Get, Set… Transfer?

Three scary words

So, you’re a modern company and you want to work with the best talent from all over the world. You also want to keep your costs down, so you look at vendors globally for your needs. And you want to remain in business, so you aim to meet all of your compliance goals. You make a plan, you have the right people and the right tools, but then… when it could be so easy… there comes your blocker, because once again you need to deal with - yes, bear with me, you need to hear it - International Data Transfers. A phrase that sends shivers down the spine of compliance teams worldwide. But does it have to?

Nobody - aside from the strange breed of privacy professionals - likes to deal with international data transfers, especially if European personal data is involved. But here is the good news: we at Liferay know this - we’ve faced this problem ourselves and built solutions that make both our Customers’ and our own lives easier. This blog post aims to shed some light on how we came up with them and why your company can use them, too. But first, let’s see what caused this headache…

Shrinking hoops to jump through

Data protection laws have existed for decades worldwide, but the European General Data Protection Regulation¹ (or how you probably encountered it: GDPR), applicable since May 2018, marked a turning point. Unlike earlier laws, GDPR brought substantial financial risks, compelling companies to prioritize compliance. As GDPR’s main focus is the protection of the rights and interests of individuals in the European Union through guarding their personal data, it also regulates what should happen to personal data when it leaves the European Economic Area (EEA). Building on the transfer rules of the 1995 Data Protection Directive, it was the first law to regulate cross-border transfers of personal data comprehensively, taking into account the rapid changes in IT and how globalization affects data flows. In very simple terms, GDPR requires additional guarantees when personal data leaves the EEA (or in other words, when personal data is transferred out of the EEA, where a transfer is a disclosure by transmission or otherwise; the latter is very broad and includes even the mere ability to access the data from abroad, for example remote access by a support team), except in a few cases where the European Commission has found that the level of data protection in a non-EEA country or an international organization is essentially equivalent to the level of protection in the EEA. One of these countries, now once again, is the US.

The situation is harder when the European Commission has not published an adequacy decision for the target country, for example if your European company wanted to send data to India. In this case, there are a lot more hurdles to clear before the transfer can be made. These are explained below.

CONDITIONS OF PERSONAL DATA TRANSFERS OUT OF THE EEA

There are three routes: an adequacy decision, data transfers on the basis of appropriate safeguards, and data transfers on the basis of derogations.

Adequacy decision
Currently (November 2024), the following are considered adequate countries:
  • Andorra,
  • Argentina,
  • Canada (commercial organizations),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Republic of Korea,
  • Switzerland,
  • United Kingdom,
  • United States (commercial organizations participating in the EU-US Data Privacy Framework²),
  • and Uruguay.

An adequacy decision is really handy for companies - if there is one, personal data can be transferred to the non-EEA country in question without the necessity of providing further proof that the transfer is safe (see the following sections for what such proof can be). One caveat: adequacy decisions are reviewed periodically and can be restricted or invalidated, so the list should be checked before each new transfer arrangement.

Data transfers on the basis of appropriate safeguards

Appropriate safeguards are:

  • Standard data protection clauses adopted by the European Commission in June 2021 (SCCs);
  • Binding corporate rules (BCRs);
  • Codes of conduct;
  • Certification mechanisms;
  • Ad hoc contractual clauses.

Beware! It’s not just a “contract and done” situation! The purpose of these guarantees is to make sure the level of protection for the personal data is the same as if it had never left the EEA. Therefore, companies that want to apply these measures (including the most widely used, the SCCs) must perform additional tasks before they can transfer the data:

1. They need to perform a Transfer Impact Assessment (TIA) for the target country to make sure that the country does not have concerning legal provisions or practices with respect to the protection of personal data. This is an in-depth analysis and requires thorough knowledge of the third country in question. The data exporter (the controller or processor that carries out the transfer) must, among other things:
   a.) precisely identify which law(s) and which provisions of those laws guarantee the protection of personal data, or whether the opposite is true (e.g. the state gives public authorities wide rights to access personal data with little or no chance of redress, or the necessity and proportionality requirements stemming from constitutional law are not respected);
   b.) pay attention not only to the legal text but to its implementation in practice (e.g. whether the guarantees laid down are actually enforced, or whether they are merely formal and not applied in reality);
   c.) tied to the above, review the practices of the third country’s public authorities, to ensure that the transfer tool chosen by the exporter can be a sufficient means of ensuring, in practice, the effective protection of the personal data transferred.

Usually, companies don’t have this level of knowledge, and as a result, these TIAs are mostly done by external lawyers and are very costly.

2. They must adopt supplementary measures (of a contractual, technical or organizational nature) to compensate for any gaps in the guarantees of the target country discovered in the TIA, proportionate to the risk of the actual transfer. Technical measures only help if the data importer cannot undo them: encryption where the importer does not hold the key is such a measure, encryption where the importer decrypts the data on arrival is not.

3. They must re-evaluate the assessment and the measures periodically and whenever the law or practice in the target country changes (time, money, human effort…).

Data transfers on the basis of derogations

Companies that want to transfer personal data from the EEA to countries which lack an adequacy decision, and for which no appropriate safeguards are in place, can do so occasionally, in exceptional circumstances, by relying on derogations and putting additional guarantees in place.
Derogations from the ban on personal data transfers are listed in Article 49 of the GDPR, and include the explicit consent of the data subject (after being informed of the risks of the transfer) as well as contractual necessity (the transfer is necessary for the performance of the contract between the data subject and the organization). They are interpreted restrictively and are not suitable for regular, repeated transfers.
As mentioned, additional guarantees are needed, which themselves can be quite a challenge for companies to provide.


¹ By now, of course, many more privacy laws have appeared globally (with stringent rules, for example, in California, Switzerland, Brazil, Canada and most recently India), but the GDPR remains relevant, partly because many companies that operate globally have European interests and partly because the GDPR served as the model for many of the newer regulations.

² The Privacy Shield was a framework created by the European Union and the United States to make it easier for US companies to receive personal data from individuals in the EU. It set certain rules that US companies had to follow to protect this data and allowed a free flow of personal data between the EEA and the US. However, an Austrian lawyer, Max Schrems, challenged the legality of this framework, and the Court of Justice of the European Union (CJEU) ruled in his favour in July 2020 (case C-311/18). The court decision is commonly referred to as “Schrems II”. As a result, companies that wanted to transfer personal data from the EEA to the US were in trouble. The situation was hard for everyone, so after a lot of negotiations and revised guarantees, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework in July 2023. One big concern raised by the CJEU in Schrems II still keeps privacy lawyers’ minds busy, though: the court’s requirement that the data exporter assess the law and practice of the destination country before relying on SCCs is what became the TIA.

Keeping it safe

Equipped with the knowledge above, you must be eager to learn what Liferay does to support your compliance endeavors. Our Trust Center provides the relevant details regarding cross-border transfers in its Liferay SaaS, Liferay PaaS and Liferay Analytics Cloud sections. It highlights, among other things, the following:

  • One of Liferay’s five core principles is “Produce Excellence”. Accordingly, Liferay sets its own standard of privacy to match the requirements of the GDPR, the gold standard in data protection, and applies that standard throughout the company group, globally. This means that Liferay sticks to GDPR standards for all data processing that involves international internal collaboration, even in offices where national laws have less strict requirements.
  • As part of providing its cloud services, Liferay performs cross-border transfers of personal data. It safeguards these transfers by relying on (i) an adequacy decision or, where none is available, (ii) the EU Standard Contractual Clauses. Within the Liferay company group, data transfers always fall under the scope of the GDPR: Liferay International Limited, an Irish company, is subject to the GDPR. Due to Liferay’s contracting structure, this company has one of two roles: (i) it is the entity selling the Liferay Digital Experience Platform Offerings, or (ii) it is the principal sub-processor for such offerings, in which case personal data transferred from Ireland constitutes an onward transfer (to third parties and group sub-processors). Thus, the GDPR applies to all Liferay cross-border transfers of personal data.
  • In addition, where the target of a data transfer from the EEA is a third country not covered by an adequacy decision, such as Brazil (where Liferay Latin America Ltda., an important Liferay affiliate, is located), a TIA has been conducted by a reputable law firm in Brazil, confirming that there is nothing in Brazilian law that would undermine the level of protection afforded by EU data protection law.
  • When Liferay uses a sub-processor outside of the Liferay company group, it conducts a TIA for the transfers and applies additional technical and organizational measures (smart obfuscation, BYOK encryption) to further reduce the risk of the cross-border transfer, where required and as feasible. Additionally, before Liferay starts using the services of a sub-processor, each service or system provided by that sub-processor is reviewed and approved on the basis of a vendor assessment, a Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documentation describing the respective system protections and compliance with the applicable data protection laws.
  • Liferay applies a wide range of technical and organizational measures to ensure the safety and security of personal data and other confidential information.
  • Our products’ analytical features (deactivated by default) and Analytics Cloud as a standalone product are supported from the US. This means that data collected and otherwise processed for analytical purposes may be accessed by our teams in the US. From a data transfer standpoint this is not a problem, though, and our EMEA customers can breathe easy: Liferay, Inc. is certified under the EU-US and Swiss-US Data Privacy Framework, and therefore any transfers of personal data from the EEA to Liferay, Inc. are covered by the adequacy decision.

See? It’s not that scary, you just need the right comrades to go into battle with - partner with Liferay to simplify your compliance journey and focus on what matters most: growing your business.
