The court decision has highlighted the complexities around protecting personal data in translation content.
New guidance funded by the EUATC and to be jointly produced with one of the EUATC’s founding members, the Association of Translation Companies (ATC), aims to provide language industry specific guidance and resources for managing personal data in translation for transfers outside of the EU and EEA countries.
“GDPR regulates the transfer of personal data from the EU and EEA areas to ‘third countries’. Major corporations transferring large amounts of personal data between the EU and the US have moved to plug the hole left by the invalidation of the Privacy Shield, but what about the language services industry?” asks Raisa McNab, the ATC’s CEO, who will be leading on the EUATC-ATC GDPR Guidance initiative.
“For our industry, the issue is not the Privacy Shield per se. Rather, this latest news simply serves to highlight the challenges in our fairly uniform but, at the same time, hugely complex supply chains, specifically when it comes to the question of how to protect personal data in translation content.
“Personal data in translation content is a challenge because, although, for example, we may not transfer personal data in the form of large databases of subscriber details, we do transfer large amounts of individual documents to third countries for translation. Those documents may or may not contain personal data, and as such may or may not fall under GPDR regulations.
“And we don’t just transfer data for translation to a single third country, or a single processor. We transfer it to multiple third countries, to hundreds and thousands of individual sub-processors – typically overseas freelance translators.
“This causes a host of challenges around our existing client and supplier contractual relationships when it comes processing personal data in translation.”
The language industry’s challenges exist at every stage of the translation process:
- with client-controllers who may not identify content in translation as having potential GDPR implications and thus requiring controller-processor contracts;
- with language service companies acting as processors who haven’t had sufficient industry specific guidance to manage personal data in translation content adequately; and
- with freelance translators in third countries acting as sub-processors who by and large are not in a position to advise whether legal requirements in their country would contravene GDPR and the contracts they enter into.
Heike Leinhäuser, President of the EUATC, said:
“The EUATC had no hesitation in agreeing to support this important initiative from the Association of Translation Companies. The decision of the European Court of Justice has far reaching implications for our sector and industry-specific guidance is urgently needed.
“These issues and challenges around GDPR compliance when it comes to processing personal data in content for translation affect every single language service company at a European level, as well as their suppliers globally, so this initiative exactly fitted our funding criteria.”
Concluding Raisa McNab also points out, “Any global language service company handling personal data in content for translation originating in the EU, and their suppliers, will be equally affected.”
The joint EUATC–ATC project aims to plug this gap, and to provide language industry-specific guidance on managing personal data in translation for transfers outside of the EU, as well as resources for the contractual management of the complex controller-processor-sub-processor relationships specific for the translation supply chain.
The guidance will be delivered free-of-charge to all of the EUATC’s national association network members by the end of 2020.