What is an international data transfer?
An international data transfer generally refers to personal data that is processed by one party and then made available to another party in a different jurisdiction. "Processing" is defined broadly under most data privacy laws; the European Union's General Data Protection Regulation (GDPR), for example, covers collection, storage, retrieval, consultation, use and disclosure, so mere remote access to data counts as processing. A European company that uses a vendor to process employee data therefore makes a transfer as soon as a vendor employee located in another country can view the personal data, even if no copy of the data is sent abroad. In short, an international data transfer typically occurs whenever a third party processes or uses personal data from a country other than the one in which the data originated.
Data centers and international data transfers
Data centers face particular challenges because their status under data protection law depends on what they can do with the data. A provider that manages servers, storage or backups on behalf of clients is usually a processor; an infrastructure-only colocation provider that supplies space, power, cooling and physical security, and has no logical access to the information in the racks, may fall outside these laws altogether. The distinction matters because, where a comprehensive privacy law applies, the data center's clients are controllers of the personal data hosted there and are obliged to impose robust contractual and technical controls on their processors.
Consequently, many data centers must meet both the statutory obligations of privacy laws and the contractual obligations that controllers pass down for the data they process. Standardizing the transfer mechanism used with each client or controller, and understanding the legal and contractual requirements that come with it, lets a data center operate more efficiently and reduces its exposure to fines and other penalties.
Restrictions on international transfers
Most data privacy laws impose several restrictions on transferring data to third parties, depending on the third party's location and role. The GDPR's Article 28, for instance, requires specific contractual provisions between controllers and processors regardless of where the processor is located. In addition, when personal data subject to the GDPR is transferred from the European Economic Area (EEA) to a recipient in a third country, Chapter V of the GDPR requires a further safeguard, known as a "transfer mechanism", before the transfer is lawful. The available mechanisms vary by applicable law.
Transfer mechanisms
Transfer mechanisms are legal tools or frameworks that enable the lawful transfer of personal data across borders. Common mechanisms include:
- Adequacy decisions
- International frameworks, such as the EU-US Data Privacy Framework
- Consent
- Appropriate safeguards and standard contractual clauses
- Binding corporate rules
Below are details on some of the most widely used mechanisms.
Adequacy decisions
Under certain laws, a competent authority (the European Commission, in the case of the GDPR) may declare another jurisdiction "adequate", meaning the recipient country's data protection standards are considered essentially equivalent to those of the originating country. When such a decision is in place, personal data can generally flow to that country without an additional transfer mechanism. For example, the European Commission has recognized Argentina, Canada (for commercial organizations subject to its federal privacy law) and Japan, among others, as providing adequate protection. Adequacy decisions are reviewed periodically and can be amended or repealed, and other requirements, such as Article 28 contractual obligations, continue to apply.
EU–US Data Privacy Framework
Adequacy decisions have proved fragile for transfers to the United States. Transfers were first covered by the Safe Harbor framework, which the Court of Justice of the European Union (CJEU) invalidated in 2015, and then by the EU–US Privacy Shield, adopted in 2016. Both were self-certification programs backed by a Commission adequacy decision that covered only organizations certified under the program, not the United States as a whole. In July 2020, in the Schrems II judgment, the CJEU invalidated the Privacy Shield decision, finding that U.S. surveillance laws did not give data subjects protection essentially equivalent to that in the EU, in particular because of the scope of government access and the lack of effective judicial redress.
Following this invalidation, the EU and the United States developed the Data Privacy Framework. This is a voluntary program in which entities self-certify with the U.S. Department of Commerce and commit to the framework's principles; EU organizations may then transfer personal data to a certified entity without any additional transfer mechanism. The European Commission issued an adequacy decision for the Data Privacy Framework in July 2023, but the decision applies only to transfers to organizations that have self-certified their compliance, so an exporter should verify the recipient's active status on the Department of Commerce's public participant list before relying on it.
While the Data Privacy Framework lets certified organizations receive EU data freely, the adequacy decision can be repealed by the European Commission and, as happened with Safe Harbor and the Privacy Shield, could be invalidated by the CJEU. If it fell away, organizations would need an alternative transfer mechanism, typically standard contractual clauses, to continue data transfers from the EU to the United States, so a prudent organization keeps such a fallback ready rather than relying on the framework alone.
Consent
Obtaining the data subject's consent is another mechanism for certain international data transfers. Consent must be obtained in accordance with applicable law, which typically requires it to be freely given, informed and specific. Under the GDPR it is a derogation under Article 49 that requires explicit consent given after the individual has been informed of the possible risks of the transfer, and it is intended for occasional transfers rather than routine processing. Problems arise when consent for the transfer is bundled with consent for other purposes, such as data collection or direct marketing, so organizations must keep the consent for international transfers clear and separate, and must be able to stop the transfer if consent is withdrawn. Some jurisdictions do not permit consent as a transfer mechanism at all, or attach conditions strict enough to make it impractical in many circumstances.
Appropriate safeguards
One of the most common mechanisms for transferring data internationally is the use of appropriate safeguards, usually implemented through a contract between the exporting and receiving entities. What counts as "appropriate" is defined by law and may be influenced by industry standards, the sensitivity of the data, and the size and market power of the organizations involved. Under Article 46 of the GDPR, appropriate safeguards include standard contractual clauses adopted by the European Commission, which set out key obligations such as subprocessor authorization, data subject rights, security measures and liability. Other laws take a similar approach: under Australia's Privacy Act 1988 (Australian Privacy Principle 8), an entity that discloses personal information to an overseas recipient must take reasonable steps, typically contractual, to ensure the recipient does not breach the Australian Privacy Principles, and generally remains accountable for the recipient's handling of the information.
Standard contractual clauses
As noted above, the GDPR permits standard contractual clauses (SCCs) as a transfer mechanism. The current EU SCCs, adopted by the European Commission in June 2021, are modular: separate modules cover controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers, and the parties select the module that matches their roles. The clauses are typically incorporated into a data protection agreement or addendum executed between the parties. Because the text of the SCCs cannot be altered, the parties often agree supplementary terms alongside them, such as enhanced security measures, additional restrictions on subprocessors and specific provisions on the use of AI. Since the Schrems II judgment, the exporter must also consider whether supplementary measures are needed to make the clauses effective in practice; a common technical measure, especially for hosting and backup arrangements, is strong encryption of the data in transit and at rest with the keys held only by the exporter, so that neither the importer nor the authorities in its country can read the data. Standard contractual clauses are gaining ground worldwide as data protection authorities, including Brazil's, adopt their own model clauses to standardize the processing and transfer of data.
Impact assessments
In some cases, the law requires the transferring party to assess the data protection and surveillance laws of the recipient country before transferring. Clause 14 of the EU standard contractual clauses requires the parties to carry out and document such a transfer impact assessment, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Section 17) requires a privacy impact assessment before personal information is communicated outside Quebec. These assessments typically consider the recipient country's data protection laws, the sensitivity and volume of the data, the likelihood and scope of government access, and the technical and organizational measures in place. The assessment should be kept on file and revisited when the law or the transfer changes, since a regulator may ask to see it.
Binding corporate rules
Binding corporate rules (BCRs) are binding internal policies adopted by a multinational group to allow intra-group transfers of personal data across borders. They are less common because they require prior approval from a data protection authority, for example under Article 47(1) of the GDPR, where the competent supervisory authority approves them through the consistency mechanism. The approval process is rigorous and lengthy and requires the organization to disclose extensive information about its data protection practices. As a result, BCRs are typically used by large corporations with numerous subsidiaries worldwide, and they cover only transfers within the group; transfers to outside vendors still need another mechanism.
Consequences and considerations
Violations of international data transfer requirements generally constitute a breach of the applicable data privacy law and may result in significant fines or other penalties, including orders to suspend the transfers. Under the GDPR, for example, infringements of the transfer provisions in Articles 44 to 49 fall in the highest fine tier of Article 83(5): up to 4% of the organization's total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. The largest GDPR fine issued as of 2023, €1.2 billion imposed on Meta by the Irish Data Protection Commission, concerned transfers of EU user data to the United States and was accompanied by an order to suspend those transfers.
Organizations that transfer data internationally should consider the following steps:
- Data mapping: Map all personal data transfers into and out of the organization, including transfers to affiliates, subsidiaries, customers, vendors and service providers, and record what data is transferred, to whom, where the recipient is located and whether remote access from another country is involved. This inventory is the foundation for every other compliance step.
- Understanding obligations: Once data flows are mapped, identify the legal obligations that apply to each transfer under relevant data privacy laws. Each jurisdiction may impose different requirements, so a thorough understanding is essential.
- Standardizing compliance: Identify common obligations across applicable laws and standardize compliance processes throughout the organization. For example, when onboarding a new service provider that involves international data transfers, ensure that all necessary compliance steps — such as executing a data protection agreement — are taken from the outset.
- Managing outliers and assessing risk: For transfers that do not fit the standard pattern, such as transfers to jurisdictions with unique data protection requirements, evaluate both the legal obligations and the consequences of noncompliance. Where the likelihood and impact of enforcement are low, an organization may decide that its standard compliance measures are sufficient; where they are high, financially or reputationally, it should identify and meet every specific local requirement. Document the decision either way.
By understanding and implementing the appropriate mechanisms and compliance measures, organizations can effectively manage the complexities of international data transfers and mitigate the risks associated with noncompliance.