International data transfer & data protection
International data protection always applies once data leaves national borders for storage or processing. For a number of digitised and outsourced processes (think of cloud computing or Software-as-a-Service), this happens faster than expected. In the case of an international data transfer, companies based in the EU must always take note of the level of data protection in the recipient country. In other words: is the data to be protected as safe there as it is here?
For non-EU companies wishing to be active within the EU or targeting EU citizens, this in turn means that storing and processing the data collected in the EU represents an international data transfer. Thus, data protection regulations like the EU General Data Protection Regulation (GDPR) may apply.
Moreover, issues regarding international data protection law may also become relevant if employees of a company, a partner company or a subsidiary abroad have access to the data stored in the EU. Even though a direct transfer to other countries may not take place, the foreign location is subject to laws which are not considered adequate under EU standards. A particularly challenging example is the U.S. Freedom Act (previously: U.S. Patriot Act), through which U.S. companies can be forced to comprehensively share data with U.S. authorities.