here), which includes:

      • Albania
      • Andorra
      • Argentina
      • Austria
      • Belgium
      • Bosnia and Herzegovina
      • Bulgaria
      • Canada
      • Croatia
      • Cyprus
      • Czech Republic
      • Denmark
      • Estonia
      • Finland
      • France
      • Georgia
      • Germany
      • Greece
      • Hungary
      • Iceland
      • Republic of Ireland
      • Italy
      • Israel
      • Latvia
      • Liechtenstein
      • Lithuania
      • Luxembourg
      • Macedonia
      • Malta
      • Moldova
      • Monaco
      • Montenegro
      • Netherlands
      • New Zealand
      • Norway
      • Poland
      • Portugal
      • Romania
      • Russia
      • San Marino
      • Serbia
      • Slovakia
      • Slovenia
      • Spain
      • Sweden
      • Switzerland
      • UK & Northern Ireland
      • Ukraine
      • Uruguay and
      • USA

      Personal data may be transferred to another state without the permission of the authorised body where the State ensures an adequate level of personal data protection. An adequate level of personal data protection will be considered to be ensured where personal data is transferred in compliance with international agreements or where personal data is transferred to a State that is included in the published whitelist.

    • No further information available.

    • For further information see: Armenia - Data Transfers

  • Australia
  • Azerbaijan
    • Not applicable.

    • Convention 108 (declaration available here)

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Bahrain
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • Under Article 12 of Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Law') data transfers outside Bahrain are prohibited, unless:

      the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or

      the competent authority permits the transfer, having assessed the circumstances.

      The Data Protection Authority ('the Authority') shall issue a statement published in the Official Gazette containing a list of countries and territories to which data transfers are permissible. The Authority will issue such a list after taking into consideration territories which have applicable data protection legislation and regulations that are deemed satisfactory to the extent which ensures to the Authority the adequacy of the protection provided by the laws and regulations of the said territories. Please note that the Law recently entered into force; therefore many procedural and regulatory issues which are to be decided by the Authority's resolution(s) are yet to be issued.

    • No further information available.

    • No further information available.

  • Bolivia
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • California
    • Please note that, as a result of the Court of Justice of the European Union's decision on 16 July 2020, the EU-US Privacy Shield was declared invalid.

      The EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield frameworks were designed by the U.S. Department of Commerce, and the European Commission and the Swiss Administration respectively to transfer personal data between the EU and the United States, or between Switzerland and the United States, while complying with data protection requirements in the EU and Switzerland. 

    • Not applicable.

    • The APEC Cross-Border Privacy Rules system is used as a valid mechanism to facilitate cross-border information transfers while protecting personal information, and it implements the APEC Privacy Framework, a principles-based framework designed to encourage the development of privacy protections while ensuring the free flow of information in the Asia-Pacific region.

    • Not applicable.

    • Not applicable.

    • The United States has entered into various international agreements that prohibit discriminatory practices including data localization measures. For example, both the United States-Japan Digital Trade Agreement and the United States-Mexico-Canada Agreement specifically prohibit data localisation measures that restrict where data can be stored and processed as a condition for conducting business in that territory.

    • Not applicable.

  • Canada Federal
  • Iraq
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • USA Federal
    • Please note that, as a result of the Court of Justice of the European Union's decision on 16 July 2020, the EU-US Privacy Shield was declared invalid.

      The Swiss-US Privacy Shield is a self-certification system under which US organisations can commit to complying with the Swiss-US Privacy Shield framework. Compliance with the requirements of the Swiss-US Privacy Shield becomes enforceable under US law after this commitment. For further information, please see: USA - Privacy Shield.

    • Not applicable.

    • Participant in the APEC CBPR system and APEC PRP system, with two Accountability Agents. See: USA - APEC CBPR Overview

    • No further information available.

    • No further information available.

    • USMCA

      OECD Privacy Framework

      APEC Privacy Framework

      The Agreement Between the United States of America and Japan Concerning Digital Trade, which provides that neither Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means, if this activity is for the conduct of the business of a covered person (Article 11.1).

    • No further information available.

With new and updated privacy regulations introduced with increasing frequency, complying with data residency requirements has become more challenging and time-consuming. OneTrust DataGuidance’s Data Residency research tool can help you keep track of the latest residency and localization requirements. By leveraging OneTrust DataGuidance Residency research, you can gain a better understanding of how global data residency and localization requirements may impact your ability to transfer data from country to country and stay up to date on the latest regulatory developments. 

What are Data Residency Requirements? 

Data residency requirements stipulate measures that must be taken to protect personal data due to geographical location. These requirements may regulate the following: 

  • Locations of data storage and processing 
  • Data transfers 
  • Sector specific data (e.g., Germany’s localization law for health data) 

How Can OneTrust DataGuidance Support Compliance with Data Residency Requirements? 

OneTrust DataGuidance has launched a new Data Residency tool to help support your privacy research and keep track of the latest residency and localization requirements. By leveraging the world’s most in-depth source for privacy and regulatory research, you can gain a greater understanding of the implications of data residency requirements on your privacy program. This knowledge makes it easier to build and maintain a compliant program, and understand how this may impact your ability to transfer data from country to country.  With OneTrust DataGuidance Residency research you can: 

  • Understand how data residency requirements may impact your ability to transfer data from country to country  
  • Leverage granular descriptions of where data must be stored and specific data transfer criteria  
  • Stay up-to-date with global residency and localization requirements across regulated data types 

The residency research tool features include: 

  • Granular descriptions of where data must be stored   
  • Specific criteria for data transfer 
  • Statutory v. recommended requirements   
  • Links to live legal source requirements   
  • Plain-language legal citations 

Next steps on data residency compliance: 

EU Adequacy

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.

This Comparison provides information about the status and progress of third countries in becoming recognised as providing adequate protection for personal data by the European Commission.

Adequacy Decisions: The European Commission must adopt an adequacy decision regarding the level of personal data protection in a country before personal data can flow between the EU and that country without the need for any additional safeguard. Adequacy decisions can be maintained, amended or withdrawn at any time. The adequacy process can be lengthy. It involves a proposal from the European Commission, an opinion of the Article 29 Working Party ('WP29'), now the European Data Protection Board ('EDPB'), approval from representatives of EU countries, and the adoption of the decision by the European Commission. Further information can be found on the European Commission's website here.

Third Countries: Non-EU countries which require an adequacy decision in order to transfer data to or from the EU (including Norway, Liechtenstein and Iceland).

Passenger Name Records ('PNR') Agreements: PNR is the personal information such as passenger names, seats and general check-in information collected by airlines for the provision of their services. PNR agreements can allow the transfer of PNR data between countries for the purposes of crime detection. Further information can be found on the European Commission's website here.

  • Adequacy
  • Documentation
  • PNR

Mechanisms for Data Transfers under the GDPR:

The European Commission describes adequacy decisions as follows:

'The European Commission has the power to determine, on the basis of Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • a proposal from the European Commission;
  • an opinion of the European Data Protection Board;
  • an approval from representatives of EU countries; and
  • the adoption of the decision by the European Commission.

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.'

The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Switzerland (under review)
  • Uruguay
  • UK

Adequacy talks with South Korea are also currently ongoing.

For further information see the EU Adequacy Tab in the Data Transfers Portal.

Appropriate safeguards include standard contractual clauses ('SCCs') adopted by the Commission and SCCs adopted by a supervisory authority and approved by the Commission (Article 46(2)(c) and (d) of the GDPR). These SCCs may be included in a contract with another party as a means of providing protection for personal data. While the CJEU Decision ruled that SCCs were valid, it also noted that they do not on their own necessarily provide an adequate level of protection. This means that an assessment of the transfer should be made and that supplementary measures may need to be utilised alongside standard SCCs in order to ensure there is adequate ongoing protection.

The assessment is the responsibility of the exporter and importer and should determine whether the third country provides adequate protection. Since the CJEU Decision emphasised surveillance laws and public authority access to personal data in the US, guidance on assessments has tended to similarly highlight public authority access to data. Supplementary measures may involve amendments to the standard SCCs, or technical/organisational security measures such as encryption; however, further guidance on this matter is expected from the EDPB and supervisory authorities.

Prior to the CJEU Decision, the Commission issued the following decisions on EU controller to non-EU or EEA controller and EU controller to non-EU or EEA processor SCCs:

Finalised new SCCs

The Commission released, on 12 November 2020, revised SCCs for public consultation.

On 4 June 2021, the Commission announced that it had adopted two sets of new SCCs having taken into account the Schrems II judgment, the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during the public consultation and the opinion of Member States' representatives. The new SCCs consist of:

  1. SCCs between controllers and processors; and
  2. SCCs for the transfer of personal data to third countries.

For further information, see the Schrems II Portal.

Binding corporate rules ('BCRs') are considered an appropriate safeguard under Article 46 of the GDPR.

BCRs are approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR, provided that they (Article 47(1) of the GDPR):

  • are legally binding and apply to and are enforced by every member concerned in the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
  • expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  • fulfil the requirements laid down in Article 47(2) of the GDPR.

Processes for approving BCRs can be time-consuming; however, they have proved to be a popular mechanism for large multinational organisations and are becoming more common around the world.

Article 47(2) of the GDPR establishes information a BCR must specify, see EU - GDPR - Data Transfers.

The CJEU Decision, however, impacts BCRs in a similar manner to SCCs. BCRs are required to meet the same threshold for the ongoing adequate protection of personal data as SCCs. Therefore, the EDPB has noted that jurisdiction assessments and supplementary measures may be required for BCRs in the same fashion as they are for SCCs.

For further general BCR information see the following procedural documents endorsed by the EDPB:

The Commission provides an overview list of certain companies for which the EU BCR cooperation procedure is closed, last updated on 25 May 2018, and the EDPB provides a register of selected BCRs since 2019.

Article 40 of the GDPR sets out provisions for codes of conduct. Codes of conduct are voluntary tools developed by associations or other representative bodies that cover certain data protection issues and tend to apply within sectors. International data transfers are one of the topics that a code of conduct as recognised under the GDPR can cover. Codes of conduct must be approved by a supervisory authority, and supervisory authorities are also tasked with generally encouraging the use of codes of conduct.

There are several requirements for the information contained in a code of conduct, including that a mechanism is established for monitoring compliance. Article 41 of the GDPR details how a body may be accredited by a supervisory authority to monitor compliance with a code of conduct. Organisations do not need to be subject to the GDPR in order to be an adherent to a code of conduct.

A code of conduct for international data transfers will need to ensure that relevant provisions on cross-border transfers, such as ongoing adequate protection of personal data, are complied with. Similarly to BCRs, the CJEU Decision impacts codes of conduct used for cross-border transfers as it sets a new threshold for what should be considered in assessing adequate protection.

For further information on codes of conduct, see the General Data Protection Regulation Portal.

Article 42 of the GDPR establishes processes for certification. Certification functions in a similar manner to codes of conduct, in that it too is a voluntary system that is monitored or regulated through an accredited body and is used by organisations as a means of demonstrating compliance. Article 43 of the GDPR sets out provisions for accreditation of certification bodies. Certification must be renewed at least every 3 years, and all certification mechanisms and data protection seals and marks are collected in a register by the European Data Protection Board ('EDPB'). Supervisory authorities within Member States as well as the EDPB have been steadily issuing guidance, opinions, and decisions on certification (see here).

Similarly to BCRs and codes of conduct, the CJEU Decision impacts certification mechanisms by setting a new threshold for cross-border data transfers.

For further information on certification mechanisms see:

Article 49 of the GDPR establishes that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 46, including BCRs, SCCs, codes of conduct or certification, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; 
  • the transfer is necessary for important reasons of public interest; 
  • the transfer is necessary for the establishment, exercise or defence of legal claims; 
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. 

The EDPB has noted that, 'derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule.'

The EDPB also stresses that the derogations under Article 49 are for specific situations and should be 'occasional' and 'not repetitive'. As such, Article 49 derogations should not be utilised as a mechanism for recurring international data transfers.

In regard to consent, the EDPB has further specified that consent must be:

In relation to other derogations, the EDPB emphasises the importance of a 'necessity test' and the complexities of assessing whether a transfer can be considered necessary. In general terms, the EDPB strongly encourages the use of other mechanisms than Article 49 derogations wherever possible.

Following the CJEU Decision, several EU Member State supervisory authorities noted that transfers to the US, or to other third countries deemed not to provide adequate protection, were still possible under Article 49 derogations, at least on a temporary basis. However, these authorities also tend to note that Article 49 should not be relied upon for repeating or regular transfers.

For further information on Article 49, see the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.

Please note that, as a result of the Court of Justice of the European Union's decision on 16 July 2020, the EU-US Privacy Shield was declared invalid. For further information, see the Schrems II portal.

1. INTRODUCTION

1.1. Issuing body

The EU-US Privacy Shield Framework ('the EU-US Privacy Shield') and the Swiss-US Privacy Shield Framework ('the Swiss-US Privacy Shield') (together, 'the Privacy Shield') were designed by the U.S. Department of Commerce ('Department of Commerce') and the European Commission ('the Commission') and the Federal Council of Switzerland. The Privacy Shield serves as a valid commitment towards certain data privacy requirements, and as a blueprint towards meeting various GDPR obligations. 

This Guidance Note offers an overview of the Privacy Shield, with section 1.4. dedicated specifically to the Swiss-US Privacy Shield.

1.2. Foundations and purpose

Under EU and Swiss data protection law, the transfer of personal data outside the EEA and Switzerland is prohibited unless the data is transferred to a country which ensures adequate protection for that data, other Commission-approved adequate safeguards are put in place to protect that data, or a specific derogation applies. Given the different approach that the US takes to privacy to that taken by the EU and Switzerland, the Privacy Shield (which took effect in 2016) was designed to be one mechanism to satisfy EU and Swiss requirements for adequate protection when transferring personal data outside the European Economic Area ('EEA') and Switzerland to the US.

However, on 16 July 2020, the Court of Justice of the European Union declared that the EU-US Privacy Shield is no longer a valid mechanism to satisfy adequate protections for transfers from the EEA (including the UK) to the US as a result of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). On 8 September 2020, the Federal Data Protection and Information Commissioner ('FDPIC') followed suit, declaring that the Swiss-US Privacy Shield is no longer valid as a mechanism to satisfy Swiss requirements.

These decisions mean that the Privacy Shield can no longer be relied upon to transfer personal data to the US and that other mechanisms, such as the standard contractual clauses ('model clauses') and Binding Corporate Rules ('BCRs'), must be relied upon instead. The Schrems II Case imposed a number of caveats on the use of the model clauses and BCRs for data transfers to the US (and other destinations). Broadly, organisations are required to assess whether relevant US laws (as applicable in the context of each data transfer on a case-by-case basis), in combination with the relevant model clauses or BCRs, ensure adequate protection for the personal data being transferred, and to put in place additional safeguards where necessary.

Notwithstanding the invalidation of the Privacy Shield as a transfer mechanism, the Department of Commerce is continuing to administer the Privacy Shield, including processing applications for certification and re-certification, and maintaining the Privacy Shield List.

The Department of Commerce and the Commission are engaged in discussions to evaluate the potential for an enhanced EU-US Privacy Shield to comply with the Schrems II Case. On 25 March 2021, the EU Commissioner for Justice and the U.S. Secretary of Commerce issued a joint statement indicating that these negotiations will be intensified and stated that "these negotiations underscore […] our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies". Despite the increased focus, given that the EU-US Privacy Shield took over two years to negotiate, it could still be some time before an enhanced or replacement EU-US Privacy Shield is finalised.

1.3. Compliance benefits

The EU-US Privacy Shield is a voluntary self-certification scheme, administered by the Department of Commerce. As described above, the Department of Commerce is continuing to administer the Privacy Shield, notwithstanding the invalidation of the Privacy Shield as a transfer mechanism. Therefore, participation in the Privacy Shield still has some limited value, e.g., in signalling adherence to certain data protection standards and, in some cases, in fulfilling contractual commitments to maintain participation. In addition, Privacy Shield participation creates a foundation for compliance with the GDPR and data privacy requirements across other jurisdictions. Organisations that continue to participate in the Privacy Shield are not relieved of their obligations and public commitments under those frameworks, and risk enforcement action if they remain a member of the programme but fail to comply (see section 1.3.2., specifically regarding enforcement, below).

1.3.1. Verifying Privacy Shield organisations

Anyone can verify whether an organisation is Privacy Shield certified via the Privacy Shield List. The Privacy Shield List includes, for each certified organisation, the organisational entities covered by the certification, the types of data collected, details about the dispute resolution procedure chosen, and a link to the organisation's privacy policy.

1.3.2. Enforcement

1.3.2.1 Supervisory authorities and cooperation procedures

Organisations and their selected independent recourse mechanisms (see section 8 below) must respond promptly to inquiries and requests by the Department of Commerce for information relating to an organisation's compliance with the Privacy Shield. Organisations that have chosen DPAs (or, for the Swiss-US Privacy Shield, the FDPIC (see section 1.4.)) must respond directly to such authorities with regard to the investigation and resolution of complaints. While organisations are required to provide all data subjects with the contact information of their chosen independent recourse mechanism provider, the Principles recommend that organisations encourage data subjects to resolve their complaints by first contacting the organisation directly, and then using the independent recourse mechanism if the issue has not been resolved. If no resolution is reached at the level of the independent recourse mechanism provider, complaints can then be brought to arbitration (see Annex I of the Principles).

1.3.2.2 Sanctions for non-compliance

The remedies issued by the independent recourse mechanism provider should ensure that any data processing activities of the organisation that are not in compliance with the Principles are brought into compliance. Dispute resolution bodies, including independent recourse mechanism providers and arbitration panels (see Annex I of the Principles), have discretion to implement sanctions corresponding to the severity of the violation. Such sanctions could include publication of findings of non-compliance, the requirement to delete certain personal data, suspension or removal of a seal, financial compensation for data subjects for losses incurred, and injunctions. Dispute resolution bodies must notify the Department of Commerce, and either the FTC or the DOT, as applicable, of an organisation's failure to comply with sanctions.

The FTC may choose to seek an administrative cease-and-desist order, or file a complaint in federal court against an organisation that it has reason to believe has violated Section 5 of the FTC Act of 1914 prohibiting unfair or deceptive practices. Such violations may include failure to adhere to the Principles, or falsely claiming to be EU-US Privacy Shield certified. Since the EU-US Privacy Shield came into effect in 2016, the FTC has initiated enforcement actions against numerous companies. These have focused on companies falsely claiming that they are certified when they either have never been certified or they have allowed their certification to lapse but continued to claim participation in the EU-US Privacy Shield framework.

Where a dispute resolution body has found that an organisation persistently fails to comply with the Principles, the organisation must promptly notify the Department of Commerce of such facts. Failure by the organisation to do so may be actionable under the False Statements Accountability Act of 1996. The Department of Commerce will remove organisations from the Privacy Shield List (see section 1.3.1. above) in response to persistent failures to comply with the Principles or issued sanctions. Organisations will be provided 30 days' notice and an opportunity to respond before being removed.

1.3.3. Practical considerations for preparing for self-certification

Under the Privacy Shield frameworks, organisations must have the Privacy Shield requirements in place before completing the self-certification process and should budget several months for preparation. In practice, the steps for an organisation to undertake, in preparing for self-certification, include:

  1. deciding which organisational entities will be included in the self-certification and the types of personal data that will be covered (i.e., HR data or only non-HR data; see section 4.1.1. above);
  2. updating the organisation's privacy policy;
  3. identifying all contracts between the organisation and third-party controllers and agents that include transfers of personal data, including both existing signed contracts and contract templates used by the organisation;
  4. updating such contracts to include the required Privacy Shield protections (see section 9 below), which typically involves preparing data processing addendum templates to provide to third parties in relation to existing signed contracts, as well as adding the required language to the organisation's templates (also using a data processing addendum or otherwise);
  5. reviewing the organisation's current procedures for providing individuals the ability to exercise their rights to choice and access under the Principles;
  6. selecting from the available independent recourse mechanisms and registering with a provider, if applicable;
  7. selecting a verification mechanism and registering with a provider, if applicable; and
  8. reviewing the organisation's current data security mechanisms to ensure the organisation is providing adequate protection of personal data.

Of the above, the process for updating relevant contracts (i.e., steps 4–5 above) is typically the most time-consuming for an organisation, both in terms of identifying all relevant contracts across the organisation and in terms of updating existing signed contracts with third parties (given the potential lack of response or cooperation from the third party, or potential attempts by the third party to negotiate the updated contract). In addition, if the organisation's data security mechanisms are out of date or have not been recently reviewed, the organisation should expect that this internal review and update process will require significant time and resources to complete.

1.4. Related legislation, frameworks, standards, and supplemental resources

Swiss-US Privacy Shield

As described in section 1 above, the FDPIC invalidated the Swiss-US Privacy Shield on 8 September 2020, meaning that the Swiss-US Privacy Shield can no longer be relied upon to transfer personal data from Switzerland to the US. However, as with the EU-US Privacy Shield, the Department of Commerce is continuing to administer the Swiss-US Privacy Shield program. The Swiss-US Privacy Shield largely follows the framework and requirements of the EU-US Privacy Shield, but with a few key distinctions (as outlined below).

1.4.1 Key distinctions between the Swiss-US Privacy Shield and the EU-US Privacy Shield

Organisations interested in certifying for both the EU-US Privacy Shield and the Swiss-US Privacy Shield should note the following distinctions between the frameworks:

1.4.1.1 FDPIC

Under the Swiss-US Privacy Shield, the FDPIC replaces the DPAs as the authoritative regulatory agency. Thus, organisations that process personal data in both Switzerland and EU Member States will be subject to the regulatory authority of multiple agencies.

There is no annual fee for the FDPIC being the independent recourse mechanism provider, unlike the $50 that organisations must pay under the EU-US Privacy Shield (see section 8).

1.4.1.2. Definition of 'sensitive data'

Under the Swiss-US Privacy Shield, the definition of 'sensitive data' is slightly broader than under the EU-US Privacy Shield, and includes 'ideological or trade union related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings'.

1.4.1.3. How to certify

Organisations can certify for the Swiss-US Privacy Shield when they certify for the EU-US Privacy Shield. The link to self-certify can be found here. Organisations that have already self-certified to the EU-US Privacy Shield may add the Swiss-US Privacy Shield to their certification by logging into their existing EU-US Privacy Shield account and selecting the Swiss-US Privacy Shield self-certification option. Organisations that self-certify for the Swiss-US Privacy Shield will be required to pay a separate annual fee to the International Trade Administration ('ITA') in order to participate, equal to half the amount of the Annual EU-US Privacy Shield Fee (see section 13 below regarding fees).

2. SCOPE OF APPLICATION

2.1 Eligibility to join EU-US Privacy Shield

Certification is available to any US organisation that processes personal data in connection with an activity that is subject to the jurisdiction of the Federal Trade Commission ('FTC') or the Department of Transportation ('DOT'). This covers most US organisations, although generally excludes banks, federal credit unions, savings and loan institutions, telecommunications and interstate transportation common carriers, labour associations, most non-profit organisations, most organisations involved in packer and stockyard activities, and most insurance companies. Organisations that fall under these regulatory categories should seek further guidance from legal counsel before applying for the EU-US Privacy Shield. Non-US organisations (including organisations incorporated in the EU) cannot certify for the EU-US Privacy Shield, because they are not subject to the jurisdiction of either the FTC or the DOT.

Where to self-certify

Once all requirements have been completed (for preparing for certification, see section 1.3.3 above), organisations can self-certify here.

Re-certification

Organisations must complete an annual re-certification application to continue participation in the Privacy Shield. The information required during re-certification is identical to the information required during the initial self-certification process. Organisations should submit their re-certification application before their current certification lapses; however, there is currently a 'grace period' of 30 days in which the Department of Commerce still accepts an organisation's re-certification application. As described below, the FTC has been active in its enforcement actions against companies that continue to claim to be Privacy Shield certified after allowing their certification to lapse without applying for re-certification.

2.2 The EU-US Privacy Shield and the UK

The UK formally left the EU on 31 January 2020 and entered into a transition period that ended on 31 December 2020. Notwithstanding the fact that the UK is no longer part of the EU, the invalidation of the EU-US Privacy Shield applies to the UK, meaning that the EU-US Privacy Shield cannot be relied upon to transfer personal data to the US from the UK. An alternative data transfer mechanism, such as the model clauses, is therefore required for such transfers under the UK's data protection regime. Organisations that continue to participate in the EU-US Privacy Shield in relation to data transfers from the UK must update their privacy policies (and any other public commitments) to state that the commitment extends to personal data received from the UK. If an organisation plans to receive HR data from the UK, it must also update its HR privacy policy. Model language for these updates is set out in the FAQs on the Privacy Shield and the UK.

In addition, organisations that have publicly committed to cooperate and comply with the DPAs under the EU-US Privacy Shield will be understood to have committed to cooperate and comply with the UK Information Commissioner's Office ('ICO'), and so should remain abreast of updates and guidance published by the ICO.

3. KEY DEFINITIONS | BASIC CONCEPTS

Key terms used in the Privacy Shield largely mirror the GDPR, and include the following:

Controller: means a person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Personal data and personal information: means data about an identified or identifiable individual that are within the scope of the Directive, received by an organisation in the US from the EU, and recorded in any form.

Processing: means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

Sensitive data: means any data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.

The Privacy Shield is built on the following key Principles:

  • Notice: Organisations must publish privacy notices containing certain information about their privacy practices, their use, collection and sharing of personal data, and their participation in the Privacy Shield.
  • Choice: Individuals must have a mechanism for opting out of having their personal data disclosed to a third party or used for a different purpose than that for which it was provided.
  • Accountability for onward transfer: Organisations must have contracts with third parties who process personal data for and on behalf of the organisation that contain certain commitments.
  • Security: Organisations must take reasonable and appropriate measures to protect personal data from misuse, loss, unauthorised access, disclosure, alteration and destruction.
  • Data integrity and purpose limitation: Organisations must take reasonable steps to limit processing to the purposes for which the data was collected and ensure that personal data is accurate, complete and current.
  • Access: Organisations must provide a method by which data subjects can request access to, or the correction, amendment or deletion of, information the organisation holds about them.
  • Recourse, enforcement and liability: There must be recourse for individuals affected by an organisation's non-compliance, including consequences for such organisations.

4. DATA PROCESSING

4.1 Privacy policy

Organisations must adopt a clear, concise, and easy-to-understand website privacy policy that complies with the Privacy Shield Principles ('the Principles'). The privacy policy must include the following:

  • a statement that the organisation adheres to the Principles;
  • a link to the Privacy Shield website (accessible here); and
  • a link to the website or complaint submission form of the independent recourse mechanism chosen (see section 8 below).

The process for first-time applicants in relation to implementing their privacy policy is as follows:

  1. The organisation provides the privacy policy (in draft) to the Department of Commerce, including information about the intended location, e.g., website address where the privacy policy will be made available (but must not make the privacy policy publicly available online or otherwise at this point);
  2. The Department of Commerce will review the application, including the privacy policy, and (if applicable) confirm that the organisation fulfils all certification requirements;
  3. Once confirmed, the organisation makes its privacy policy public; and
  4. The organisation then notifies the Department of Commerce that it has made its privacy policy public.

4.2 Key considerations regarding certain types of data

Organisations that are considering applying for the EU-US Privacy Shield should give special consideration to HR data, sensitive personal data, and law enforcement access requests.

4.2.1. Human resources data

Organisations that choose to extend the EU-US Privacy Shield benefits to human resources ('HR') personal data transferred from the EU for use in the context of an employment relationship must indicate this when self-certifying. If the self-certification will cover HR data, then the organisation must agree to use DPAs as an independent recourse mechanism with respect to such data (see section 8 below). For an EU-US Privacy Shield certification to cover HR data, there must be an HR privacy policy with the same requirements as the website privacy policy. Like the website privacy policy, organisations must make a copy available as part of the certification and re-certification processes. However, unlike the website privacy policy, an organisation is not required to make the HR privacy policy publicly available on its website (although it can do so if it wishes, either combined with the website privacy policy or as a standalone document).

The requirements for onward transfers (see section 9 below) also apply to HR data, but exceptions may be made for occasional employment-related operational needs of the organisation that involve minimal transfers of personal data to third parties (such as booking a flight or hotel room for an employee).

4.2.2. Sensitive personal data

If the personal data processed by an organisation includes sensitive personal data, organisations must obtain affirmative express consent from individuals if such information is to be either: disclosed to a third party (see section 9 below), or used for a purpose other than as originally collected or as otherwise expressly authorised by the individual.

However, an organisation is not required to obtain affirmative express consent where the processing is:

  • in the vital interests of the data subject or another person;
  • necessary for the establishment of legal claims or defences;
  • required to provide medical care or diagnosis;
  • carried out in the course of legitimate activities by a foundation, association, or any other non-profit body with a political, philosophical, religious, or trade-union aim, and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects;
  • necessary to carry out the organisation's obligations in the field of employment law; or
  • related to data that is manifestly made public by the individual.

In all cases, an organisation should treat as sensitive any personal data received from a third party where the third party identifies and treats it as sensitive.

4.2.3. Law enforcement access requests

Organisations must inform individuals that personal data may be disclosed in response to lawful requests by public authorities, including for the purposes of meeting national security or law enforcement requirements. This disclosure is typically included in the organisation's public-facing privacy policy.

5. MANAGEMENT SYSTEM

Preparing for Privacy Shield self-certification requires an organisation to take several steps in relation to the organisation’s data governance and management system, including updating its privacy policy, reviewing current procedures for providing rights to choice and access, and reviewing data security mechanisms to ensure adequate protection. Although not specifically required by the Principles, organisations will be assisted in achieving and maintaining certification by developing related internal policies and procedures and providing training to employees on Privacy Shield and related data privacy and security compliance.

In addition, the Verification Principle requires organisations to provide follow-up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and that those practices have been implemented as represented and in accordance with the Principles. An organisation must verify such attestations and assertions either by registering with a third-party assessment program or by committing to perform an internal annual assessment. Most organisations choose to perform this annual compliance check themselves. There are specific requirements for verification depending on whether the organisation uses a third-party assessment program or performs internal assessments. In both cases, organisations must retain their records on the implementation of their Privacy Shield practices and make the records available upon request in the context of an investigation or complaint about non-compliance.

6. DATA SECURITY

Organisations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal data. The Privacy Shield does not provide any specifics regarding what form those measures may or must take. However, they should be reasonable and appropriate under the circumstances. If an organisation's data security measures are out of date or have not been recently reviewed, the internal review (and any updates required) may require significant time and resources to complete.

7. ACCOUNTABILITY AND RECORDKEEPING

Organisations must provide a Privacy Shield contact, that is the name and contact information of the designated individual nominated to be a Privacy Shield point of contact for data subjects and responsible for handling:

  • inquiries;
  • requests to access, amend or delete personal information that the organisation holds;
  • complaints; and
  • any other issues arising under the Privacy Shield.

The Privacy Shield Contact should, amongst other things, maintain a record of any questions or complaints received from data subjects, and how each question or complaint is resolved.

As described above (section 5.1), organisations must verify annual compliance with the Principles, through either self-assessment or outside compliance reviews. Organisations must maintain records relating to their Privacy Shield implementation and compliance as part of this verification process, and make their records available upon request in the context of an investigation or complaint about non-compliance. Records may include documents such as:

  • the organisation's Privacy Shield privacy policy;
  • any relevant internal policies and procedures;
  • any relevant third party contracts or contract addendums;
  • employee training materials relevant to privacy or security;
  • findings of any privacy or security audit or related gap analysis report; and
  • the organisation's signed verification form.

Additionally, if an organisation leaves the Privacy Shield but retains information received under the Privacy Shield, it must annually certify its commitment to apply the Principles to such information, or provide 'adequate' protection for the information by another authorised means.

8. DATA SUBJECT RIGHTS

Right of Access

Under the Privacy Shield, data subjects have the right to:

  • obtain from an organisation confirmation of whether or not the organisation is processing personal data relating to them;
  • have communicated to them such data so that they can verify its accuracy and the lawfulness of the processing; and
  • have the data corrected, amended, or deleted, where it is inaccurate or processed in violation of the Principles.

Organisations must make good faith efforts to provide access. If access is to be restricted in any particular instance (e.g., certain information needs to be protected from disclosure and can be redacted), the organisation should provide the individual with an explanation of why it made that determination, and a contact point for further inquiries. The right to access may be restricted only in limited, exceptional circumstances. Organisations may charge a fee that is not excessive, e.g., if the request is manifestly excessive due to its repetitive character.

Right to limit the use and disclosure of personal data

Organisations must offer data subjects the opportunity to choose whether personal data about them is to be disclosed to a third party or to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorised by the data subject (i.e., opt out). However, the provision of choice is not necessary if disclosure is made to an agent performing tasks on behalf of and under the instruction of the organisation.

For sensitive information, organisations must obtain affirmative express (i.e., opt in) consent from individuals if such information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised through the exercise of opt-in choice.

Independent recourse mechanism

Organisations must choose an independent recourse mechanism and register with the recourse mechanism provider, if required (see below). This is necessary to comply with the EU-US Privacy Shield's requirement to provide a third-party investigative body to address data subjects' unresolved complaints regarding the organisation's compliance with the Principles. The recourse mechanism must be provided at no cost to data subjects. Organisations have two options for satisfying this requirement:

  1. registering with a private-sector privacy program; or
  2. committing to cooperate and comply directly with the EU data protection authorities ('DPAs').

If the self-certification will cover HR data, then the organisation must agree to cooperate and comply with DPAs with respect to such data, i.e., it must choose option two in relation to such data. Organisations choosing option two are subject to an annual fee of $50 (there is no need to register with a DPA). For organisations that choose to register with a private sector privacy program, registration must be complete prior to submitting the EU-US Privacy Shield application. Private sector programs typically charge either annual fees, ranging from $300 to $7,000 per year (depending on the organisation's annual revenue), or a fee per dispute, ranging from $500 to $2,250 per dispute.

The Principles encourage data subjects to raise any complaints they have with the relevant organisation before proceeding to the organisation's independent recourse mechanisms, and organisations must respond to a consumer within 45 days of receiving a complaint.

9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION

Onward transfers

The Privacy Shield sets out certain requirements for the onward transfer of personal data to third parties. Meeting these requirements will require the organisation to review (and possibly update) its contracts with those third parties to include certain required provisions. The requirements differ according to whether the third party will be acting as a controller or an agent (the Privacy Shield's terminology for 'processor').

For transfers to third party controllers, organisations must:

  • give individuals notice and the opportunity to opt out, or, in case of sensitive data (see section 4.1.2. above), obtain their consent prior to the transfer; and
  • enter into a contract which provides that data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the third party will provide the same level of protection as the Principles, will notify the organisation if it makes a determination that it can no longer meet this obligation and, if so, cease processing or take other reasonable and appropriate remedial steps.

For transfers to third-party agents, organisations must:

  • transfer personal data only for limited and specified purposes;
  • ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
  • take reasonable and appropriate steps to ensure that the agent effectively processes the personal data in a manner consistent with the organisation's obligations under the Principles;
  • require the agent to notify the organisation if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and, if so, take reasonable and appropriate steps to stop and remediate unauthorised processing; and
  • provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

As described above, the requirements for onward transfers also apply to HR data, but exceptions may be made for occasional employment-related operational needs of the organisation that involve minimal transfers of personal data to third parties (such as booking a flight or hotel room for an employee).

10. VENDOR MANAGEMENT

As described above (section 9), when transferring personal data to a third-party agent (e.g., a vendor or other company processing personal data for or on behalf of the organisation), the organisation must take certain steps to ensure that the agent processes personal data in a manner consistent with the organisation's obligations under the Principles, enter into a written contract with the agent, and include certain information in that contract.

11. INCIDENT AND BREACH

The Principles do not require any specific steps in relation to security incidents or breaches. However, a security incident or breach may be evidence of the organisation's non-compliance with the Security Principle (i.e., the requirement that organisations take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction).

12. PRIVACY BY DESIGN

The Privacy Shield does not specifically require organisations to implement Privacy by Design ('PbD'). However, compliance with several of the Principles could be facilitated by a PbD approach.

13. ADDITIONAL REQUIREMENTS

In addition to taking steps outlined above, organisations must provide the following information in their application for Privacy Shield participation:

  • EU-US Privacy Shield contact: Name and contact information of the designated individual nominated to be an EU-US Privacy Shield point of contact for data subjects;
  • description of the organisation's data processing activities: A description of the organisation's data processing activities, a description of the types of personal data the self-certification covers, the purposes for which the personal data is processed, and the types of third parties with whom the organisation discloses personal data;
  • organisational entities included in the application: A list of all US entities (affiliates and subsidiaries) within the organisation's corporate group that are adhering to the Principles and are covered under the organisation's self-certification; and
  • annual revenue: The organisation's annual revenue (to calculate the annual fee; see section on fees directly below).

Fees

Organisations must pay the following fees, calculated by reference to the organisation's annual revenue:

  • Annual EU-US Privacy Shield Fee (paid upon submission of application); and
  • One-time EU-US Privacy Shield Arbitral Fund Fee for the Annex I Binding Arbitration Mechanism.

Annual Revenue of Organisation     | Annual EU-US Privacy Shield Fee | One-time EU-US Privacy Shield Arbitral Fund Fee
-----------------------------------|---------------------------------|-----------------------------------------------
$0 to $5 million                   | $250                            | $250
Over $5 million to $25 million     | $650                            | $500
Over $25 million to $500 million   | $1,000                          | $1,000
Over $500 million to $5 billion    | $2,500                          | $5,000
Over $5 billion                    | $3,250                          | $10,000

Concluding Remarks

Even though the Privacy Shield can no longer be relied upon for transferring personal data from the EEA, the UK, and Switzerland to the US, some organisations may find that participation still has some limited value.

For organisations that decide to undergo Privacy Shield self-certification, a thorough review of the requirements and a structured plan, including a timeline, for implementing these requirements, are essential first steps in the process. In addition, certified organisations will need to look to other mechanisms to transfer personal data from the EEA, the UK, and Switzerland to the US, such as model clauses and BCRs.
