Privacy
The Fundamentals of Cross-Border Data Transfers
February 27, 2024
If, as the saying goes, “data is the new oil”, then international data transfers are the pipelines and supertankers that ensure the global economy operates smoothly without interruption. Data transfers contribute to vital business operations: communicating with customers and understanding their preferences, identifying opportunities for innovation and new offerings, creating efficiencies in operations, and making sound strategic decisions. But data transfers can pose risk to organizations as well.
While the EU’s General Data Protection Regulation stands tallest among the many regulations that govern these international data flows, other national, international, and sectoral regulations, as well as courts’ interpretations of these regulations, play a critical role in determining which transfers of data are legal. International businesses must pay keen attention to this complex web of regulations to understand whether their business operations are legal and defensible, and must be able to demonstrate their compliance on demand.
What Is a Cross-Border Data Transfer?
At their most basic, data transfers involve sending data from one place to another, via the internet or other means, either between legal entities or between different parts of a single organization. For example, a data transfer within a single jurisdiction might consist of a data controller located in Paris emailing customer data to a service provider also located in Paris.
A cross-border data transfer is the transfer of personal data to another country or jurisdiction, for example, a data controller in Paris, France, sending data to corporate headquarters in the United States. Cross-border transfers raise valid concerns for both citizens and regulators based on:
- Where the personal data is going
- What happens to it while in transit
- What happens to it after arriving at its destination
Key Cross-Border Data Transfer Concepts
Personal data
Any data related to an identified or identifiable person, including name, birth date, gender, address, phone number, financial information, biometric information, etc.
Data controllers
The organization that holds data and has the ability to determine how, and the means by which, personal data is processed
Data processors
Also known as service providers, these entities process data on behalf of or under instructions from data controllers
Data processing
Any business activity performed on personal data, such as collecting, sorting, retrieving, consulting, disclosing, sharing, erasing, destroying, using for AI training, etc.
Adequacy of protection
Validation that any cross-border data processing meets the requirements (level of adequacy) set by the jurisdiction where the data originated, including data protection laws, respect for human rights, and the ability to get redress for privacy violations
Record of Processing Activity (RoPA)
Documentation that shows what actions a data controller or processor takes on data and confirms that it is compliant with applicable regulations, including the adequacy of protection