Insights

The territorial scope of GDPR

Image for The territorial scope of GDPR

GDPR aims to establish consumer trust in complex data ecosystems, like messaging. The result will be that businesses can inhabit and operate within the digital economy with a clear understanding of how trust must be nurtured, and not abused.

Today’s enterprise messaging use cases include a huge amount of communications that consumers now consider to be ‘the norm’. Everything from two-factor authentication messaging when you create a new online account, to customer service notifications, marketing and promotional deals, the list is endless.

Communication tools including SMS, MMS, voice, and video right through to more recent messaging platforms like RCS and OTT, in fact anywhere where personal data is stored will be impacted by the new GDPR regulations.

And it’s not only businesses in the EU that need to take note, those companies that sit outside the EEA region (that’s the EU + Norway, Liechtenstein & Iceland), but trade data with the EEA group will need to be compliant, or at the very least show they have ‘adequate levels of data protection’.

It is essential for all enterprises in the European Union, and those that do business with them, to examine the new rules and take the required steps to ensure they comply, in order to protect both themselves and their customers.

For companies engaged in messaging, in general terms, GDPR governs what you need to do if you store and process personal data (including metadata produced by communications), but not explicitly whether you can communicate with consumers, as this is covered under the E-Privacy legislation.

In summary, if you send or receive a message to or from an EEA resident, citizen or visitor (collectively known as Data Subjects) OR don’t communicate with any EEA Data Subjects but are incorporated within an EEA member state, then you are obligated to comply with GDPR.

So does data need to be kept in the EU?

GDPR stipulates that personal data can be stored in any country, provided that the country has adequate data protection laws. It also stipulates that personal data can flow freely within all EEA countries (EU + Norway, Liechtenstein & Iceland).

GDPR allows personal data to flow between the EU and the US under the Privacy Shield Framework, a US initiative whereby participating US companies are deemed to have adequate data protection.

Within the messaging ecosystem this is tricky, because of the dispersed nature of the messaging infrastructure. A message may be routed via India, or personal data stored in Australia. Enterprises, particularly in the Government, Banking and Financial Services sectors, are already requesting guarantees from Data Processors and Sub-Processors (CPaaS providers for example), that data remains in the EEA block – this is the only robust way of guaranteeing GDPR compliance.

The market is already responding, with companies like CLX offering new APIs that only use EU based infrastructure, and mobile network operators using a GDPR specific routing class.

How do I know if the country we store data in has adequate protections?

It should be noted that storage and access are synonymous, e.g. if technical support is located in India, then India is regarded as a country in which you store data.

The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea, and it’s likely that the list of countries recognized as having adequate protections will expand over time.

Need to know more? Download the full CLX Guide to GDPR and Enterprise Messaging here.

Related blogs