Much has been written about the Brussels effect and how the EU is a regulatory superpower. This article is about a different aspect of European data protection law and geography: the countries in which Europeans' personal data can lawfully be processed by default.
Introduction
Once data has been collected in our globalised world, there is a temptation to transfer it between data centres or offices according to the organisation's priorities. If we stop for a moment and move away from our own corporate mindsets, there is also a need to be aware of geopolitics or even realpolitik. Not all states have the same regard for privacy and data protection as Europe. Europe, and specifically the EU, is beginning to defend its own interests. One of these interests is in protecting data subjects' rights even if their data is in a third country. This interest explains Chapter 5 of the GDPR and leads to the limited circumstances under which international personal data transfers can occur.
The problem
In brief, the default is that transfers of data to third countries are unlawful. However, EU data protection law can override that default setting in the case of three distinct groups of countries: EU Member States, EEA EFTA states and adequacy countries.
EU Member states
There are currently 28 member states of the European Union. The GDPR applies automatically in these countries and they each have a vote on the European Data Protection Board (EDPB). Personal data can be transferred freely between these countries as they have the same high standard of data protection. In the summer of 2019, as this article is being written, the shadow of Brexit hangs over the EU and especially Ireland. If the United Kingdom leaves the European Union, the assumption that personal data transfers to the UK are lawful falls away.
The complete list of member countries is: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
EEA EFTA states
This group can be a little bit difficult to understand, but it is really an integral part of the European data protection structure. The European Free Trade Association (EFTA) is the intergovernmental organisation of Iceland, Liechtenstein, Norway and Switzerland. EFTA has negotiated with the EU to create the European Economic Area (EEA). The EEA unites the EU Member States and the three EEA EFTA States (Iceland, Liechtenstein, and Norway) into an Internal Market governed by the same basic rules. These rules aim to enable goods, services, capital, and persons to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms. Note: Switzerland-EU relations are governed by a series of bilateral agreements, and so Switzerland is not a member of this group.
The result of the structure is that the GDPR applies in Iceland, Liechtenstein, and Norway. Personal data can be transferred freely between these three countries as well as to and from other EU countries. The only difference is that, while these three countries attend EDPB meetings, they do not have a vote.
Adequacy countries
The third group of countries to which data can be transferred is those whose data protection laws are deemed adequate by the European Commission.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
Talks are ongoing with South Korea to include it in this list. You must remember that this mechanism is a European one, not a bilateral one. At least every four years, the Commission is required to revisit its adequacy decision, and the only court of appeal is the Court of Justice of the European Union (CJEU).
Everyone else
For the remaining (~160) countries that don't fall into one of these three camps, there is no automatic assumption that personal data can be transferred. This is not to say that data can never be transferred. As it says in Recital 101, “Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation.” But it is more difficult and requires the exporting organisation to actively take steps, and inevitably that will incur cost. For personal data transfers to these remaining countries there are a number of different routes which can be followed, but that is the subject of a different article.
Conclusion
There are a total of 44 countries where personal data can be automatically transferred. These 44 countries fall into three categories: EU countries, EEA EFTA countries and countries deemed adequate by the EU Commission. Countries can be added to or removed from each category. For the remaining countries, another mechanism must be found if personal data is to be transferred.
If you have any questions or comments about this, please contact us. We would love to hear from you!