How the GDPR on data transfer affects cross-border payment institutions

Luana P. Nogueira, CurrencyFair, Ballsbridge, Ireland

PUBLISHED ON: 22 Jun 2020

The General Data Protection Regulation (GDPR) in Recital 23 brought an obligation to all companies that receive, control or process personal data of European Union (EU) residents to comply with the minimal safeguards stated in European legislation. One of the main issues is the fact that companies that are not based in the EU, but which receive, store or process the personal data of EU residents, are also required to provide adequate levels of security as per the GDPR standard.

In an era of globalisation and tech services, this may become one of the most difficult compliance challenges, especially for those businesses operating in the EU which provide cross-border services. It can directly impact the relationship with a data processor based in a third country, a relationship which may be necessary in order to provide the business's services in that third country.

Cross-border payments

As the subject of this text is cross-border payment providers, it is important to note that payment providers usually operate through relationships with financial institutions, card processors and various other providers. Once a payment goes from a European country to a third country, or vice versa, the entity responsible for the start or the end of the payment process may be based in a third country where the GDPR is not applicable. Furthermore, the third-party processor may have sub-processors that are equally not required to comply with the GDPR, but only with their local laws and regulations.

The GDPR states that the processor must inform the data controller if it has any sub-processors, provide full details of them and allow the data controller to decide whether these sub-processors are acceptable or not. All sub-processors must comply with the same (GDPR) safeguards that the processor is subject to. The processor is fully liable for the failures of a sub-processor according to Art. 28(4).

This only increases the difficulty of entering into a contract with a provider in a third country, since the data protection requirements that must be in place affect not only the processor but also its sub-processors.

Given the data controller's right to decide whether or not to accept a sub-processor, this may become a further issue. It does not seem viable that a company which already has its own sub-processors would change all or some of them just to be able to do business with a European company.

As an example, issues may arise with a card processor based in the Middle East that provides services to a European company. This processor would enable the company to process card payments for its customers, who may be European and non-European residents. In order to support the transactions, certain personal information relating to the cardholder may be required. The card processor itself is required to comply with its local laws and regulations, i.e. the legal framework of the Middle Eastern country in which it is based. It will not be required to comply with the European standard of data protection unless it does business with a European company or provides services to European residents.

The European regulation says that, where the processor is not based within the EU and in the absence of common personal data protection safeguards at a global level, cross-border flows of such data entail the risk of a break in the continuity of the level of protection guaranteed in the European Union. Art. 28(1) states the obligation of the data controller to choose only processors that comply with the GDPR.

If the controller does business with a provider/processor that is not GDPR compliant, the data controller is liable. If an essential third-party provider is not GDPR compliant, how will the European cross-border payment provider continue to operate its business?

If the GDPR is applied in a black-and-white manner, both scenarios would culminate in extremely onerous and time-consuming changes for those types of businesses. Is the European company, as a data controller, supposed to terminate the provision of its services in certain countries if it does not have a processor there that is GDPR compliant? Or what if the data controller is unable to obtain GDPR compliant providers in all the areas that are needed? Often a complete business provision depends not on one single third-party provider but on several of them.

Mechanisms for the safe transfer of data to third countries

In an attempt to be less prejudicial to European companies that operate internationally, and to facilitate the flow of such data, the EU legislator established mechanisms whereby personal data may be transferred from the European Union to a third country.

The mechanisms which allow for the transfer of personal data to a third country are the following:

(a) Countries approved by adequacy decision: In this case the transfer of data will be allowed based on the adequacy decision provided by the European Commission.

(b) Standard Data Protection Clauses: The data controller may transfer personal data to a third country if there are appropriate safeguards in place and enforceable data subjects' rights are available. In order to facilitate this, the Commission has provided standard clauses to be inserted in a contract between the parties.

(c) Binding Corporate Rules (BCRs): When a multinational group has EU entities and non-EU entities, the group may use BCRs to transfer personal data between these entities. The group must have data protection policies in place for the transfer of data from the entity in the EU to the entity outside of the EU. It is important to note that both entities must be part of the same group and that these policies must be enforced by every member of the group.

A different possibility, which only applies to the transfer of data to the US, is the Privacy Shield. This was an adequacy decision provided by the European Commission which allows the free transfer of personal data from the European Economic Area (EEA) to the US for commercial purposes, to companies that are certified in the US under the Privacy Shield.

Despite all of the benefits of the above-mentioned mechanisms, it is also important to observe that all of these requirements can be laborious to achieve.

An adequacy decision, although once granted it allows for the free transfer of data to the third country in question, still means a long process that can take a few years to complete.

According to Giovanni Buttarelli, Europe's data protection officer, Mexico, South Korea and India have shown interest in achieving Commission approval for data transfers. They are joined by the UK, which after Brexit will have to go through the Commission's analysis.

BCRs can be a solution for some multinational companies and their internal flows of data, but they are not applicable to third-party providers.

In this case, the last and best option is the Standard Data Protection Clauses. These can be quickly included in the provision of services agreement between the parties. Traditionally, they have been the most frequently used mechanism to legitimise international data transfers to countries that are not deemed to provide an adequate level of protection. Furthermore, there is no segregation by country, unless the data importer is subject to laws that oblige it to lower its data protection rules beyond the restrictions necessary in a democratic society.

Nevertheless, the standard clauses impose a considerable number of obligations on a third-party provider, obligations that most of the time are neither part of its local legislation nor something it is required to comply with in its own country.

One concern often raised by providers when required to sign contracts containing the standard clauses is the fact that they are not based in Europe and that, in their own jurisdiction, they are not required to comply with the GDPR.

Protecting business continuity

This fact makes European companies less and less attractive to third-party providers, who will have to comply with the minimum standards required by the GDPR if they decide to enter into a business relationship with a European company.

On the one hand it is impressive to see the European legislator’s efforts to protect its citizens and their privacy rights. On the other, it is necessary to question how it is going to impact the success of European companies that operate in an international environment. A more reasonable mechanism to allow cross-border data transfers is still needed in order to ensure that business continuity is also protected. 

Although Europe is a strong economic bloc, it cannot ignore the impact of international markets on its own economic results. Obliging third countries to comply with European legal standards is not the most democratic way to survive in a globalised world.

1 Comment

Jörg

22 June, 2020 - 16:38

The first sentence reads "The General Data Protection Regulation (GDPR) in Recital 23 brought an obligation to all companies that receive, control or process personal data of European Union (EU) residents to comply with the minimal safeguards stated in European legislation." This is plain wrong. Recitals don't impose obligations; they only help in interpreting the provisions in the act, though even there they play a limited role only.
