International Transfers of Personal Data

In today’s interconnected world and given the global nature of many online services, transferring personal data from one jurisdiction to another has become inherent to the majority of widely used technology solutions. Given the complexity of the rules on cross-border transfers of personal data, this article aims to provide some basic guidance on the principles applicable to such transfers as well as on the relevant mechanisms from the perspective of both the UK and EU data protection laws. Note that whilst this article aims to serve as a starting point for any considerations of cross-border data transfers, it does not aim to be an exhaustive resource, nor to account for any specific contexts.

Transfers from the UK

A transfer of personal data from the UK may generally take place only on the basis of adequacy regulations, or subject to appropriate safeguards.

Transfers based on UK GDPR adequacy regulations

By adopting adequacy regulations in respect of a specific country, the UK has recognised that that country ensures an adequate level of protection of personal data. In such a case, a transfer of personal data to that country may take place without any further authorisation.

A full and up-to-date list of countries covered by adequacy regulations can be found on the ICO’s website and includes all EU/EEA/EFTA countries, as well as Gibraltar, Republic of Korea, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. In addition, there are partial findings of adequacy about Canada, Japan and the US.

Note that in relation to personal data transferred to the US, there is adequacy only in relation to data transferred under the UK Extension to the EU-US Data Privacy Framework. Entities and organisations which have signed up to the Framework will not need any further authorisation; others will need to put in place appropriate safeguards.

Transfers from the UK subject to appropriate safeguards

In the absence of UK adequacy regulations about a country, a transfer can be made if it is covered by ‘appropriate safeguards.’ There is a list of appropriate safeguards in Art 46 of the UK GDPR which includes binding corporate rules, standard data protection clauses approved by the Secretary of State or the ICO, as well as an approved certification mechanism.

In practice, when making transfers subject to appropriate safeguards, companies will most likely rely on standard data protection clauses recognised or issued in accordance with UK data protection law. Standard data protection clauses impose contractual obligations on the provider and the recipient, and grant rights to individuals whose personal data is transferred. Individuals must be able to directly enforce those rights against the provider or recipient, or both.

The ICO has issued two sets of standard data protection clauses for restricted transfers which organisations can use:

1. the International Data Transfer Agreement (IDTA); and

2. an International Data Transfer Addendum (Addendum) - this is an addendum to the new standard contractual clauses issued by the European Commission under the EU GDPR on 04 June 2021 (new EU SCCs). The new EU SCCs are not valid for restricted transfers under UK GDPR on their own but using the Addendum will allow a UK company to rely on the new EU SCCs for its transfers under UK GDPR.

Transfers from the EU

A transfer of personal data from the EU may generally take place only on the basis of an adequacy decision, or subject to appropriate safeguards.

Transfers based on EU GDPR adequacy decision

By adopting an adequacy decision in respect of a specific country, the European Commission has recognised that that country ensures an adequate level of protection of personal data. In such a case, a transfer of personal data to that country may take place without any further authorisation.

A full list of countries covered by adequacy decisions can be found on the European Commission’s website and includes Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland and the United Kingdom.

The list also includes the United States, but only to the extent that the relevant recipient commercial organisation participates in the EU-US Data Privacy Framework. Where this is not the case, the organisation will need to put in place appropriate safeguards.

Transfers from the EU subject to appropriate safeguards

In the absence of the Commission’s adequacy decision about a country, a transfer can be made if it is covered by ‘appropriate safeguards.’ There is a list of appropriate safeguards in Art 46 of the EU GDPR which includes binding corporate rules, standard data protection clauses approved by the Commission or a supervisory authority, as well as an approved certification mechanism.

In practice, when making transfers subject to appropriate safeguards, companies will most likely rely on standard data protection clauses adopted by the Commission. Standard data protection clauses impose contractual obligations on the provider and the recipient, and grant rights to individuals whose personal data is transferred. Individuals must be able to directly enforce those rights against the provider or recipient, or both.

The Commission has issued a set of Standard Contractual Clauses for International Transfers which organisations can use.

Next steps

Hopefully, this introduction to international transfers of personal data has provided a comprehensive overview of this complex area. If you have any follow-up questions or would like to discuss any specific concerns or queries, please don’t hesitate to reach out.