There is no question that the GDPR has made its mark on business relations around the globe. EU regulators set out to create a standard for data privacy regulation, which they accomplished not only for the EU, but also for the world. The GDPR requires countries seeking seamless cross-border data transfers to have their own privacy regulations that meet the GDPR’s strict requirements, which has spurred a worldwide increase in privacy legislation over the last year.
Article 45 of the GDPR states, “A controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards.” Therefore, before an organization may transfer EU data subjects’ information to a country outside of the EU, this country’s privacy standards must be approved by the European Commission or binding corporate rules (BCRs) must be set up. BCRs are established between the organization and either the European Commission or an EU DPA. This post looks at the GDPR’s requirements for adequacy agreements, the steps countries must take to receive one, and what has become many organizations’ “Plan B”: binding corporate rules.
To continue business relations with the EU under the GDPR, many non-EU countries have sought adequacy agreements over the past few months. Adequacy agreements greatly reduce the regulatory burden on organizations that must transfer data internationally to conduct business. To be granted an adequacy agreement, these countries must pass their own privacy regulations that sufficiently match the requirements of the GDPR. Currently, the European Commission has recognized 11 countries or territories, including Argentina, Israel, New Zealand, and Japan, as providing adequate data protection.
To obtain an adequacy decision, a country must first evaluate whether its data protection framework meets the requirements established in Article 45 of the GDPR. There are two main factors the European Commission uses to determine whether a country has established an adequate level of protection:
After the Commission has determined that a country meets its adequacy standards, it will add that country to its “whitelist,” allowing for the unfettered cross-border transfer of data. Once this relationship has been established, the Commission has the authority to carry out a periodic review of the country’s adequacy agreement every four years, or simply whenever it deems necessary.
Binding corporate rules (BCRs) are a set of rules for data transfers established between multinational companies and EU governments. Under BCRs, an organization may transfer EU personal data abroad to its own facilities outside the EU. Organizations may construct their own BCRs as long as these rules align with the European Data Protection Board’s (EDPB) standards for data protection.
BCRs significantly aid organizations with facilities in countries that do not have an adequacy agreement with the EU. Currently, there are more than 100 large companies with established BCRs – 75% of which are U.S.-based organizations. BCRs are considered the best option for organizations that are GDPR-compliant but are not established within an EU-whitelisted country.
Data is the new gold for businesses, and adequacy agreements allow countries to trade this treasured technological resource. The number of countries seeking an adequacy agreement will continue to increase, with these countries issuing their own variations on the EU’s GDPR. For organizations in countries without an adequacy agreement, building privacy and security programs that align with the GDPR and taking the necessary steps to establish a BCR agreement should be a priority.