If your business is located in one of the countries affected by GDPR, the likelihood is you will have to make changes to your privacy and security practices if you collect, process, share or store the personal information of EU data subjects. The same changes have to be made if your business is located outside the EU, and if it is located in a country that is not considered to have adequate data protection laws, you might not be allowed to migrate the data out of the EU at all.
Understandably, there are a number of misconceptions when it comes to discussing the countries affected by GDPR. Some individuals believe the General Data Protection Regulation applies only to businesses physically located in the European Union; others understand that the personal information of an EU "data subject" can be collected remotely in the cloud, but do not appreciate that they may not be able to migrate the data out of the EU in order to process it.
Another misconception is that every member state of the EU applies GDPR uniformly. Although this was the intention of the European Commission when the Regulation was first proposed in 2012, the final text contains a number of "opening clauses" that let member states legislate their own rules in certain areas, and many have introduced legislation that deviates from the Regulation itself. Even though many of the deviations are relatively minor, businesses in countries affected by GDPR need to be aware of them in order to avoid being penalized by the member state's Data Protection Authority.
EU Countries Affected by GDPR
The best way to address some of the false impressions is by first listing the EU countries affected by GDPR. It is important to note the term "EU data subjects" does not mean EU citizens or EU residents. For the purposes of GDPR, an EU data subject is best understood as any individual whose personal information is collected while they are physically within one of the EU countries affected by GDPR, regardless of their nationality or place of residence.
For example, if an American tourist visiting Paris enters their personal information on a French website, the data is covered by GDPR. Conversely, if a British tourist visiting Florida enters their personal information on an American website, the data is not covered by GDPR unless it is subsequently processed or stored within the EU (including in an EU cloud region) or shared with an EU-registered business.
EU Countries Affected by GDPR
Austria
Estonia
Italy
Portugal
Belgium
Finland
Latvia
Romania
Bulgaria
France
Lithuania
Slovakia
Croatia
Germany
Luxembourg
Slovenia
Rep. of Cyprus
Greece
Malta
Spain
Czech Republic
Hungary
Netherlands
Sweden
Denmark
Ireland
Poland
United Kingdom
With regard to the United Kingdom's forthcoming departure from the European Union, the General Data Protection Regulation is to be retained as domestic law under Clause 3 of the UK's European Union (Withdrawal) Bill. A new Data Protection Bill with measures similar to GDPR is currently being discussed in order to achieve an "adequacy" rating from the European Commission that will enable the UK to import data from and export data to the EU.
Regional Deviations from the General Data Protection Regulation
It was mentioned above that many EU countries affected by GDPR have introduced legislation that deviates from the text of the final Regulation. In most cases, the deviations relate to the age of consent for children. GDPR states that when "information society services" (e.g. social media) are offered directly to a child under the age of sixteen, consent to collect and process the child's data must be obtained from the holder of parental responsibility. The Regulation permits member states to set a lower age, provided it is not below thirteen, and many have chosen thirteen.
More significant deviations occur in Germany, where the Federal Data Protection Act 2017 stipulates that employers must obtain the freely given consent of their employees before processing employee data, introduces restrictions on the rights of individuals to access their personal information, and removes the requirement for consent when data is collected for the purposes of social security, healthcare, employment and certain other public interests.
Businesses with operations in Hungary, Ireland, Luxembourg, Slovakia, Spain and Sweden are advised to review each member state's data protection regulations, while eleven of the twenty-eight EU member states (including Belgium, Italy and Portugal) had yet to introduce bills updating their current data protection laws as of May 2018. It is also recommended that businesses periodically review the GDPR guidelines issued by the Article 29 Working Party, whose role passed to the European Data Protection Board when GDPR took effect on 25 May 2018.
GDPR Adequacy and Exceptions to the Adequacy Standard
The General Data Protection Regulation places restrictions on the migration of personal data outside the European Economic Area (EEA). The EEA consists of the twenty-eight EU countries affected by GDPR plus Iceland, Liechtenstein, and Norway. Jurisdictions outside the EEA have to be recognised by the European Commission, through an "adequacy decision", as providing a level of data protection essentially equivalent to that of GDPR. As of May 2018, only twelve jurisdictions had met the standard of GDPR adequacy, some of them with conditions attached. The twelve jurisdictions are:
Jurisdictions that have Met the Standards of GDPR Adequacy (May 2018)
Andorra
Faroe Islands
Isle of Man
Switzerland
Argentina
Guernsey
Jersey
United States (*)
Canada
Israel
New Zealand
Uruguay
(*) Applies only to U.S. businesses certified under the EU-US Privacy Shield Framework.
Although this implies that businesses in countries outside the EEA that have not met the standard of GDPR adequacy will be unable to import and export the personal information of EU data subjects, there are exceptions to this prohibition. A transfer of data, or a set of transfers, may be made where the transfer is:
- Made with the individual's explicit, informed consent, given after they have been told of the risks of the transfer (does not apply to public authorities exercising their public powers)
- Necessary for the performance of a contract between the individual and a business
- Necessary for reasons of public interest, or to establish, exercise or defend legal claims
- Necessary to protect the data subject's vital interests where they are incapable of giving consent
- Made from a register which, under EU law, is intended to provide information to the public
These exceptions are subject to regional deviations from the General Data Protection Regulation, and it may be necessary for the controller making the transfer to inform the relevant supervisory authority, usually the Data Protection Authority of the member state in which the data was collected. A further exception exists for one-off or infrequent transfers concerning one or relatively few individuals, subject to the following conditions:
- The data transfer is not being made by a public authority in the exercise of its powers
- The data transfer is necessary for legitimate and compelling interests of the business
- Suitable safeguards are in place to protect the data (in transit and at rest), and the data subject has been informed of the transfer
- Similar transfers are not made on a regular basis
These exceptions do not help businesses that operate in the cloud and archive data in jurisdictions (regions and availability zones) that have not met the standard of GDPR adequacy. Such transfers can instead be made under the "appropriate safeguards" of Article 46, most commonly standard contractual clauses approved by the European Commission or binding corporate rules, but either way the business has to know where its data is. In order to be GDPR-compliant, businesses with a presence in the cloud will have to conduct a comprehensive audit to determine where in the cloud data is processed and maintained (including backups, replicas and support access), and then either relocate the data to a jurisdiction that meets the EU's adequacy standard or put one of these safeguards in place.
More about the EU-US Privacy Shield Framework
The EU-US Privacy Shield Framework is a mechanism designed to provide for the lawful transfer of personal data between the European Union and the United States. It was adopted in 2016 after the Court of Justice of the European Union ruled, in its October 2015 Schrems judgment, that the previous Safe Harbour arrangement did not provide protection equivalent to EU standards. Consequently, a U.S. business that wants to receive personal data from the EU either has to join the EU-US Privacy Shield Framework and comply with the Framework's requirements or rely on one of the other transfer mechanisms GDPR provides. (Privacy Shield was itself invalidated by the same court in the Schrems II judgment of July 2020; its successor, the EU-US Data Privacy Framework, received an adequacy decision in July 2023.)
Businesses that do not join the Framework, subsequently withdraw from it, or fail to comply with the Privacy Shield Principles will be unable to receive data from the EU except where the exceptions mentioned above apply. As GDPR-covered entities in the EU are required to conduct due diligence on any business they share data with, most businesses in the U.S. that trade in Europe will be expected to join the EU-US Privacy Shield Framework.
These conditions apply not only to brick-and-mortar U.S. businesses, but also to those with publicly accessible websites, publicly accessible software applications and publicly available software services. Indeed, most businesses that operate in the cloud will be subject to GDPR unless they geo-block EU access to their websites, applications and software services and delete any personal information they hold relating to EU data subjects. In our opinion, compliance is the more realistic option of the two.