So much of the explosion in innovation in the music industry is around technological processes. But artists still need to focus on their art. To do so, they need to surround themselves with tech-savvy people. And hire a good lawyer.
– Gigi Johnson, Director of the Center for Music Innovation, University of California Los Angeles
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
– The Eigth Principle of the GDPR
Data controllers and data processors (I refer to both as “companies” here) send data across international borders for a variety of reasons. For example, multinational companies might need to send information between offices in different countries. Companies may also exchange data with foreign customers or suppliers, or choose to use cloud services or servers located in jurisdictions with lower labour or maintenance costs.
Spotify transfers, processes and stores information about our users on servers located in a number of countries. Your personal information may therefore be subject to privacy laws that are different from those in your country of residence. Information collected within the EEA and Switzerland may be transferred to and processed by third parties located in a country outside of the EEA and Switzerland, where you may have fewer legal rights in relation to your information.
The GDPR does not radically change existing data laws, but its introduces new accountability and transparency obligations for companies that manage personal data. To escape these new regulations, such companies may be tempted to simply move data outside of the EEA, and then store or handle the data in countries with fewer legal obligations. However, to ensure that Europeans benefit from data protection worldwide, the GDPR actually restricts how data collected in Europe can be transfered to non-EEA countries.
Some non-EEA countries are pre-approved destinations for European data, because the EU Commission considers their data laws to be “adequate” (Article 45). These countries include Canada, Switzerland, Argentina, Israel, and – under the “Privacy Shield” – the United States. But to transfer data to a non-approved country, a company must provide certain safeguards, and ensure that individuals whose data are being processed (“data subjects”) have enforceable rights and legal remedies (Article 46).
One straightforward way for a company to have these safeguards in place is to use standardised contractual clauses approved by the Commission, known as “Model Clauses” and “Binding Corporate Rules.” The GDPR also provides some exemptions from these restrictions, including instances where a data subject gives informed and explicit consent to a transfer. To obtain this consent, a company’s website would likely use a “click here to approve” notification which clearly explains the risks and protections involved in such a transfer.
My guess is that Spotify and other similar platforms will incorporate Model Clauses or Binding Corporate Rules. The GDPR will obviously impact companies differently, depending on the extent to which they engage in cross-border transfers, and the reasons they do so. In any event, I’m sure the lawyers already have their red pens (and headphones) at the ready.
I’ve written previously about GDPR implications for digital media platforms.