- International cooperation
More and more research is taking place within an international context, with collaboration between research teams representing various international public and private parties. As a result, the datasets collected within these research projects may reside on servers both within and outside the EU. In this chapter, we discuss the specific regulations governing the exchange of data between EU Member States and countries outside the EU.
First and foremost, it is important to distinguish between three types of countries:
Cross-border data transfers
The GDPR recognises the need for cross-border data transfers for the expansion of international trade and international cooperation. In all cases, transfers to third countries and international organisations may only take place in full compliance with the GDPR. This implies that EU data protection does not stop at EU borders.
It is always important to determine the risks of exchanging personal data in relation to the potential impact of such an exchange on the freedoms of EU citizens. If the data exchange involves no risks, no data protection is required: in that case, the exchange is considered part of the free movement of data.
The criterion for data protection is the extent to which the fundamental rights of EU citizens are affected. This is always about the balance between the protection of fundamental human rights (Articles 7 and 8, EU Charter) and people’s freedoms. As we saw earlier in this context, privacy is not always the highest right; in some situations, for example, national security interests may prevail. The GDPR facilitates both the protection of natural persons with regard to the processing of personal data and the free movement of such data, as stated in Recital 3: ‘to ensure the free flow of personal data between Member States’.
Summarised in these images (source):
Adequacy decision
However, some countries provide safeguards that guarantee a proper level of protection, essentially equivalent to the level of protection offered within the European Union. With respect to such countries, the European Commission has drafted a so-called adequacy decision – in other words, cross-border flows of personal data from the EEA to the country in question are equivalent to the transfer of data within the EU.
However, if a country is not part of the EU or EEA and has not received an adequacy decision, we refer to it as a ‘third country’:
- For EU and EEA countries, see: https://www.government.nl/topics/european-union/eu-eea-efta-and-schengen-area-countries
- For countries that have received an adequacy decision, see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
In that case, the GDPR describes a number of lawful mechanisms to legitimise cross-border data transfers. One of these lawful mechanisms, for example, is the conclusion of contracts containing standard contractual clauses (SCCs).
In the spotlight