Data Transfers Outside of The EEA

Transcript of the video

So, personal data transfer, and again, we're just talking about personal data here, something that identifies a living individual, like a name or an address, or an email address. Typically here, in all of these videos and Facebook lives, I'm talking about email addresses and email marketing. As a general rule, transfers of personal data to countries outside of the EEA may take place if the countries are deemed to ensure an adequate level of data protection. So, the first thing to think about is where you have got the data being transferred, where are those companies located, which jurisdiction are they in, and then to check whether they have an adequate level of data protection.

The way that it works is the European Commission assesses each country's level of data protection through what's called adequacy findings, and once an adequacy of a country has been recognized, then personal data can be freely transferred into that country without any further protective measures. That makes sense, doesn't it? European Commission is all about protection of personal data, so if they can happily say that another EU jurisdiction has the same level of protection as we do, then they're going to be quite happy for data to flow between those countries.

If they don't, they're not going to be so happy. Okay. Now, let me see if this will stick to this while I just ... oh, it's not going to. I need to get a tripod for tomorrow I think. I'll dig that out. I've got a list of the countries that already have adequacy findings. Let me just find that for you. Okay, and it's not many, actually. It is Andorra, Argentina, Canada for an organization that subjects to Canada's PIPEDA law. To be honest, don't know much about that, so I'll check into that for you. Anybody who's got things in Canada, let me know, and I'll check into that. Switzerland, randomly the Faroe Islands, if anyone's transferring data to the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and again randomly, Uruguay.

That is the only list at the moment of adequate jurisdictions, okay? Now, obviously, the one we're mainly interested in is the U.S. now, you may have heard of what is called the U.S. EU Safe Harbor, and that existed for a while, but that is no longer deemed adequate, and it's effectively been replaced by the EU U.S. privacy shield. Actually, just before I go onto this, just with those lists of countries that have adequacy findings, those are subject to review every four years. So, it's something that we'll be keeping a watching brief on, and of course, I'm sure other countries will be added to those adequacy findings as we go on, but just be aware that just because they've been approved once as having an adequate level of protection doesn't mean that those countries will always have that level of protection.

But at the moment, it's those countries that I read out. I'll just read it again because I know that was quite quickly, and I'll actually pop the list of the countries in the comments below this Facebook live. So, it's Andora, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay is the list of adequate jurisdictions, and I say that might change, subject to review. Okay, so the U.S., the U.S. was one of the most heavily debated adequacy findings, as you might expect, and where it's ended up is this EU U.S. privacy shield that replaces what we knew as the safe harbor, and what happens with that is that U.S. companies get certified by a voluntary commitment to a set of data processing principles. So, they basically self-certify, but they are subject to supervision by the U.S. Federal Trade Commission.

Now, I've had a quick look into some of the more common software providers, and particularly email service providers, and ... can't find the thing now, and I'll post it in the group, but Aweber is certified, you'll be pleased to know, as is MailChimp; however, Infusionsoft ... now, did I print that out about Infusionsoft? I'll post all these links in the comments to this video, but as of certainly the latest article that I could find from Infusionsoft, it looked like they were trying to be able to self- certify, because obviously, they have to fulfill a list of criteria to be able to do that, but they weren't there yet.

It's obviously, happily, something they're conscious of, and that they are working towards, but as of this moment, as far as I can find out, Infusionsoft are not in that privacy shield. So, Aweber is. On October 25, 2016, there was a memo from Aweber to say it's pleased to announce it's received the official EU U.S. privacy shield certification. It was the first in its industry to achieve this accreditation, placing it among a limited group of companies that meet data protection requirements in sending data between the EU and the United States.

So, Aweber was, according to them, leading the way in being part of the EU U.S. privacy shield. So, what I would recommend that you do is, in the same way that I've done, I've just Googled Infusionsoft privacy shield, and an article came up about Infusionsoft's current status with the privacy shield. So, step number one is identify all of those third- party processes that are processing personal data for you, things like Infusionsoft, Aweber, MailChimp, all those things that you listed in your comments on my laptop, before it froze, but Google the name of that entity, privacy shield, EU U.S. privacy shield, and see what comes up, and share it in the group. That'd be really valuable for you to do that so that other people don't have to repeat that exercise.

Okay, now, if they are part of that EU U.S. privacy shield, then that's great. You can happily transfer to that entity without really any further concerns. The first step is to identify what third-party processing of personal data you're doing, identify whether that's outside of the EEA. If it is outside of the EEA, what jurisdiction is it in, and then check whether that jurisdiction has an adequacy finding, and again, I'll list the list of countries that have adequacy findings or are party to the things like the U.S. EU privacy shield.

If it is party to something like that, then typically with an adequacy finding, it's just blanket for that country, but the U.S. being a special case, you need to check on an individual basis whether an individual company is party to that privacy shield. I hope that will make sense. Okay, and please, if you do find out for the third-party processes that you're checking for your own purposes, if you can share that in the group, I'm sure that will be enormously helpful for the other people in the group.

Okay, so, I hope that makes sense. I'm going to say a little bit more about that because we're going to come onto another ground for transfer of data, but I just want to try and check questions before we move on from that, and it's still not showing up on my phone, so let me try and ... I'm going to leave that there. Hopefully, it won't drop off. I'm going to go onto my computer here and see if I can mute it so I don't get feedback. Okay.

Okay. So, I can see it here, and I can see that you actually are asking questions, it's just not showing up on my phone for some reason. So, let me have a quick scan down these comments. So, Rachel says if companies say that they are currently working to be GDPR compliant, does that mean they are working on joining the privacy shield? Possibly. I don't know what is the answer, but yeah, if they're in the U.S. and they say that they're working on being GDPR compliant, then that probably means that that's what they're doing. Yes.

Great news about Aweber. Can you comment on the accounting applications such as Zero and Quick Books? No, I can't, Noel. I don't know them on an individual basis. If you do, what I suggest, and Google EU U.S. privacy shield, and Zero, then hopefully that will give you some answers, and then if you could share that in the group, that would be super. Okay. Alright, so that's all the questions I can see for now, although there is a bit of a delay between me seeing them and you posting them, so I will keep checking on those, but the next thing I want to come on to say is that there are other basis for transferring data lawfully.

If you find that your third-party processor is not within an adequate country or it's not part of the EU U.S. privacy shield, then fear not. There are other ways to be able to do that. So, I'm going to tell you about that now. Okay, so as you might expect, and there are a number of other grounds on which you can transfer data. So, particularly, for example, I'm consulting with multinationals at the moment, and the way that they transfer data particularly intragroup, where you've got hundreds and hundreds of companies across every jurisdiction in the world, the way that they transfer that data adequately is through things called binding corporate rules, and there will be changes to the way that those work, but I'm not going to go into that on this Facebook live because I'm sure that nobody on this Facebook live is in the realms of binding corporate rules. So, we're keeping it simple and relevant for what you guys need.

The other main derogation, if you like, to the general rule that you can't transfer data outside of the EEA, unless there are appropriate safeguards in place, the main one that we're concerned about is the data subject has explicitly consented to the proposed transfer after having been duly informed of the possible risks. So, there are two elements there. There's explicit consent, and that they've been dually informed of the possible risks. Where did we get this consent?

Well, the obvious place, and in fact, the place ... actually, to be fair, not much has changed as far as you're concerned, or not much will change when GDPR comes in because at the moment, there is still a general prohibition on data transfers outside of the EEA, and one of the exemptions to that is if you do gain the consent of the individual, and where we've been doing that at the moment is in our privacy policies, and certainly, if you have one of my privacy policy templates through my legal academy, then you will have noticed hopefully, in there, there is a clause saying that we may transfer data outside of the EEA.

You acknowledge and consent that we're able to do that for you. Now, in the current privacy policy, which is compliant with current law, it doesn't go as far as what we'll need to say when GDPR comes into force. We're going to have to be a lot more detailed about exactly what transfers we're making outside of the EEA, and of course, put in that risk statement to make it clear to the individual what the risks are of that data transfer into a jurisdiction that the EU, who has basically decided who isn't safe enough for the transfer of their data, and people I think, as in consumers and business customers and business prospects, are going to be getting more switched on to data protection, whereas before, people wouldn't have even bothered reading your privacy policy, and if they had and they'd seen the bit about transferring data outside of the EEA, they really wouldn't have bothered either way. They would've just carried on and not asked any questions.

I think that we will see more individuals asking more questions of companies, so I think we need to be prepared for that, and we need to be assuring people that we are protecting their personal data. So, what does explicit consent mean? So, we did a whole Facebook live yesterday about the changes to consent, and it is now, from the 25th of May when GDPR comes into force, it will no longer be okay to just link to your privacy policy at the bottom of your website, or if you've got a signup form on your website, then sometimes there's a link to the privacy policy there, and in that privacy policy, there is a general statement that says we may transfer your data outside of the EEA. That's not going to be sufficient anymore, and of course, we haven't got exact guidance on how everything is going to work, and until we see things in practice, we are trying to think of best practice here, but what I expect will happen is that we will have much more tick boxes because we need that, as we discussed yesterday, we need that for the different types of processing.

So, for example, you want to send someone a newsletter, you have a tick box for that. You want to send somebody marketing  emails; you have a tick box for that. You want to transfer your data to third parties; you have a tick box for that. You want to transfer your data outside of the EEA; you need a tick box for that. So, I think that at the least, we're going to have to change it so that we have a tick box for consent, for exporting personal data outside of the EEA if it's not to a country that has an adequacy finding or it's to a company that's in the U.S. that isn't part of the EU U.S privacy shield.

Now, what does explicit consent in this sense mean? We talked yesterday about explicit consent in terms of processing sensitive data, and for that, I was ... well, actually, that was in the context of whether you need double opt-ins. That was in the video I did a day before, and what the latest working party guidance on that has been in terms of getting explicit consent for sensitive data processing was that a double Upton might be an appropriate way of getting explicit consent. The other example it gave, well there are few examples, but the other main example was to get a written statement. If you're getting, maybe it's a medical form or something like that, maybe you're a therapist and you need details of medical details about people, that's sensitive data.

You would get them to fill in the form, and there would be a privacy statement at the bottom of that form, and they would sign that, and that would be explicit consent. Whether explicit consent here means that you would get a double Upton for the data processing or not, I don't know. Actually, I'm going to double check the guidance on that, and that specific point, and I'll do another little video or I'll post it in the comments to this because I think we need to understand exactly what explicit consent is.

Two things then, in terms of practical steps for you, number one is do an audit all of the personal data that you are transferring outside of the EEA to things like MailChimp, Aweber, Infusionsoft, Dropbox, Zero, all of those things that we talked about before, and work out which jurisdiction they're based in, check whether there is an adequacy finding for that jurisdiction, and I'm going to post the list of countries that are adequate for terms of data protection below this live video. Check that. If they are adequate, and if the country as a whole is adequate, you're okay. If we're talking about the U.S., then check whether the actual company is certified by the EU U.S. privacy shield.

There is actually, allegedly, a searchable database for the EU U.S. privacy shield, but I tried it this morning and put in Aweber, and about 1,000 ... just fallen off again. About 1,000 entries came up when I searched for Aweber, which wasn't particularly helpful. So, what I suggest you do is just a good old-fashioned Google search of the name of the entity plus EU U.S. privacy shield, and I'm sure they will have something in their own literature confirming where they're up to on that. If they have it, I'm sure they'll be shouting about it. So, that's the second thing to check.

Then, if none of that applies, I've said that I've checked the Aweber and MailChimp are part of the EU U.S. privacy shield, so you don't need to do anything for those, but if it's not an adequate country, and if they don't fall in the EU U.S. privacy shield, then really, you're reliant on consent. There are other grounds for transferring data outside the EEA, but I think the most relevant one for you guys is going to be consent, and just to remind you again, you can only transfer it if the data subject has explicitly consented to the proposed transfer after having been duly informed of that fact and of the possible risks.

Now, you might be saying, what's the language I use to inform the data subjects of that transfer and of the risks? Happily, if you're in my small business legal academy, then in the updated privacy policy, there will be that wording and the suggested wording for a tick box. So, if you're not yet in my legal academy or you want to know details about the standalone GDPR pact that I'm putting together, I will let you know about that at a future date because it's not quite there yet because all the guidance keeps changing, and I keep adding documents to the list. So, I obviously want it to be as comprehensive as possible for you guys.

It is coming. I'm getting lots of questions from my legal academy people. When is it coming? It's coming. It's just a work in progress because the guidance keeps changing and because I keep adding more to it, but its coming. Okay, so let me just check whether there's any question on that. Let me just refresh this. Oh, crap. Oh, deary me. Right, I need to get a tripod rather than this little sticky thing, which isn't very sticky. Okay. I'm just checking the questions on my laptop. Mark's saying what about data connection services such as Zapier, which pass data to one tool to another? Yes, that's a very good question, Mark, and you have to look at the first transfer, which is from you to Zapier, and I think Zapier probably based in the states, aren't they?

You need to look, firstly, at what they are doing and whether they're party to the EU U.S. privacy shield, and then ... it's complex, and I don't want to go on too long in this video, but that's a really good point, so I think I'm going to do a separate video or live about onward transfer, but it's a really good point, but it's complex, so we'll give a whole new session for that. This is now not sticking at all, so I think definitely going to have to dig out the tripod from the attic and fix that. Okay, so thanks Emma for posting the link to the active campaign.

It looks like they are within the privacy shield from your link. I will say post the searchable database for the EU U.S. privacy shield, but as I say, I couldn't really get it to work when I searched for Aweber. Did a quick Google search for Aweber and saw that they were part of it, so it might be quicker for you to do a Google search. I can't see any more questions there. If there are and I've not seen them, forgive me. I'll pick them up when I come off this Facebook live and go through the comments on the recorded version. Let me just have a quick final check. Nope.

It's a bit funny though because questions that I know have been asked have disappeared, which is worrying, but I'll go through those comments after I finish this Facebook live and reply to any that I haven't seen. So, that is it. For those of you who've joined late, the upshot, if I can summarize it in two minutes is certain countries are deemed to be adequate for the purposes of data transfers outside of the EEA. I will post a list of those countries in the comments to this video. If you're transferring personal data to companies in those countries, you're okay because the European Commission has deemed that they have adequate levels of protection for personal data.

If you're not transferring to those countries and it's the U.S., then we need to investigate the EU U.S. privacy shield, and I'm going to post in the comments to this video a searchable database to see which companies within the U.S. are in there, as to say it wasn't the most reliable when I tried it this morning, so it might be easier just to do a Google search with the name of the company and EU U.S. privacy shield. If you find the answer to whether they are or not, please post in the group. It'd be really helpful for other members. Now, if you don't have an adequacy finding, it's not an adequate country or it's not part of the EU U.S. privacy shield, then you're really down to consent, and it needs to be explicit consent, and it needs to tell the data subject the risks of that transfer outside of the EEA.

The appropriate place for that is in your privacy policy. You, more than likely will need a specific tick box for that specific consent to transferring data outside of the EEA at the point that you are collecting the data, or if once you've collected the data, something happens and you then transfer outside of the EEA, then at that point, you would need to go to all of your contacts and actually get that tick box consent to transfer outside of the EEA at that point.

Also, need to keep records. All of this consent now, it's all about keeping records of the consent as well, and on that point, because we were talking about this yesterday, how we keep records of consent, and I was talking about Infusionsoft and tagging, I have got now a couple of great videos from David Holland, who is watching. David Holland, Infusionsoft expert, hello, and we're going to show you how to do that so that you can record keep within Infusionsoft. I've not had the chance to look at them yet, but I think he sent me one for Infusionsoft, and one other platform as well, and we'll get some of the experts on who can show you how to do it for your own CRM system.

Okay, so that is the summary. I hope that all made sense. Any questions that I haven't answered because I can't see them on my phone or my laptop, then I'll go through the list. If I still haven't answered it, tag me in the group and I'll try and get around to answering it. Just as a little point here, this group is expanding exponentially on a daily basis. I think we have something like 200 requests to join overnight, and I just can't answer individual questions, okay? I'd love to, but I'm not going to be able to without driving myself insane. I do read your questions, and I will try to incorporate them in videos of Facebook lives, but I'm not going to do an instant reply to your questions in the group. People helpfully do chip in, and I've seen that already in the group that people have answered questions.

Again, if you are helpfully answering questions, just be sure that you're right before you do answer those questions because the whole reason this group was set up was because I've seen such inconsistent advice online. So, make sure that you actually really know the answer before you try and be helpful is my advice. Okay, so that's all I want to say. Thank you so much for joining me everyone. Thanks for your questions, and like I say, if you do go through the effort of checking whether your software provider is part of the EU U.S. privacy shield, then do post in the group because that will be enormously helpful for people. I Hope that has been helpful. I will decide what we're going to be talking about tomorrow some stage later today or tomorrow, and post in the group, but thanks. Thanks for joining in the discussion, and yeah, I'm excited.

I've got really good GDPR buzz going, and I hope you guys have too. Actually, I just want to finish by saying there's been a lot of comment about you've got the two camps, and in fact, Greg Elliot, who is watching, hello Gregg, just forwarded me an email from a very well respected lawyer, who I know personally, and her approach was small business owners, you just really don't need to bother with GDPR. Just rely on legitimate reasons. The words have gone completely out of my head now, legitimate interests, talking too much here. Rely on legitimate interests. You'll be fine. Gregg forwarded it to me, and I was like yeah, the reason ... I think there's a healthy middle between the two extremes isn't there?

There's one camp that is... it is hype, and as I said on my video yesterday, the information commissioner’s office does not have a vast police force of data protection officers that are going to be going around on the 25th and the 26th and 27th of May checking that all small business owners are compliant with GDPR. It's just not going to happen, but I think that we to have to take it seriously. We do have to show compliance. Yeah, it's not something to hype up. There's a few basics that you need to know, a few documents that you need to get into place, and then you can sit back and relax, and that's what I'm here to help you with. So, thanks for joining me. Share the group far and wide, and have a brilliant day.