Use or share data from interviews outside the EU? What is allowed?
Let’s start very bluntly: In principle, you can do almost anything with the data as long as the person you are talking to agrees. This statement is not wrong. The GDPR does not, as such, prohibit obtaining permission to publish interviews on Facebook or YouTube. Just so as not to be misunderstood: We would not recommend this! It has a few pitfalls and raises many legal questions, but in principle it is not prohibited. And it is precisely these pitfalls that we would like to illustrate here using three specific questions as examples.
The “whitelist” for possible countries?
There are so-called adequacy decisions for the transfer of data outside the EU. These decisions state that an appropriate level of data protection can be expected in the countries they cover. Incidentally, the ECJ declared the Privacy Shield for US service providers to be inadequate in July 2020.
So far, so good. Conversely, this means that all countries that are not on this list are excluded in principle. Even if a country is on this list, you cannot start right away; you have to pay attention to additional points:
Purpose limitation
If I obtain consent, the purpose of the collection must be stated transparently. If I pass on data to a third-party provider who will use the data for their own purposes (we are thinking here, for example, of Google, where voice data is used for their own technical development), this does not correspond to the purpose limitation of the research project. Consent to this use would therefore have to be obtained just as transparently and prominently as for the research project.
Revocation and other rights
According to the GDPR, it must be possible to withdraw consent at any time. According to Art. 7 (2), this must be as simple as the granting of consent.
In addition, the data subject has far-reaching rights to information, including about what has happened to their data. In case of doubt, it seems to us that the researcher is responsible for enforcing this claim against the service providers.
Within Europe, the GDPR provides a common basis for enforcing these rights abroad. Outside the EU, you would have to check and ensure that you are legally granted these rights in the country in question.
Storage and deletion periods
According to the GDPR, time limits for the duration of processing and erasure must be specifically agreed. Processing must not go beyond the purpose for which consent was given. In the (admittedly quite cumbersome) contracts for commissioned data processing in accordance with the GDPR, precisely such questions are discussed in detail and thus documented transparently. In our experience, however, many service providers, both within and outside the EU, do not include such information either in their general terms and conditions or in their data protection notices. We therefore consider it questionable to what extent the use can be considered GDPR-compliant under these circumstances.
Conclusion
We have given three examples that raise many questions. This list is not exhaustive. With the appropriate effort, knowledge and legal advice, it is certainly possible to process and store data outside the EU. So much for the theory. In practical terms, if you are not a data protection expert, make sure that the data you collect remains within the EU. “Within the EU” also means on servers within the EU – so be vigilant when selecting cloud providers and make sure to conclude a contract for commissioned data processing. Many providers already offer this on their own.
Just to be on the safe side: We are providing this information as social scientists with experience in dealing with the GDPR; it is not legally binding information. If in doubt, please ask your data protection officer.
Further information, e.g. our GDPR-compliant template for a declaration of consent