How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR), which went live on May 25, 2018? I recently had the opportunity to discuss this topic with Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert. Armstrong noted there have been some changes which may significantly impact this issue going forward.
First, a point many people miss: merely accessing data that sits on a server in the EU from outside the EU counts as a data transfer. The data does not have to move out of the EU; if you can reach it from the US, that is a transfer as well. A fairly typical corporate example is a payroll system for your employees whose data resides on a server in Belgium. If your Human Resources (HR) Department in the US can get into that server and extract data from it, that is a data transfer under GDPR.
There are basically four ways to effect such a transfer.
- Consent. The first method to safely and legally transfer data is through consent.
- Standard Contractual Clauses or Model Clauses. Armstrong noted he expects to see new form clauses at some point from EU data regulators. The standard contractual clauses in their current form are likely to face a number of legal challenges going forward, so they may well be less safe post-GDPR go-live than they were before.
- Privacy Shield. Armstrong sees Privacy Shield as increasingly at risk. One reason is that many Europeans do not believe the current US administration is respecting privacy as well as it might. Not that the Trump Administration is any friend of the EU (or of data privacy, for that matter), but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. Armstrong stated, “my gut feel would be the Privacy Shield will die. It is a question of when and not if on Privacy Shield. Certainly, it is in a worse position now than it was on May 25th.”
- Binding Corporate Rules. Armstrong believes this is the one data transfer mechanism which has benefited from GDPR go-live. Under this scenario, an organization can go to any one of the EU data regulators and ask it to act as lead regulator for a group of companies. The companies then put in place a system somewhat akin to Privacy Shield, including a series of commitments from all the entities which make up the corporate network. These commitments are made to each other. The lead regulator then reviews, assesses and approves the entire network’s data privacy/data protection commitments. Finally, the lead regulator goes to the other EU regulators to secure their support for the Binding Corporate Rules.
Armstrong concluded by cautioning that there is still much fluidity in the mechanisms for data transfer. There may yet be many changes, both from the regulatory perspective and from the legal perspective through court challenges. As he put it, “vigilance is the watch word here.”