7. February 2023
The essential role of data transfer
The free flow of data is essential to modern international trade. Any business that operates digital products and services on an international level will almost certainly depend on transferring data across borders, often including video data. Organizations may need to transfer data for myriad reasons, such as research and development, analysis, performing business functions, or sharing data with stakeholders.
Data transfers inside the EU / EEA
As things stand, the transfer of personal data within the EU/EEA is perfectly legal. All member states are bound by the same obligations under the GDPR and, therefore, afford the same level of protection to the personal data being transferred.
What about data transfers to non-EU/EEA countries?
International data transfers to non-EU countries play a major role in most developed economies. Taking Germany as a clear example, almost half of all the country’s companies exchange data with external service providers from non-EU countries. And in a recent survey from Germany’s digital association Bitkom, 12% of companies stated they would fall behind in the global competition for innovation if it were no longer possible to process personal data outside the EU.
An adequate level of data protection
Under Art. 45 of the GDPR, the EU Commission can decide whether or not a destination country or international organization provides an “adequate level of data protection” similar to that offered by the GDPR. Any data transfer covered by what is known as an ‘adequacy ruling’ requires no further protection.
Safe data transfer destinations
Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK (under the existing framework of the GDPR) and Uruguay all have adequacy rulings in place. That effectively means that transferring personal data to these countries is exactly the same as transferring data within the EU/EEA.
“The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.” – EU Commission
What about the USA?
As for the USA, the EU Commission has started negotiations to attain adequacy status, although this is unlikely to be resolved before 2024. If you’re interested, you can read the latest news on adequacy processes right here.
What if the destination country doesn’t have an adequacy ruling?
Without an adequacy ruling, the personal data being transferred must be either 1) fully anonymized so that it is no longer considered personal data or 2) underpinned by pre-approved Standard Contractual Clauses (SCCs), Technical and Organizational Measures (TOMs), and any other documentation required by the local jurisdiction to guarantee the data remains fully protected. Without either of these safeguards in place, the data transfer will in all likelihood constitute a violation of the GDPR.
In other words, without sufficient contractual safeguards, any entity transferring personal data from the EU/EEA to a non-adequate destination must anonymize that data before it is sent.
Understanding and navigating the compliance requirements under the GDPR as well as other international data protection regulations for cross-border personal data transfer is a fundamental necessity for all companies engaged in transferring data such as videos or photos.
It is important to understand all the requirements of the jurisdiction of the data controller and data processor to ensure that the privacy of individuals is protected at all times and that your company is not in violation of the law, which can lead to serious penalties.
If you’d like to learn more about the GDPR and how to transfer data in compliance with privacy laws around the world, check out this whitepaper for more information.