Business as Usual? GDPR's Requirements on Personal Data Transfers Outside EU and Its Impact on EU-US Business

After much anticipation, the EU’s ambitious and comprehensive General Data Protection Regulation (GDPR) – which has been consistently presented by EU officials as the cornerstone of EU privacy and personal data protection – was adopted more than a year ago, on 27 April 2016.

The GDPR will replace the outdated Data Protection Directive 95/46/EC and will apply from 25 May 2018. This means that businesses and interested stakeholders were wisely allowed a transition period of two years in order to adapt to the new landscape, which imposes an array of obligations both on EU companies and on businesses based elsewhere – and, even more importantly, on transactions between them.

Transferring Data Outside of Europe: The Logistics Of A New Burden Of Proof

One of the rules that will probably have a severe impact on transnational business activities and radically transform how companies interact outside the EU/EEA is the prohibition of the transfer of personal data beyond the EU/EEA, unless the recipient country can prove that the level of data protection provided is adequate according to EU standards. Articles 45 to 49 of the Regulation describe the GDPR data transfer requirements in more detail: notable among them is the mechanism of Adequacy Decisions, which will undoubtedly play a significant role in securing continuity of business among companies based on either side of the Atlantic. According to this mechanism, it falls under the competencies of the European Commission to decide that a non-EU/EEA country, a sector within that country, or an international organization provides data protection that reaches the GDPR threshold.

This might happen in two ways: either by whitelisting foreign jurisdictions (at the moment, Andorra, Argentina, some provinces in Canada, Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay are part of this regime) or by virtue of the Privacy Shield Framework. The Framework allows U.S. organizations to self-certify to the U.S. Department of Commerce and then publicly commit to comply with the Framework’s data protection safeguards – a commitment that is enforceable under US law. This last option effectively means that, absent any potential for a blanket whitelisting of the US in the foreseeable future, US-based companies need to invest the time and resources to proactively self-certify with the Framework in order to continue their operations with regard to EU citizens.

Financial Implications: The Impact On EU-US Trade And The Risk Of Heavy Fines

Yet this burden of proof is not the only burden with costly financial implications that US-based enterprises have to bear. According to article 83 of the GDPR, companies are subject to fines as high as $11 million or 2% of their global annual turnover from the previous year (whichever is greater) for failure to adhere to technical and organizational requirements, or approximately $22 million or 4% of their global annual turnover from the previous year if they fail to comply with the core principles of data processing, infringe personal rights, or fail to comply with the requirements on the transfer of personal data to third parties.

Furthermore, the underlying trade relationship is sure to suffer a blow. It’s no secret that business and trade between the EU and the USA is booming. According to Eurostat, the official EU statistics authority, in 2013 the EU-28 positioned itself at the forefront of exports globally, reaching the amount of €1,736.6 billion, while the United States followed closely at €1,188.2 billion. The lion’s share of these transactions is with each other; the same sources at Eurostat confirm that the EU and USA are each other’s main trading partners and enjoy the largest bilateral trade relationship in the world, while they are each other's most important sources of foreign direct investment.

In light of the GDPR, however, operations that require data transfers outside the EU and handling of data by US-based business partners will be significantly impeded unless businesses move quickly and proactively to secure appropriate safeguards. The deadline of May 2018 is closer than it might seem.
