The GDPR and Higher Education #4: International Data Transfers

We are concluding our series on the Impact of the European Union’s General Data Protection Regulation (“GDPR”) on Higher Education Institutions located in the United States. The first post frames the application of the GDPR to higher-education institutions; the second post focuses on the two key roles under the GDPR: data controllers and data processors; and the third post focuses on data processing and key rights under the GDPR. This final post in the series discusses the data transfer provisions under the GDPR, which are key to US-based institutions that intend to transfer data related to EU data subjects to the United States.

Data Transfers

For many US-based universities, their data will likely be transferred to a US location for data processing and storage. This is likely based on efficiency and network infrastructure designs implemented prior to developing EU locations and/or operations. By transferring data from the EU to the US, a university will trigger the GDPR’s requirements for transferring data to third countries under Articles 44 – 48.

The GDPR’s data transfer provisions apply to “any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation.” Art. 44. There are a variety of mechanisms to allow data transfers under the GDPR, including adequacy decisions (Art. 45), appropriate safeguards (Art. 46), and binding corporate rules (Art. 47). Each of these mechanisms requires the university to conduct an assessment as to which process is feasible and practical for the situation at issue, and to generate the proper documentation for the technique utilized. Different situations may call for different techniques, so continual analysis on the part of the university is required.

The GDPR also sets out derogations, or exceptions, from the GDPR prohibition on transferring personal data outside the EU without adequate protections. Art. 49. These seven derogations include, among others, consent by the data subject to the transfer and a transfer that is necessary for the performance of a contract between the data subject and the controller (harkening back to the lawfulness of processing). Key to using these derogations is, again, to fully document the analysis and use of the derogations, showing that the proper assessment has been completed and that the transfer complied with the GDPR.

EU-US Privacy Shield

A brief side note on the EU-US Privacy Shield, the framework designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.  The EU-US Privacy Shield is a voluntary certification that allows companies to benefit from the adequacy determinations made by the E.U. Commission. As such, companies that self-certify under the EU-US Privacy Shield could rely on Article 45 of the GDPR to transfer personal data from the EU to the US.

However, two key points to note.  First, the self-certification to the EU-US Privacy Shield does not translate into complete GDPR compliance.  The GDPR goes much further than the Privacy Shield in its requirements for data management.

Second, ongoing litigation in Ireland may call into question the EU-US Privacy Shield, and the transfer of data to the United States. In October 2017, the Irish High Court decided to refer questions to the Court of Justice of the European Union (“CJEU”) related to the EU Commission’s three decisions that enable transfers of EU personal data to controllers and processors outside the EU on the basis of standard contractual clauses. While the case pending in Ireland is not directly related to the EU-US Privacy Shield, it calls into question whether the US offers adequate protections to the EU data subjects’ personal data that is transferred to the US and, as such, could implicate the EU-US Privacy Shield. Stay tuned as this case continues to develop.

To conclude this series: US-based universities face huge exposure as a result of the extensive requirements of the GDPR. When it comes to the collection and processing of data, universities need to prioritize the GDPR and conduct GDPR Compliance Assessments to develop effective plans to address how they will ready themselves for the regulation. For more detailed analysis on this topic, please contact us today for a copy of our more detailed Whitepaper on the Impact of the GDPR on US-based Higher Education.

There are fewer than 100 days until the GDPR goes into effect. US-based universities do not want to wait until the EU turns its enforcement eye towards academia; with the GDPR, luck favors the prepared!

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.