00:13
Adam Stofsky
So, Shannon, how does the moving of data between different countries work? Because, like, in Europe, you have the GDPR, and in the US you have, like, a hodgepodge of laws. In Brazil, you have another law. China. How do companies, many companies are global now, or at least international, how do you manage moving data around to different countries when there are all these different laws?
00:37
Shannon Yavorsky
Yeah, it's a really complex landscape. To your point, there are data protection laws that restrict or limit cross-border data transfer in many different jurisdictions, including China and Brazil. And I think most people hear about the GDPR's cross-border data transfer restrictions. I think I'll start with the GDPR and then talk a little bit about restrictions in other jurisdictions. So the GDPR, the default rule is that you cannot transfer personal data outside of Europe absent a legal mechanism. And I think a lot of people have trouble with just that core concept. Like, that is the default rule. So if you are going to transfer data outside of Europe, you have to look to one of these core transfer mechanisms. And there are, I think, four main ones, four main mechanisms that I'll talk about. The first is called an adequacy decision.
01:38
Shannon Yavorsky
So that is where you're permitted to transfer data to a country that the European Commission has deemed offers an adequate level of protection for personal data. And there are a number of different, under 20, but a number of different countries that the European Commission has said offer an adequate level of protection. There are countries like Guernsey, Jersey, the Isle of Man, Uruguay, Israel, Switzerland. And in the last couple of months, in 2023, in July, there is the EU-US Data Privacy Framework that was recently enacted, which allows, for the moment, companies in Europe to transfer data to companies in the US that have self-certified to this EU-US Data Privacy Framework. And that's an adequacy decision that the European Commission gave to companies that have self-certified to this framework.
02:39
Adam Stofsky
So wait, hang on. What does self-certified mean? Can I self-certify right now?
02:45
Shannon Yavorsky
So you have to go onto the Department of Commerce EU-US Data Privacy Framework website, and they set out all of the criteria that you need to meet in order to certify to the framework. And it's a number of different things. Essentially, things like you'll safeguard data, there is a redress mechanism in place, so it's all of the things that are articulated on the website. Obviously, you have to pay a fee, and then you'll be listed on the site. So it's pretty recent. So we're going to see how that plays out and whether companies are going to join the EU-US Data Privacy Framework. There are some questions as to its longevity, given that the two preceding frameworks were invalidated. So before the DPF, there was the Privacy Shield. It was invalidated. Before the Privacy Shield, there was Safe Harbor. Also invalidated.
03:45
Shannon Yavorsky
So there are hopes for the new framework. I just don't know how long it's going to last.
03:53
Adam Stofsky
Okay, so Shannon, that's adequacy decisions. What are some other rules around international data transfers? How else are you able to transfer data from country to country?
04:04
Shannon Yavorsky
So for Europe, there are three other main mechanisms. The second one is standard contractual clauses, which is a set of contract clauses that can't really be changed, that say things like, you, the person importing the data, will take steps to safeguard the data, for example, and it comes in four different flavors. There are four different modules. You have to pick the right one and then fill out the schedules appropriately, describe the data that's being processed, describe the security measures that are in place, for example, to keep the data safe. And that kind of standard contractual clauses are typically appended to a data processing agreement. So that's where that shows up. And I would say that most clients use the standard contractual clauses these days.
04:54
Shannon Yavorsky
It's probably the most common form of cross-border data transfer legal mechanism used for cross-border data transfer from Europe to the US. The third one is binding corporate rules, which is typically a set of intragroup data transfer terms that have been agreed for a company to transfer data within the company group, and they have to be approved by a regulator. So it's a bit of a longer process, it can be a little bit time-consuming, a little bit resource-intensive. So not so many companies have binding corporate rules, but it'd be incomplete not to mention them.
05:33
Adam Stofsky
So the standard contractual clauses are for one company moving data to another company, whereas the binding corporate... what are they called?
05:43
Shannon Yavorsky
Binding corporate rules.
05:45
Adam Stofsky
The binding corporate rules are if you are sort of multinational and you have to want to move data between offices within the company. Is that right?
05:53
Shannon Yavorsky
Yeah, that's right. That's a good way to think about it. Yeah, exactly.
05:57
Adam Stofsky
Okay, what's the fourth?
05:58
Shannon Yavorsky
So the fourth is, there are a couple of derogations that are set out, and these are situations that don't really fit within the standard contractual clauses or the BCRs or an adequacy decision. And there are things like where the individual has consented to the transfer of the data. And the thing about using one of the derogations is that the regulators have said that they should only be used where the transfer is necessary, and they really strictly interpret necessary. Like, it really has to be necessary, and it has to be for non-continuous transfers. So really, like, more one-off scenarios rather than this is going to be your solution for day-to-day data transfers. So those are the main mechanisms that I think warrant discussion in the context of transferring data from Europe to the US.
06:51
Adam Stofsky
Just to summarize, sorry, it's adequacy decisions, standard contractual clauses, binding corporate rules, and derogations.
06:58
Shannon Yavorsky
You got it. Yeah.
07:00
Adam Stofsky
Okay, sorry. Go on, outside of Europe.
07:02
Shannon Yavorsky
So moving outside of Europe, I think it's important to note that other jurisdictions have restrictions and limitations on cross-border data transfer. Like we talked about, China has their own standard contractual clauses, and Brazil has a set of rules as well in relation to cross-border data transfer. It's also important to note that some countries have data localization requirements. So not only do they say you can't transfer data outside of the country without a mechanism, they say you have to store data in this country, and you cannot transfer it out of the country. So that comes up in different contexts. Places like India have certain data localization requirements with respect to certain kinds of data. Russia does as well. So you need to be mindful of jurisdictions where those data localization requirements are in effect.
07:56
Adam Stofsky
Okay, great. Anything else to say about this, or does that cover the basics?
08:00
Shannon Yavorsky
I think those are the basics, Adam. I think that's, like, a good round, like a high-level overview of what you need to be thinking about in terms of cross-border data transfer. The pitfalls for most companies come with Europe. For multinationals, you really need to look at the countries in which you're operating and figure out whether you need to go to counsel in China or go to counsel in India and figure out what the rails are around how you can move data around. It's really important to find out where those bright lines are so that you don't get into trouble with the regulator.
08:33
Adam Stofsky
Great. All right, thanks so much.