An entire chapter in the General Data Protection Regulation (GDPR) is devoted to international transfers of personal data. But what exactly is an international transfer of personal data in the context of the Internet? Is that publication on the World Wide Web, sending an email abroad or data entry in a SaaS application? And what about routing and hacks?
Under the GDPR, personal data can, in principle, circulate freely within the European Union. However, the transfer of personal data to an international organisation or to a country outside the Union (a third country) is only permitted if strict requirements are met. The European legislator wanted to prevent that the legal protection that the GDPR aims to guarantee could be easily circumvented by moving data processing operations abroad.
Despite advice of the European Data Protection Supervisor (EDPS) to include a definition in the GDPR, one searches in vain for a definition of an ‘international transfer of personal data’ in the GDPR. In order to define the term, it is therefore necessary to look at case law and at opinions and guidelines of supervisors.
Suppose you place personal data on a freely accessible website that is hosted in the European Union. Anyone in the world can then access that personal data simply by typing in the URL and clicking enter. The server hosting the website will transmit the personal data to the computer that requests the website, regardless of where that computer is located. Is the act of publication an international transfer of personal data?
The Court of Justice of the European Union (hereinafter: the European Court) answered precisely that question in 2003 in the Lindqvist case. Mrs. Lindqvist had made some internet pages at home on her computer for the Swedish congregation of which she was a member. On those pages she had published personal data of herself and of some of her colleagues. After a complaint about this, the Swedish public prosecutor decided to prosecute Lindqvist for violating Swedish privacy rules, including the transfer of personal data to third countries without adequate permission. However, the European Court was of the opinion that uploading personal data on a generally accessible website cannot as such be regarded as a transfer of personal data, even if in principle that act makes the data accessible worldwide.
Sending an email containing personal data to a person or organisation outside the Union appears at first sight to be a clear example of a transfer of personal data to a third country. In practice, however, it is not so easy to apply this measure. A postal address is, by its very nature, linked to a physical location somewhere in the world. A telephone number has a fixed structure, preceded by an international access code (00 in the Netherlands) and a country code (31 for the Netherlands). An email address, on the other hand, provides much less information about the whereabouts of the user or the account’s hosting location.
An email address consists of a (self-chosen) username, the @ sign, a server or ISP name and the top-level domain. If the account has been assigned by a local ISP then you have some clue as to where the account is likely to be read and hosted. But when it comes to an account of a webmail service it is often not clear in advance where exactly you are sending the message. It is as yet unclear to what extent the sender is expected to investigate this.
Since the 10s, a lot of computing power and data processing has moved from local PCs to central servers of IT service providers. Previously this was not possible because browsers were not powerful enough and insufficient bandwidth was available for fast and reliable communication between client and server. There is little doubt that data transfers to and from the data centres operated by the likes of Microsoft, Google, Amazon and Tencent can qualify as international transfers of personal data. Due to Cloud computing, the importance of the rules on international transfers of personal data has therefore increased considerably.
If a company based in the Netherlands uses a Cloud service, then every time that company adds or changes personal data in those applications or virtual environments, there is a transfer of personal data to these service providers. The easiest solution to ensure that such transfers are allowed is to agree that the service provider will only store and process the data in data centres within the European Union.
However, data storage within the European Union is not always possible or even sufficient. For example, if a group uses a central HRM system hosted in the Union, then whenever a group company from outside the Union retrieves information from such a system, that would qualify as an international transfer of personal data. A group can bring these transfers in accordance with the GDPR by, for example, using binding corporate rules.
Data over the Internet is sent in packets. A packet contains a string of bits and bytes that are formatted in a specific format. An IP packet can contain about 65 KB of data. A longer message must therefore be cut into several packets, which are sent separately. Each of these packets travels through multiple networks, connected by gateways or routers, to their final destination. Once arrived, the packets are put in the correct order so that the original message can be delivered.
It is quite possible that if you send a message over the Internet from a Dutch server to, for example, a Portuguese server, this message – or some of its packets – will take a detour through third countries. For example, some packets could be routed through one of the Transatlantic cables to the United States, from there through local networks to Brazil and from Brazil via the Atlantis-2 cable to Portugal. Part of the message, including the personal data therein, then went through various non-EU countries. Has this been an international transfer of personal data?
According to the EDPS, this is not the case. The EDPS believes that the term ‘international transfer’ refers to intentionally or knowingly disclosing or making personal data available to a person in a third country. Because routing within and between networks does not involve knowingly disclosing data to persons in third countries, this does not fall under the concept of an international transfer, according to the supervisor.
Imagine your company network is hacked by Russian cyber criminals who steal sensitive customer data. Of course you are concerned about the consequences for your customers and the reputation of your company. Perhaps you are similarly concerned about a possible fine of the Dutch Data Protection Authority for not taking appropriate technical and organisational security measures. Would it also be necessary to worry about a fine for the unlawful transfer of personal data to a third country, namely Russia?
If it is up to the EDPS, the latter is certainly not necessary. Just like with routing of Internet traffic, in the case of hacking according to the EDPS, there is no deliberate transfer of personal data and therefore there is no transfer within the meaning of the GDPR.
Last but not least
So far, the European legislator has been reluctant to define the term ‘international transfer of personal data’. The reason for that will be obvious. It is not easy to formulate an unambiguous definition of this term. The European Court and the EDPS have already made the first steps. It would be good if the joint privacy supervisors, united in the European Data Protection Board (EDPB), now took the next step. This by drawing up guidelines for further delineation of this important concept in European privacy legislation.
Jeroen van Helden, attorney at law IT, IP & Privacy
This is a modified version of an article that appeared in the June/July 2020 edition of the AG Connect magazine.