Cross Border Transfers are Controlled by Regulatory Requirements
A cross border transfer describes the transmission of personal data from one country (jurisdiction) to another. Most privacy legislation provides regulations and guidelines for transferring information across borders. GDPR uses binding corporate rules to define how data can be transferred. These rules regulate how to transfer data within a company and/or with EU and EEA companies that have agreed to these rules.
The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The EEA states are Iceland, Norway, and Liechtenstein.
For transfers from EU businesses to companies in the United States, the rules of Privacy Shield regulate cross border transfers. In contrast, the CCPA does not specifically address cross border transfers. The Privacy Shield provides organizations the requirements and obligations for United States companies to transfer data to and from European Union states. US companies self-certify following the guidelines from the US Department of Commerce and commit to following privacy and protection principles.
What would be considered a cross border transfer?
- Data specifically moved from one country to another.
- Data that crosses boundaries during processing.
- If the processing of data could affect a data subject in another territory.