
GDPR and the Deemed Export Rule: Striking a Balance

Trade-compliance programs can, indeed, serve two masters when it comes to the transfer of U.S. tech to foreign nationals

by Matt Silverman
July 27, 2022
in Compliance, Data Privacy

U.S. law may require your company to collect employee and contractor data in a manner that on its face would run afoul of GDPR requirements in Europe. VIAVI Solutions’ Matt Silverman explains how firms can successfully perform this high-wire act.

U.S. export laws regulate more than just the shipment of tangible goods from one country to another: They control the transfer of U.S. technology to foreign nationals, including foreign nationals within the U.S. 

This concept, known as the deemed export rule, is unique to U.S. law and requires companies with U.S.-controlled technology to collect and maintain data relating to the nationality of their employees and contractors who require access to such technology.

The EU and its collective countries do not have the concept of a deemed export within their laws. Export controls under EU law are based on geographic location, not the nationality of recipients. The EU does, however, have some of the strictest data privacy laws in the world — namely the General Data Protection Regulation (GDPR). 

Understanding that the U.S. deemed export rule requires access to nationality information and that the purpose of GDPR is to protect and often restrict access to personal data, the question often presented to trade compliance and data privacy professionals alike is: can you comply with both?

The short answer is yes, but not without qualification, as I’ll discuss. However, having worked in global trade compliance for two European-based companies, when our department would attempt to enforce a policy or issue guidance that required the collection of and access to nationality data of EU employees, the initial response received was often, “You can’t do that; it’s illegal under GDPR.”

So, to provide greater clarity, here is an explanation of how to navigate this seemingly fine line and where to find common ground to ensure compliance with both regulations.

What GDPR requires

GDPR outlines various rules regarding the processing — collection, storing and deleting — of personal data of EU citizens, both within and outside the EU. Personal data under GDPR is defined as “any information relating to an identified or identifiable person.” This definition is intentionally broad; if there’s a way that a piece of data can be associated with a person, GDPR likely applies. 

Therefore, nationality information of EU citizens is undeniably included within the GDPR definition of personal data. But GDPR doesn’t have any carve-outs or exceptions for nationality data, nor does it require any higher level of security or protection as compared to other forms of personal data. 

Under GDPR, companies processing personal data (including nationality data) of EU citizens must: “Implement appropriate technical and organizational measures, in relation to the nature, scope, context and purposes of their handling and processing of personal data.”

As provided in GDPR and as outlined below, this requires consent and transparency, as well as a lawful and specific purpose for the data processing. Finally, policies and procedures should be enforced to secure such data.

Consent and transparency

Under GDPR, consent must be provided by the person whose data is being processed. Consent doesn’t need to be explicitly given; rather, it can be implied, such as by the nature of employment. Employees who consent to their personal data being processed should be able to know how their data is being processed and secured. While an employee may have the right to refuse consent, such refusal may mean that their ability to access U.S.-controlled technology will be restricted or prohibited.

A lawful and specific purpose

Assuming there is consent (explicit or implicit), GDPR further requires that there be a lawful basis for processing personal data. Companies that process personal data of EU citizens must be able to demonstrate the legal basis for doing so, and that basis should have a specific purpose.

A lawful and specific purpose could be based on a contractual agreement, a regulatory obligation, a vital public interest or other reasoning. Such reasoning can include, and has included, fraud detection, law enforcement and watchlists, cybersecurity, IP security and employment-related issues.

Because U.S. export laws carefully regulate the transfer of U.S.-controlled technology to foreign nationals, a company in the U.S. or EU may have a lawful interest in processing the nationality data of employees (including EU citizens) who require access to such technology. Thus, the processing of nationality data provides the legal basis required to pass GDPR scrutiny.

However, even if the basis for processing nationality data is legal, there must be a specific purpose for doing so. Therefore, a company that decides, for example, to process the data of all of its employees in Europe (HR personnel, finance staff, janitorial workers, etc.), including those who have no reason or need to access U.S.-controlled technology, may be in violation of GDPR requirements. 

Trade-compliance officers should ask themselves: Is the processing of this specific person’s nationality data justified? If the answer is no, they should consider narrowing the scope of their efforts.

Policies and procedures

Effective policies and procedures must be written and enforced to ensure compliance with GDPR. This includes policies and procedures relating to the above-mentioned requirements, as well as those that relate specifically to data security and breach mitigation/prevention. Examples of best-practice policies and procedures relating to GDPR compliance and the processing and security of personal data (including nationality data) may include those that:

  • Ensure personal data is processed only for authorized purposes — e.g., lawful and specific, as described above.
  • Ensure the accuracy and integrity of the data being processed.
  • Minimize the exposure of the subjects whose data is being processed.
  • Implement strong data security measures.
  • Include a process for the deletion/expungement of personal data when it is no longer required. (Note: recordkeeping requirements under the U.S. export laws may compel a company to retain nationality data even after the employee has left the company or no longer requires access to U.S.-controlled technology.)
  • Assess risks to privacy and security and demonstrate that such risks are being mitigated.
  • Explain the requirements in the event of a security breach, including notification of the authorities and the subjects.

Finally, for companies that are not processing nationality data and other personal data directly but are using a third-party service provider, contractual language may be necessary to mitigate GDPR violations. Such language might cover the type of data that will be collected, the legal justification for the collection of such data, how and when the data will be processed and the processor’s responsibility as to the accuracy, security and eventual destruction of such data.

Conclusion

While there appear to be conflicting interests between EU privacy laws and U.S. export controls, compliance with both regulatory regimes can be satisfied when companies take proactive measures. 

With policies and procedures in place and enforced to ensure the legality, legitimacy and security of nationality data that is being processed, a compliance compromise of sorts between the two regulations can be achieved. 

Companies on either side of the Atlantic that are looking for further guidance on this topic may consider joining the Privacy Shield framework (www.privacyshield.gov), a collaborative effort among the U.S., EU and Swiss authorities designed to provide a mechanism to ensure compliance with the data protection requirements of GDPR.


Matt Silverman

Matt Silverman is the Global Trade Director & Senior Counsel at VIAVI Solutions in Chandler, Arizona. Matt leads the VIAVI Global Trade group, providing strategic guidance to the business and management on international regulatory requirements (including customs, export controls, embargoes, sanctions and antiboycott law) enabling compliant movement and market access for the company’s products, software, technology, and services. Prior to joining VIAVI, Matt held trade compliance roles in the semiconductor, aerospace, and energy industries. Prior to his corporate compliance career, Matt worked in Washington DC on trade policy and legislation in the United States Senate and the United States Trade Representative. Matt began his legal career as a litigator in Chicago, Illinois. Matt earned his undergraduate degree from the University of Michigan, his Juris Doctor from Loyola University Chicago School of Law, and his Master of Laws in International Business and Economic Law from Georgetown University Law Center in Washington, D.C.