GDPR And EU Data Location Requirements

May 04, 2018
Written by
Tom Tobin

GDPR European Union

Twilio often receives questions about the locality of data we process for our customers – where data is being stored depending on where it originates. Businesses all over the world use and trust Twilio, and they interact with their users also everywhere in the world.  

In new world of GDPR, the question of “where are you keeping my data” is coming up even more.  And, that question, (particularly, if you’re a small shop) may also be getting you down.  Maybe you’ve built your app on Twilio’s platform or use other non-European Union based service providers. Maybe your own operations are not based in the EU, but you have lots of EU-based users.  Even the spectre that you might have to re-architect your app and invest in new infrastructure in the EU just to make sure EU personal data stays in the EU could feel like an existential threat.  

Unfortunately, there is a lot of misunderstanding and misinformation on this topic. While some believe (or would try to have you believe) that EU personal data can’t leave the EU, this is simply not true.

The EU has stood for free movement of things since its start – capital, people, goods, all are free to move within the EU. And, the EU works to make their free movement possible outside the EU as well.  In the EU’s own words, “the EU is the world’s biggest trader, accounting for 16.5% of the world’s imports and exports. Free trade among its members was one of the EU’s founding principles, and it is committed to liberalising world trade as well.” Given the importance of the movement of personal data in today’s commerce, it would be anathema to the EU’s principles to enact a law that outright stopped the transfer of any personal data outside the jurisdiction.  Not many countries or jurisdictions (particularly democratic ones) actually outright prohibit cross-border transfer of personal data of their citizens.

What does GDPR say about transferring personal data out of the EU?

Chapter 5 of GDPR is titled “Transfers of personal data to third countries or international organisations” and consists of Articles 44 through 50.  (Let’s pause there for a moment… if the rule was, as some might have you believe, that EU personal data can’t leave the EU under GDPR, then why take seven Articles to say that?)  

The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR.  In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent.  (Unlike an outright prohibition on extraterritorial data transfers, this actually makes sense. No point if having rules if those rules get tossed out the window just by moving the data out of the EU.)  

This legally binding obligation can be achieved in multiple ways.  Here is a sampling:

  1. The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).
  2. The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection.
  3. The company has enacted Binding Corporate Rules.
  4. There is some regulatory-approved code of conduct to which the entity subscribes.

Notably, the existing law, the Data Protection Directive, already has these same cross-border transfer rules. GDPR is not actually creating a sudden sea change when it comes to data transfer.

Technically, what does a transfer mean?

A transfer may mean moving the source data to a machine outside the EU.  But, it can also be when an employee outside the EU views the data – for instance, a developer in Vietnam may be looking at the logs, or a support engineer in the Philippines may be helping a customer and view their data. At that point, the data moves, and the transfer is occurring, so to make sure there were no transfers, you have to make sure that all the machines, and all the people that could interact with the data are all in the EEA. Both storage in, processing in, and access from outside the EEA all count as transfer.  But, don’t dismay.  Remember, all of this is okay if you agree to apply GDPR data protection principles to EU personal data wherever it goes and use an approved transfer safeguard.

What about Safe Harbor – didn’t that get thrown out?

While the US-EU Safe Harbor Framework that permitted transfer from the EU to the US did get tossed, it also got replaced with a new program called the EU-US Privacy Shield framework. This program allows US-based companies to self-certify to a set of principles and submit to certain enforcement mechanisms. By participating, these companies are considered “safe” for transfers of EU personal data.   While the framework is subject to an annual review, it is currently a recognized transfer mechanism, and if you’re complying with GDPR, signing up for Privacy Shield should be a piece of cake.  Twilio participates in this framework and you can check out our Privacy Shield Statement.

What that means to you?

GDPR says a lot about how you can get the data, how you manage it, and when and for what you are allowed to use it. But it doesn’t place any absolute or insurmountable restrictions on the location of the data.  Make use of the recognized safeguards available – like certifying to the EU-US Privacy Shield Framework or executing standard contractual clauses. If you’re complying with GDPR’s principles in how you handle data, the requirements of these safeguards should not be hard to meet.  And, look for vendors, like Twilio and many others, who also offer these cross-border transfer safeguards.