
How do startups transfer data under GDPR? (Hint: join the Privacy Shield)

Let’s talk about this because this is an area that people get confused about.

1. If you are a startup in Texas GDPR can apply to you

GDPR is a European regulation that gives directives and guidelines on data protection and privacy for “controllers” and “processors” of personal data. The EU found a need to deal with privacy issues in the wild west of data handling so they did something about it.

If you are a startup in Texas, GDPR can be applicable to your startup if you are handling data of EU individuals, or targeting them, or taking a similar action. If you are unsure whether GDPR applies to your Texas startup, read this article.

If you need a refresher on GDPR in general, then read this article.

2. Data transferring to/from Europe is restricted and you can only do it in three circumstances

GDPR restricts transfers of personal data outside of the European Economic Area (EEA) unless there are assurances that proper data protection is in place.

You can only transfer data outside of the EEA if one of the following applies: there’s been an adequacy decision by the EU Commission, there’s an appropriate safeguard, or there is a proper exception. I’ll tell you what that means below.

i. The transfer is covered by an adequacy decision

One of the three ways you can transfer data outside of the EEA is if the transfer is covered by an adequacy decision.

This means that the EU Commission has found that these countries have an appropriate legal framework that protects individuals’ rights and freedoms (in other words—the data and privacy protections in that country are ‘adequate’). The Commission has given an adequacy decision for only a few countries. Under European rules you can only transfer data to/from the following places:

Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

You’ll note that the United States is not on that list. You might be surprised. We can go into why, but maybe we can have that discussion some other time. However, the EU Commission was nice enough to have partial findings of adequacy for Canada, Japan and the U.S. (see down below for transferring data between the EEA and U.S.)

ii. There’s an appropriate safeguard

You can transfer data outside of the EEA if there is an appropriate safeguard.

This means that even though there’s not an adequacy decision for the country regarding your data transfer, there are “appropriate safeguards” that individuals’ rights and freedoms will be protected. Here are the appropriate safeguards:

a. a legally binding and enforceable instrument between public authorities or bodies;

Don’t worry about this if you’re not dealing with a public authority.

b. binding corporate rules;

Binding corporate rules (BCR) are a set of rules within international (multinational) companies that sets out the procedure for data protection. BCR must be approved by an EEA supervisory authority.

c. standard data protection clauses (or model clauses) adopted by the Commission;

The Commission provides clauses for data protection that can be incorporated into a contract. If you and the receiver have these, the data transfer can take place even outside of the EEA.

d. an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;

If there’s a code of conduct approved by a supervisory authority and that code has been signed by the receiver, then the transfer can take place.

e. or an approved certification mechanism together with other binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

A transfer can be made if the receiver has a proper certification. This mechanism has not been fully set up yet.

iii. There’s an exception

Even if there is no adequacy decision and there is no appropriate safeguard, you may still be able to transfer data outside of the EEA if one of the exceptions applies. Here are the exceptions.

a. the data subject has explicitly consented to the proposed transfer;

Remember—don’t play games with consent. You must actually get consent from an individual, not some bullshit form of consent.

b. the transfer is necessary for the performance of a contract between the data subject;

This exception can only be used for the occasional data transfer.

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

This exception can only be used for the occasional data transfer.

d. transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

This exception can only be used for the occasional transfer.

f. transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent;

g. transfer is made from a public register;

h. or there are compelling legitimate interests.

This is for unique and special circumstances. Use this as a last resort. For a broader discussion on compelling legitimate interests as a concept under GDPR see this article.

3. You can transfer data to the U.S. under the EU-US Privacy Shield framework

I mentioned above that the EU Commission made an adequacy determination about data transfers and certain countries. Only certain nations had adequate protections. The U.S. is partially adequate; the adequacy finding for the U.S. is only for transfers covered by the EU-US Privacy Shield framework.

What is the Privacy Shield?

The EU-US Privacy Shield is a self-certification procedure that is overseen by the Department of Commerce.

A startup in Texas (or anywhere in the U.S.) must join the Privacy Shield in order to rely on the adequacy determination when transferring data under GDPR. The organization can’t simply be in the U.S. and do data transfers. That’s not good enough. If the startup is in the U.S. it needs to be part of the Privacy Shield to be adequate for data transfers.

4. How a startup can join the Privacy Shield Framework and how the Privacy Shield works

i. You have to apply to be certified

Joining the EU-US Privacy Shield is a self-certification process. There are certain requirements of the Privacy Shield and you must abide by the principles. Additionally, your startup must publicly disclose privacy policies and actually implement the principles. The company will be subject to investigatory and enforcement powers of the Federal Trade Commission (FTC) or other bodies to ensure compliance with the principles.

ii. Publicly state commitment to comply with the principles

The Privacy Shield sets out a number of data protection principles that a startup must abide by in order to properly comply. Here are the principles:

a. Notice - must inform individuals about participation in the Privacy Shield, contact information, etc.

b. Choice - must offer individuals the opportunity to choose whether their personal information is to be disclosed to a third party or used for a materially different purpose

c. Accountability for onward transfer - startups must comply with the notice and choice principles to transfer personal information to a third party; startups must enter into a contract with the third party controller that respects proper data protection principles

d. Security - startups handling personal information must take steps to protect the data

e. Data integrity and purpose limitation - personal information must be limited to the information that is relevant for the purposes of processing.

f. Access - individuals must have access to the information about them that the startup holds and be able to have it amended.

g. Recourse, enforcement, and liability - privacy protection must include mechanisms for assuring compliance with the principles.

Supplemental principles

There are also 16 supplemental principles. You can see them starting from here and they concern:

i. Sensitive data

ii. Journalistic exceptions

iii. Secondary liability

iv. Performing due diligence and conducting audits

v. The role of Data Protection Authorities

vi. Access

vii. Self-certification

viii. Verification

ix. Human resources data

x. Obligatory contracts for onward transfers

xi. Dispute resolution and enforcement

xii. Choice - Timing of opt-out

xiii. Travel Information

xiv. Pharmaceutical and medical products

xv. Public record and publicly available information

xvi. Access requests by public authorities.

iii. Pay the appropriate fees

Fees are based on the size of the organization. Here are the fees.

Organization’s Annual Revenue          Single Framework
$0 to $5 million                       $250
Over $5 million to $25 million         $650
Over $25 million to $500 million       $1,000
Over $500 million to $5 billion        $2,500
Over $5 billion                        $3,250

5. Conclusion

In short, join the Privacy Shield framework if you are a startup in the U.S. and you want to transfer data out of Europe. For more information on the Privacy Shield see this site: https://www.privacyshield.gov/welcome. Email me or let’s get some coffee if you have any questions.

How do Texas startups comply with GDPR?

Even if your startup is in Houston or Dallas your startup may need to comply with GDPR under certain circumstances. Here’s what to do.

  1. Figure out if GDPR applies to your company

  2. Figure out which role you play under GDPR

    You’re a controller if you decide the purposes and means of processing. You’re a processor if you—wait for it—process personal data. Keep in mind that it is possible to be both a controller and a processor.

  3. Adopt GDPR principles

    You must abide by these principles under GDPR: that data is processed lawfully and fairly, that there’s a purpose limitation, that data is not excessively collected (minimization), that the data is accurate, that you respect storage limitation, and that processing is done confidentially and with integrity.

  4. Figure out the purpose and basis for processing

  5. Implement technical and organizational safeguards

    Your startup needs to be properly capable and beefed up to handle data and data processing.

  6. Make appointments under GDPR

    You may have to appoint a Data Protection Officer if you regularly process data or if you handle sensitive data; you may also need to appoint a representative in the EU (similar to a corporate registered agent for business filings, but for data protection purposes).

  7. Allow data subjects to exercise their rights

    Under GDPR data subjects have certain rights to their data. Make sure you allow them to exercise these rights. Remember that some rights will be unavailable depending on the basis used for processing.

  8. Make sure contracts, privacy policy, etc. are properly in place

    There are relationships you’ll need to tend to—between the data subject, controller, and processor. See here for what you need in those documents.

  9. Maintain good records

    Depending on the size of your organization you may need to keep good records of processing activities. It’s a smart idea to keep records regardless.

  10. Report if you have any breaches or if there are other issues

    You have a duty to report breaches and other issues under GDPR.

    Don’t relax immediately though. You may also have to report to individuals in different states as well.

  11. Review this article to make sure your understanding is well-rounded

    Remember—bits and pieces of information are largely useless. Make sure you have a good organized understanding of all of this. Read this article for an overview of GDPR.