Let’s talk about this because this is an area that people get confused about.
1. If you are a startup in Texas, GDPR can apply to you
GDPR is a European regulation that sets out binding rules on data protection and privacy for “controllers” and “processors” of personal data. The EU found a need to deal with privacy issues in the wild west of data handling so they did something about it.
If you are a startup in Texas, GDPR can apply to you if you handle the personal data of people in the EU, offer them goods or services, or monitor their behaviour. If you are unsure whether GDPR applies to your Texas startup, read this article.
If you need a refresher on GDPR in general, then read this article.
2. Data transferring to/from Europe is restricted and you can only do it in three circumstances
GDPR restricts transfers of personal data outside of the European Economic Area (EEA) unless there are assurances that proper data protection is in place.
You can only transfer data outside of the EEA if one of the following applies: there’s been an adequacy decision by the EU Commission, there’s an appropriate safeguard, or there is a proper exception (GDPR calls these “derogations”). I’ll tell you what that means below.
i. The transfer is covered by an adequacy decision
One of the three ways you can transfer data outside of the EEA is if the transfer is covered by an adequacy decision.
This means that the EU Commission has decided that the country has an appropriate legal framework that protects individuals’ rights and freedoms (in other words—the data and privacy protections in that country are ‘adequate’). The Commission has given an adequacy decision for a few countries. Under an adequacy decision you can transfer data to the following places without any further safeguard:
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
You’ll note that the United States is not on that list. You might be surprised. We can go into why, but maybe we can have that discussion some other time. However, the EU Commission was nice enough to have partial findings of adequacy for Canada (commercial organizations only), Japan and the U.S. (see down below for transferring data between the EEA and U.S.)
ii. There’s an appropriate safeguard
You can transfer data outside of the EEA if there is an appropriate safeguard.
This means that even though there’s not an adequacy decision for the country regarding your data transfer, there are “appropriate safeguards” that individuals’ rights and freedoms will be protected. Here are the appropriate safeguards:
a. a legally binding and enforceable instrument between public authorities or bodies;
Don’t worry about this if you’re not dealing with a public authority.
b. binding corporate rules;
Binding corporate rules (BCR) are a set of internal rules within a multinational corporate group that set out how personal data is protected when it moves between group companies. BCR only cover transfers within the group, and they must be approved by the competent EEA supervisory authority.
c. standard data protection clauses (or model clauses) adopted by the Commission;
The Commission provides standard clauses for data protection that can be incorporated into a contract. If you and the recipient sign these clauses (unchanged), the data transfer can take place even outside of the EEA. This is the route most startups actually use.
d. an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
If there’s a code of conduct approved by a supervisory authority and the recipient has made a binding commitment to follow it, then the transfer can take place.
e. or an approved certification mechanism together with other binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
A transfer can be made if the recipient holds an approved certification and has made a binding commitment to apply the safeguards. The certification mechanisms have not been fully set up yet.
iii. there’s an exception
Even if there is no adequacy decision and there is no appropriate safeguard, you may still be able to transfer data outside of the EEA if one of the exceptions below applies. Here are the exceptions.
a. the data subject has explicitly consented to the proposed transfer;
Remember—don’t play games with consent. You must actually get explicit consent from the individual, not some bullshit form of consent, and you must first tell them about the risks of a transfer that has neither an adequacy decision nor appropriate safeguards.
b. the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual steps taken at the data subject’s request;
This exception can only be used for the occasional data transfer.
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
This exception can only be used for the occasional data transfer.
d. transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims;
This exception can only be used for the occasional transfer.
f. transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent;
g. transfer is made from a public register;
h. or there are compelling legitimate interests of the controller
This is for unique and special circumstances. Use this as a last resort: it only applies where none of the other routes is available, the transfer is not repetitive and concerns a limited number of data subjects, and you must inform both the supervisory authority and the data subjects about the transfer. For a broader discussion on compelling legitimate interests as a concept under GDPR see this article.
3. You can transfer data to the U.S. under the EU-US Privacy Shield framework
I mentioned above that the EU Commission made an adequacy determination about data transfers and certain countries. Only certain nations had adequate protections. The U.S. is partially adequate; the adequacy finding for the U.S. only covers transfers to organizations that participate in the EU-US Privacy Shield framework. (Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 in the Schrems II case; what follows describes the framework as it operated before that ruling.)
What is the Privacy Shield?
The EU-US Privacy Shield is a self-certification procedure that is overseen by the Department of Commerce.
A startup in Texas (or anywhere in the U.S.) must join the Privacy Shield in order to rely on the adequacy finding for its data transfers under GDPR. The organization can’t simply be in the U.S. and do data transfers. That’s not good enough. If the startup is in the U.S. it needs to be part of the Privacy Shield to be adequate for data transfers. One caveat: only organizations subject to the jurisdiction of the FTC or the Department of Transportation can join, so if you are outside their reach you need one of the other routes (for most startups that means the standard clauses).
4. How a startup can join the Privacy Shield Framework and how the Privacy Shield works
i. You have to self-certify
Joining the EU-US Privacy Shield is a self-certification process. There are certain requirements of the Privacy Shield and you must abide by the principles. Additionally, your startup must publicly disclose its privacy policy and actually implement the principles. The company will be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or other bodies to ensure compliance with the principles.
ii. Publicly state commitment to comply with the principles
The Privacy Shield gives a number of data protection principles that a startup must abide by in order to comply. Here are the principles:
a. Notice - must inform individuals about participation in the Privacy Shield, the types of data collected and the purposes, contact information, etc.
b. Choice - must offer individuals the opportunity to choose whether their personal information is to be disclosed to a third party or used for a materially different purpose
c. Accountability for onward transfer - startups must comply with the notice and choice principles to transfer personal information to a third party; startups must enter into a contract with the third party that requires the same level of data protection
d. Security - startups handling personal information must take reasonable and appropriate measures to protect the data from loss, misuse, and unauthorized access, disclosure, alteration and destruction
e. Data integrity and purpose limitation - personal information must be limited to the information that is relevant for the purposes of processing, and startups must take reasonable steps to keep it accurate, complete and current
f. Access - individuals must have access to the information about them that the startup holds, and be able to correct, amend or delete it where it is inaccurate or has been processed in violation of the principles
g. Recourse, enforcement, and liability - privacy protection must include mechanisms for assuring compliance with the principles, including an independent recourse mechanism for individuals’ complaints
There are also 16 supplemental principles. You can see them starting from here and they concern:
i. Sensitive data
ii. Journalistic exceptions
iii. Secondary liability
iv. Performing due diligence and conducting audits
v. The role of data protection authorities
vi. Self-certification
vii. Verification
viii. Access
ix. Human resources data
x. Obligatory contracts for onward transfers
xi. Dispute resolution and enforcement
xii. Choice - timing of opt-out
xiii. Travel information
xiv. Pharmaceutical and medical products
xv. Public record and publicly available information
xvi. Access requests by public authorities
iii. Pay the appropriate fees
Fees are based on the organization’s annual revenue. Here are the annual fees for certifying to a single framework (EU-US only):
Organization’s Annual Revenue: Single Framework fee
$0 to $5 million: $250
Over $5 million to $25 million: $650
Over $25 million to $500 million: $1,000
Over $500 million to $5 billion: $2,500
Over $5 billion: $3,250
In short, join the Privacy Shield framework if you are a startup in the U.S. and you want to transfer data out of Europe. For more information on the Privacy Shield see this site: https://www.privacyshield.gov/welcome Email me or let’s get some coffee if you have any questions.