Technology has transformed our world into a global village. Our shopping carts, communication, information sharing, and even manufacturing now transcend borders, and at speeds we have never seen before. Information flows seamlessly, and all types of data are routinely transferred from one country to another. Managing data has become an industry of its own, as businesses, governments, and other institutions all battle to store and protect the mountains of information they send and receive on a daily basis.
The global nature of data sharing has brought with it a host of complex regulatory challenges. Consumer rights watchdogs continuously lobby to ensure that organizations are mandated to use personal information ethically, particularly as this data has been misused in the past. For example, the British consulting firm Cambridge Analytica was found to have used the private data of Facebook users without their consent or knowledge to build personality profiles of voters to sell to American politicians in the lead-up to the 2016 presidential election. Facebook was ultimately fined $725 million, and Cambridge Analytica went out of business.
In the wake of that and many other examples of the misuse of personal data, most countries and industries implemented data protection laws and regulations. The European Union (EU), for example, implemented the General Data Protection Regulation (GDPR) in 2018 which controls the capture, storage, and exchange of the personal information of EU citizens.
This highly complex regulatory landscape has led to potential conflicts when data crosses national boundaries. For instance, a country with stringent data protection laws, such as an EU member state, might question the legitimacy of data transfers to countries with more lenient regulations, raising concerns about data privacy and security.
In this blog, we are going to look at some recently proposed changes to the GDPR in relation to cross-border transfers. Keep reading to find out more about these changes and the implications for your business.
GDPR’s Role in Cross-Border Data Transfers
The GDPR recognizes that personal data should not only be protected within the borders of the EU but also when it is transferred outside of its borders. As such, it sets stringent requirements in order to make sure that any data going to another country would get the same protection, and citizens the same rights, as if the data remained in the EU.
Before an organization can lawfully transfer personal information across its borders, it must prove that it has established a lawful basis to do so. The GDPR provides several lawful bases for cross-border transfers, such as to fulfill a contract, comply with legal obligations, or protect vital business or public interests.
Companies also have to establish that the country receiving the data provides similar levels of protection as the EU. The European Commission maintains a list of countries considered to provide an adequate level of protection, and if the recipient country is not on this list, a Data Protection Authority (DPA) must be consulted.
Data Protection Authorities
Each EU member state has a DPA whose role it is to monitor and enforce data protection laws within their respective jurisdictions. When it comes to cross-border transfers of personal data, DPAs have a significant role in overseeing and regulating these transfers to ensure that data subjects’ rights are protected, regardless of where the data is being transferred. Here’s how DPAs work for cross-border transfers:
- DPAs assist the European Commission in deciding whether recipient countries have adequate data protection mechanisms.
- DPAs investigate complaints from the public and liaise with other relevant DPAs if the transfer involves multiple jurisdictions.
- DPAs have the authority to investigate and sanction organizations that violate GDPR regulations. This includes imposing fines for non-compliance, which can be substantial. For example, the Irish Data Protection Commission (DPA) recently fined Meta, Facebook’s parent company, a record 1.2 billion euros ($1.3 billion) over their transfer of EU user data to the U.S.
- DPAs provide guidance and support to organizations to help them understand and navigate the complex landscape of cross-border transfers. They offer information on the legal requirements and best practices for ensuring compliance.
- DPAs collaborate with their counterparts in non-EEA countries to facilitate cross-border enforcement and information exchange. This helps address challenges that arise when data crosses international borders.
The One-Stop Shop System
While the GDPR is an effective framework for the protection of personal information, the mechanisms through which it operates can become too complex to be effective. This is particularly true when organizations have to deal with multiple DPAs who don’t always agree with each other.
In order to combat this, the EU implemented a “one-stop shop” system to streamline and simplify the DPA system. Each organization that operates in more than one EU member state designates one DPA as its lead authority. This lead authority serves as the primary point of contact for regulatory matters concerning that organization and it is responsible for coordinating with any other relevant DPAs when needed.
The one-stop shop system did make it easier for organizations, but there were still lots of inconsistencies and problems that arose from this complex enforcement web. This was particularly true for cross-border cases when it was often not immediately clear which DPA had jurisdiction as the lead authority. The system also did not effectively address data protection concerns arising from international data transfers or interactions with countries that lack GDPR-equivalent regulations.
More generally, different DPAs also had varying approaches to enforcement and interpretation, which led to discrepancies in regulatory outcomes. The effectiveness of the system was also largely dependent on the willingness of the different DPAs to work together. This was not always forthcoming, and it created obstacles and delays in the system.
Given these concerns, the EU has now proposed changes to some of the processes laid out in the GDPR.
The Proposed Changes
The proposed changes announced by the GDPR Procedural Regulation on July 4, 2023 do not change the substance of any of the rules or regulations set out in the GDPR, but rather aim to establish clearer guidelines around the “one-stop shop” mechanism in order to expedite the lawful cross-border transfer of data.
The proposal introduces a series of additional measures aimed at fostering early consensus between DPAs. They are also designed to identify any potential conflicts that might exist early on in the process and to mitigate them as quickly as possible.
In terms of the new guidelines, in the initial stages of an investigation, the lead DPA is required to present a concise ‘summary of key issues’ to other relevant DPAs within the EU. This summary must identify the primary focus points under investigation and establish the lead DPA’s standpoint on the case. This approach ensures that all pertinent DPAs have the necessary information and can contribute their insights promptly.
Should a DPA disagree with the lead DPA’s assessment, they can ask for a joint operation or mutual assistance mechanism. Should the DPAs still disagree, the proposal empowers the European Data Protection Board (EDPB) to arbitrate the issue early in the process.
With regards to cross-border transfer issues, the regulations aim to enhance co-operation and the quick resolution of problems for all stakeholders:
- Complainants: The regulations aim to make the process more consistent for a complaint that spans multiple countries by removing the current challenges that arise when different DPAs follow their own separate rules. They also aim to ensure that complainants are represented in the process by setting out clear rules to ensure they have a proper say in the process. The changes also allow complainants to have the right to present their side of the case when their matter is fully or partly rejected.
- Parties under investigation: The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB, and clarifies the content of the administrative file and the parties' rights of access to the file.
- DPAs: As mentioned earlier, DPAs will be required to give their views on an investigation early in the process and will have access to mechanisms to help them resolve disputes. The new resolution also provides common deadlines for cross-border cooperation and dispute resolution. All of this will strengthen DPAs’ influence over cross-border cases and empower them to build consensus quickly.
It’s All Good News
The proposed changes, which are due to come into effect following their publication in the Official Journal of the European Union, do not add any undue burden onto organizations that need to transfer personal data across borders. The largely procedural changes are designed instead to make it easier for companies to navigate the complex GDPR landscape, speed up any conflict resolution that is needed, and reduce obstacles to the lawful exchange of personal information.
When it comes to managing the transfer of electronic communications data globally, LeapXpert has all the safeguards already in place. LeapXpert gives businesses a comprehensive view and full visibility of employee-customer communication without capturing employees’ private and personal messages.
With enhanced modules including Information Barriers/Ethical Walls and Data Leakage Prevention (DLP), enterprises are now able to manage business communication – messages, documents, images, or videos sent to customers, keeping everyone safe, professional, and in compliance. Book your demo now.