GDPR Myth Busted: EU Personal Data Must Stay in the EU

By Marcus Robinson on November 18, 2019

By Marcus Robinson

November 18, 2019

We often get questions about the locality of chat data that we process for our customers, i.e where do we physically store conversation data and does this change based on where end users are located? Our customers build chat experience that engage users everywhere in the world and Stackchat is a multi-region cloud platform, so there's always a lot of ground to cover with this question, especially when it's being asked in relation to data location requirements for GDPR.

When it comes to GDPR, the question of “where are you keeping my data” might be motivated by a variety of factors. Maybe you’ve built your chatbot in Stackchat's non-EU region or your chatbot integrates with non-EU Union based service providers. Maybe your headquarters are outside the EU, but your chatbot is targeting EU-based users. All these variables can make navigating the GDPR pretty intimidating.

Unfortunately, we come across a fair bit of misunderstanding on this topic. A common confusion we encounter regularly is the notion that EU personal (PII) data cannot leave the EU. This is not true!

There are very few democratic countries that outright prohibit cross-border transfer of their citizen's personal data. The free movement of personal data is central to our modern global economy and the EU understands this. Free trade is one of their founding principles and they are "committed to liberalising world trade" (their own words) and the GDPR has specific provisions to enable the safe and secure transfer of data outside the EU.

What does GDPR say about transferring personal data out of the EU?

The GDPR has an entire chapter dedicated to the principles for transferring data outside the EU (chapter 5: "Transfers of personal data to third countries or international organisations").

This chapter can be summarised as follows: you can transfer PII data out of the EU, but make sure it maintains the same level of security and protection it has in the EU under GDPR. This means that the company outside the EU that is receiving the PII must be bound by a legal obligation to follow data protection principles that are at least as comprehensive as GDPR itself.

What do they mean by a legally binding obligation? There are several ways this may be enacted:

  • The entity receiving the PII data is in a country that has data protection equivalent to the GDPR (as determined by the EU Commission in what they call an "adequacy decision"). Canada and New Zealand have made the adequacy cut, but Australia? Not so much.
  • The entity receiving the PII data has a legally binding contract in place to follow data protection principles in-line with the GDPR (aka "appropriate safeguards").
  • The entity receiving the PII data has enacted legally binding corporate rules that enforce data protection principles in-line with the GDPR.

What constitutes a data transfer?

The most obvious case of a transfer is when the source data is physically moved from a machine in the EU, to a machine outside the EU. But a transfer also occurs when the data is merely viewed by someone outside the EU! This makes sense, since if you have your support team in the USA logged in to your EU Stackchat Studio servers to respond to user queries or view CRM records, then the PII data is technically being transferred from the Stackchat EU servers on to that user's computer in the USA. So if you really wanted to make sure there were no transfers outside the EU, you would need to make sure that all the people and systems that interact with the PII data captured by your chatbot are all physically located in the EU Union - an unrealistic scenario. But, don’t worry! Transferring data outside the EU (even to countries not cited by an "adequacy decision") is perfectly kosher if you apply GDPR-like data protection principles to your EU PII data wherever it goes.

How does this affect my chatbot?

If your chatbot doesn't prompt your users for PII data (like name, email address and phone number), then there's nothing to worry about! You can stop reading now. If, however, you are collecting PII data via chat, then you do need to worry about how you get the data, how you manage it, and when and for what purpose you use it (and Stackchat has all the features you need to remain compliant with these standard GDPR rules).

Just remember the moral of this story is that you don't have insurmountable restrictions on the location of the PII data that your chatbot is collecting. If you’re complying with GDPR’s principles in how you handle data, and using vendors like Stackchat who offer cross-border transfer safeguards (such as data encryption at rest and in-transit), then complying with the GDPR shouldn't be difficult.