GDPR Cross-Border Data Transfer – Knowing the Boundaries   By Micky Khanna

by Jenae Reid on December 20, 2017

With the notable growth and international expansion of affiliate networks/platforms, merchants, publishers, and agencies, the territorial scope of the EU General Data Protection Regulation (which comes into force on May 25, 2018) means that organizations will need to revisit company data policies, as well as their existing cross-border business/technology partnership agreements, in order to protect the transfer (and onward transfer) of any EU Citizens’ personal data.

Under GDPR, any country other than the EU (and EEA) Member States is classed as a “third country”, and Personal Data can only be transferred to a third country if an adequate level of protection is guaranteed. An Adequacy Decision is granted by the European Commission to non-EEA countries that provide a level of personal data protection which is (in effect) equivalent to that provided in European law.

Which Countries are Deemed as Adequate?

A recent study published in quoted that “GDPR fines may affect almost 80% of US firms”, so it seemed appropriate to mention the U.S. as one of the 12 countries recognized by the European Commission as having adequate protection for EU Citizens’ personal data under the EU-US Privacy Shield, the framework that protects the personal data of anyone in the EU transferred to companies in the U.S. for commercial purposes.

This framework sets the obligations for U.S. companies receiving personal data from the EU, and gives EU individuals the right to make a complaint if they think that their personal data is not being properly protected.

U.S. organizations must self-certify annually to the Department of Commerce that it agrees to adhere to the Privacy Shield Principles (you can find the list of companies who have self-certified on the website).

Countries which are not classified as adequate (and US companies who are not certified under Privacy Shield) must have legally binding safeguards in place across their group of companies (including their employees), known as Binding Corporate Rules (BCR) or Standard Contractual Clauses, and that are in line with the Supervisory Authority of their designated EU Member State.

Countries most likely to have BCR’s in place include those within the Asia Pacific region, although the Asia Pacific Economic Co-operation (APEC) are in discussion with the EU about inclusion to the Cross Border Privacy Rules (CBPR) program (which “is analogous to the EU US Privacy Shield” – source:

Anyone Else?

We need to mention the UK and the B-word. Depending on what Brexit means, there will need to be appropriate safeguards that UK companies need to have in place, whether that is an “adequacy decision” (granted by the European Commission), Binding Corporate Rules, or Standard Contractual Clauses.

The Supervisory Authorities have already stated that they will take corrective measures which are “effective, proportionate and dissuasive” for non-compliance of the EU GDPR (both in national cases and in cases involving cross-border processing of personal data).

If you control or process any personal data of EU citizens, and haven’t reviewed your cross-border partnership agreements and data policies, you should probably do so – now.



Micky Khanna is an independent GDPR Practitioner, and founder of

This article appeared in issue 41 of FeedFront Magazine, which was published in January 2018.



Comments on this entry are closed.