Data transfer outside EU
Personal data is part of a person’s private life. Because of technological development, this data can be collected and disclosed anywhere in the world. To protect this data, different sets of laws and regulations have been put in place in the European Union. An important issue that these laws and regulations address is the transfer of personal data. This is essential to make sure that personal data is protected worldwide.
In 1995, Directive 95/46/CE of the European Parliament and of the Council provided that personal data could not be transferred outside the European Union except when there were sufficient guarantees protecting personal data. However, certain tools have been suggested to provide sufficient guarantees for the transfer of data. One example of such a tool is the standard contractual clauses from the European Commission. These are types of clauses that allow a company to enter into personal data contracts with subcontractors or other partners. Another tool is Binding Corporate Rules (BCR), which allow the sharing of personal data within a holding company. Additionally, some countries have similar types of data protection measures, which give them the right to the same data sharing measures that are in place in the EU. In this case, data can be transferred without the use of a specific tool. The same is true in some exceptional cases, which were listed in the directive and, nowadays, in article 49 of the Data Protection Regulation.
The United States is a special case that deserves further emphasis. From the year 2000 until its invalidation from the European Commission in 2015, the Safe Harbor decision allowed American firms to transfer European personal data. Once a company is part of the Safe Harbor, it is said to sufficiently protect personal data. In 2016, the Privacy Shield replaced the Safe Harbor to facilitate the transfer of data to the United States.
In 2016, the General Data Protection Regulation (GDPR) was adopted. Since 25 May 2018, this regulation has applied to all controllers or subcontractors who are either in the European Union or who process personal data of residents of the European Union. This regulation also addresses personal data transfers outside the European Union. The principle concerning personal data transfers outside the European community (the legal entity of the European Commission has been transferred to the European Union since the Lisbon treaty of 2009) has changed. Henceforth, the possibility of transferring personal data is the principle. The tools of transfer discussed above are maintained; nevertheless, the protection level needs to adapt to the GDPR, which is more protective than pre-existing measures. The GDPR creates new tools such as the certification mechanism and codes of conduct as approved by the European Commission.