Article 44 of the GDPR prohibits the transfer of personal data outside the EU/EEA unless the recipient country can prove it provides adequate data protection. The acceptable forms of proof are detailed in Articles 45–49.
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Article 47: Binding corporate rules
- Article 48: Transfers or disclosures not authorized by Union law (international agreements)
- Article 49: Derogations for specific situations
Article 44 recognizes the following strategies for proving that a recipient country provides adequate data protection.
- Adequacy Decisions: The European Commission may decide that a non-EU/EEA country, a sector within that country, or an international organization provides adequate data protection. There are currently two forms of Adequacy Decision: Whitelisted Jurisdictions and the Privacy Shield Framework.
  - Whitelisted Jurisdictions: The European Commission can make a finding that a non-EU/EEA jurisdiction enforces data protection laws that are essentially equivalent to the GDPR. Currently, the following jurisdictions enjoy an Adequacy Decision: Andorra, Argentina, Canada (some provinces), Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
  - Privacy Shield Framework: The Framework, approved on July 16, 2016, allows U.S. organizations to self-certify to the U.S. Department of Commerce and then publicly commit to comply with the Framework’s data protection requirements. The public commitment is enforceable under U.S. law.
- Appropriate Safeguards: The European Commission may allow transfers to countries where appropriate safeguards are in place. Safeguards include:
  - Standard Contractual Clauses (SCCs): There are two sets of standard contractual clauses for transfers from Data Controllers to Data Controllers and one set for transfers to Data Processors located outside the EU/EEA.
  - Codes of Conduct and Certification: These are not yet defined or adopted under the GDPR.
- Binding Corporate Rules (BCRs): BCRs are internal rules used by a multinational company to govern personal data transfers to company entities located in countries that do not provide an adequate level of protection. BCRs must specify the company’s data privacy principles (transparency, data quality, data security, etc.), effectiveness tools (data audits, training, complaint handling, etc.), and proof of the binding nature of the BCRs. BCRs cannot legitimize transfers to non-affiliated entities such as customers, suppliers, distributors, service providers, or government agencies.
- International Agreements: Personal data may be transferred or disclosed only when ordered by a court or tribunal, and only if the order is based on an international agreement between the requesting country and the EU/EEA.
- Derogations: The European Commission may allow a data transfer if it is:
  - Explicitly consented to by the Data Subject.
  - Necessary for the performance of a contract or for the vital interests of a Data Subject; for reasons of public interest recognized under EU/EEA law; for the establishment, exercise, or defense of a Data Subject’s legal claims; or for the vital interests of a Data Subject who is unable to give explicit consent.
  - Made from a public register.
Compliance with Article 44 requires either:
- Blocking transfer of personal data outside the EU/EEA; or
- Ensuring adequate data protection.
In both cases, the starting point for compliance is data discovery and classification. Data discovery provides visibility into the location, volume, and context of data on premises, in the cloud, and in legacy databases. Data classification catalogues the discovered data according to its personal data type (credit card number, email address, medical records, etc.) and its security risk level.
Blocking data transfers requires data-across-borders access management measures that limit which data can be accessed from outside defined borders.
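The discovery-and-classification step and the data-across-borders check described above, as an added example (not code from the page or from any Imperva product). The sample rows, the detector patterns, the risk scale, the EU/EEA membership list and the `TRANSFER_MECHANISM` table are all constructed for the illustration; a real deployment would take the country lists from the regulation and the Commission's adequacy decisions.

```python
import re

# Constructed sample rows, standing in for records found by a discovery scan. Not real data.
SAMPLE_ROWS = [
    {"customer": "A. Example", "email": "a.example@example.test",
     "card": "4111 1111 1111 1111", "notes": "prefers phone contact"},
    {"customer": "B. Example", "email": "b@example.test",
     "card": "", "notes": "diagnosis: type 2 diabetes"},
    {"customer": "C. Example", "email": "",
     "card": "", "notes": "no marketing"},
]

# Detectors for the personal data types named in the text. The patterns are deliberately
# simple; a production classifier would add checksums (e.g. Luhn for card numbers) and
# column-name hints to cut false positives such as phone numbers.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")
MEDICAL_TERMS = ("diagnosis", "prescription", "patient")

# Assumed risk scale per personal data type: high > medium > low.
TYPE_RISK = {"credit_card": "high", "medical": "high", "email": "medium"}
RANK = {"low": 0, "medium": 1, "high": 2}


def classify_value(value: str):
    """Return the personal data type detected in one field, or None."""
    if not value:
        return None
    if EMAIL_RE.match(value):
        return "email"
    if CARD_RE.match(value):
        return "credit_card"
    if any(term in value.lower() for term in MEDICAL_TERMS):
        return "medical"
    return None


def classify_row(row: dict) -> dict:
    """Catalogue one row: the personal data types it holds and the highest risk among them."""
    types = sorted({t for t in map(classify_value, row.values()) if t})
    risk = max((TYPE_RISK[t] for t in types), key=RANK.get, default="low")
    return {"types": types, "risk": risk}


def classify_rows(rows):
    return [classify_row(r) for r in rows]


# Data-across-borders policy. Both lists are constructed and incomplete: the real ones are
# the EU/EEA member states and the jurisdictions holding an adequacy decision or safeguard.
EU_EEA = {"AT", "DE", "FR", "IE", "NL", "NO", "IS", "LI"}
TRANSFER_MECHANISM = {"CH": "adequacy decision"}  # Switzerland appears in the list above


def transfer_decision(classification: dict, destination_country: str) -> str:
    """Allow or block the transfer of one classified row to a destination country."""
    if destination_country in EU_EEA:
        return "allow"      # intra-EU/EEA: Article 44 does not apply
    if not classification["types"]:
        return "allow"      # no personal data detected in this row
    if destination_country in TRANSFER_MECHANISM:
        return "allow"      # adequacy decision or appropriate safeguard on file
    return "block"          # default for any other third country


if __name__ == "__main__":
    for row, cls in zip(SAMPLE_ROWS, classify_rows(SAMPLE_ROWS)):
        print(row["customer"], cls, {c: transfer_decision(cls, c) for c in ("DE", "CH", "BR")})
```

The decision defaults to "block": a destination that has no recorded transfer mechanism is refused even for medium-risk data, which is the safe failure mode for a border control. Classification results would normally be stored alongside the data's location and volume so the same catalogue drives the masking and auditing controls listed below.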
Ensuring adequate data protection can be achieved through:
- Change management: Monitors, logs, and reports on data structure changes. Shows compliance auditors that changes to the database can be traced to accepted change tickets.
- Data loss prevention: Monitors and protects data in motion on networks, at rest in data storage, or in use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests, and unusual activity to prevent data theft.
- Data masking: Anonymizes data via encryption/hashing, generalization, perturbation, etc. Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy.
- Data protection: Ensures data integrity and confidentiality through change control reconciliation, data-across-borders controls, query whitelisting, etc.
- Ethical walls: Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc.
- Privileged user monitoring: Monitors privileged user database access and activities. Blocks access or activity, if necessary.
- Secure audit trail archiving: Secures the audit trail from tampering, modification, or deletion, and provides forensic visibility.
- Sensitive data access auditing: Monitors access to and changes of data protected by law, compliance regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an audit trail for forensics.
- User rights management: Identifies excessive, inappropriate, and unused privileges.
- User tracking: Maps the web application end user, through the shared application/database account, to the data that is finally accessed.
- VIP data privacy: Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft.
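The data masking item above names four anonymization techniques (hashing, generalization, perturbation) and pseudonymization with realistic fictional values. The following is an added example of each, written for this page and not taken from any Imperva product. The sample records and the masking key are constructed; the field names, the ten-year age band, the two-digit postcode prefix and the 5% perturbation scale are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import random
import statistics

# Constructed demo key. A real deployment keeps it in a key vault, separate from the masked
# copy, so that whoever holds the masked data cannot reverse the pseudonyms.
MASK_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records, not real people.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.test", "card": "4111 1111 1111 1111",
     "age": 47, "postcode": "10115", "salary": 52000.0},
    {"name": "B. Example", "email": "b@example.test", "card": "4111-1111-1111-1111",
     "age": 32, "postcode": "75001", "salary": 61000.0},
]


def keyed_hash(value: str) -> str:
    """Anonymization by hashing. A keyed HMAC rather than bare SHA-256, so an attacker without
    the key cannot precompute a dictionary of likely inputs (names, emails, card numbers)."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()


def generalize_age(age: int) -> str:
    """Generalization: replace an exact age with a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_postcode(postcode: str, keep: int = 2) -> str:
    """Generalization: keep only the leading digits of a postcode."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def perturb(values, scale: float = 0.05, seed: int = 0):
    """Perturbation: scale each value by a random factor in [1-scale, 1+scale]. Individual
    values change, while aggregates over a column stay close to the originals."""
    rng = random.Random(seed)
    return [round(v * (1 + rng.uniform(-scale, scale)), 2) for v in values]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonymize_card(card: str) -> str:
    """Pseudonymization: a fictional but realistic card number. The 6-digit issuer prefix is
    kept so reports grouped by issuer still work, the middle digits are derived from a keyed
    hash so the same real card always maps to the same pseudonym, and the last digit is chosen
    so the result passes the Luhn check like a genuine number."""
    digits = "".join(ch for ch in card if ch.isdigit())
    mac = hmac.new(MASK_KEY, digits.encode(), hashlib.sha256).digest()
    body = "".join(str(b % 10) for b in mac[: len(digits) - 7])
    partial = digits[:6] + body
    return next(partial + d for d in "0123456789" if luhn_valid(partial + d))


def pseudonymize_email(email: str) -> str:
    """Pseudonymization: a syntactically valid address in a reserved domain, stable per input."""
    local, _, _ = email.partition("@")
    return f"user-{keyed_hash(local)[:10]}@example.invalid"


def mask_records(records, seed: int = 0):
    """Apply one technique per field; the salary column is perturbed as a whole so that
    column statistics survive while no single row keeps its true value."""
    salaries = perturb([r["salary"] for r in records], seed=seed)
    return [
        {
            "name": keyed_hash(r["name"])[:16],
            "email": pseudonymize_email(r["email"]),
            "card": pseudonymize_card(r["card"]),
            "age": generalize_age(r["age"]),
            "postcode": generalize_postcode(r["postcode"]),
            "salary": s,
        }
        for r, s in zip(records, salaries)
    ]


if __name__ == "__main__":
    for masked in mask_records(SAMPLE_RECORDS):
        print(masked)
```

Hashing and generalization are one-way, so the output qualifies as anonymized only if the remaining fields cannot be combined to single out a person; the card and email pseudonyms are reversible by whoever holds `MASK_KEY`, which is why the GDPR treats pseudonymized data as still personal and why the key must stay inside the protected boundary.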
Learn how Imperva solutions can help meet Article 44 compliance requirements.