Wednesday, January 23, 2019
For many businesses, the international transfer of data is a critical part of day-to-day operations. The General Data Protection Regulation (GDPR) protects individuals’ personal data in this regard, meaning organisations cannot transfer personal data outside the European Economic Area (EEA) unless certain safeguards are in place. We explain below the permitted transfer mechanisms:
Is it an international data transfer?
First, you need to identify whether you are transferring personal data out of the European Economic Area (EEA). A “transfer” takes place where personal data is processed during or after the transfer to a third country. The impact of Brexit and data transfers is considered in our article GDPR and Data Transfers in the event of ‘No-Deal’ Brexit.
If personal data merely passes through a non-EEA country this is simply a “transit” of data, and is not within scope.
Here are some examples of personal data transfers out of the EEA:
The European Commission (EC) considers certain countries to provide an adequate level of data protection to EU data subjects. If you are transferring personal data to an “adequate” country then you can do this without putting further safeguards in place. The list currently includes Canada, Israel, New Zealand and Switzerland. The full list is under frequent revision and can be found on the EC’s website.
EU-US Privacy Shield
At present, personal data transfers are permitted to the USA under the EU-US Privacy Shield framework, which replaced the Safe Harbor transfer mechanism. The Privacy Shield is based on self-certification by companies. It allows companies to self-certify their compliance with data protection standards that have been found to provide an equivalent level of protection to the EU.
A list of companies who have self-certified can be found on the Privacy Shield website. If the company is on the list, at present, the transfer can take place without further safeguards.
Note: The future of the Privacy Shield mechanism is in doubt due to the fact that its effectiveness is currently being challenged. US and European companies that rely solely on Privacy Shield to comply with GDPR need to keep this under review.
Safeguards for “non-adequate” countries
Below is a snapshot of some of the other options for transferring personal data to countries without an adequacy decision:
Standard Contractual Clauses (SCCs)
SCCs are model contracts approved by the EC. They are the most popular mechanism for transferring personal data and are available to download on the, EC’s website. There are currently two sets of SCCs, one for controller-to-controller transfers and one for controller-to-processor transfers.
Note: SCCs have been challenged in the courts. While organisations can continue to rely upon this mechanism, we await a decision from the Court of Justice of the European Union as to the validity of SCCs.
Binding Corporate Rules (BCRs)
BCRs are intended to be used by large multinationals to allow for intergroup transfers of personal data. BCRs must be approved by the supervising data protection authority and then signed up to by each subsidiary that is undertaking data transfers. They tend to have limited use because they cannot be used for data transfers to third parties and due to the prior approval requirement.
While SCCs and BCRs are the main safeguards for international data transfers, GDPR does contain others. These include:
GDPR provides for limited derogations from the general restriction on international data transfers. These exceptions should be used narrowly and as a last resort after other transfer mechanisms have been considered. The European Data Protection Board guidance should also always be consulted. Consent, in particular, should be approached with care as it is a complex legal basis and consent can be withdrawn at any time. Examples of derogations include:
For more information on this topic, or if you have any questions relating to data transfers, please contact the Philip Lee Data Privacy and Technology team.