Some privacy laws include restrictions on transferring data to another country.
A common situation is that a company with offices in Europe shares data with a company in the US. How does the company sharing data deal with this?
Under the General Data Protection Regulation (GDPR), the default rule is that personal data cannot be transferred out of the EU/EEA unless a legal mechanism for the transfer is in place.
The GDPR provides several such mechanisms. The main ones are:
- The most important is what are called “Standard Contractual Clauses” (say “SCCs” to score a few points).
Companies put these contract terms - a set of clauses approved by the European Commission - into a contract between the entity exporting the data from Europe and the entity importing it in the US. Since the Schrems II ruling, the exporter is also expected to assess whether the law of the destination country undermines those clauses in practice before relying on them.
This is more interesting than it sounds. Here’s what the SCCs say: kidding, you can just go read them if you want to take a deep dive.
- Another legal mechanism is called an Adequacy Decision. This means the European Commission has decided that a particular country provides an adequate level of data protection - so data can be transferred there without any further mechanism.
Kind of like a visa waiver for that data!
- Binding Corporate Rules. These are internal rules adopted within a corporate group that set out safeguards for data - how it is going to be kept safe - and that have to be approved by a data protection regulator.
- Finally, there are a few exceptions to this, known as derogations (why are there always exceptions…?)
For example, for an occasional transfer, a company can rely on an individual’s explicit consent to the transfer of their data outside of Europe, provided the individual has been informed of the risks. As another example, a company may transfer personal data where it is necessary to establish, exercise or defend a legal claim.
A final note - a growing number of other countries are creating limitations on international data transfers. For example, China, Brazil, and Russia each have some restrictions on cross-border data transfer.