DMH Stallard Associate, Atiq Bhagwan, looks at the current law allowing the transfer of personal data to recipients outside the EEA, how these circumstances will be affected by the GDPR, and what steps businesses will need to take to comply with revised and new obligations.
Under the Data Protection Act 1998 (DPA), personal data can only be transferred lawfully outside the European Economic Area (EEA) using certain specified methods. These methods will be amended from 25 May 2018 when the General Data Protection Regulation 2016 (GDPR) comes into force.
This article outlines the current legal position, the changes which will occur under the GDPR, and the steps you can take to make sure your business complies with its obligations under the GDPR in respect of transferring personal data outside of the EEA. The potential fines the Information Commissioner’s Office (ICO) can issue under the GDPR for non-compliance are significant, so it is important to understand your new obligations under the GDPR and ensure that all transfers of personal data made by your business are lawful.
What is the current position?
Under the DPA, there is a general prohibition on transferring a data subject’s personal data outside the EEA to any third country or territory which does not ensure an adequate level of protection for the rights and freedoms of that data subject in relation to the processing of their personal data. This is known as the “adequacy requirement”.
The EC has decided the following countries do have an adequate level of protection for the rights and freedoms of individual data subjects: Andorra, Argentina, Canada, Faeroe Islands, Jersey, Guernsey, Israel, Isle of Man, New Zealand, Switzerland and Uruguay. Your business can therefore transfer personal data to entities based in these countries without falling foul of the adequacy requirement.
The factors considered by the EC in determining whether a country outside of the EEA has an adequate level of protection to allow transfer of personal data include:
- the nature of the personal data
- the country or territory of origin of the information contained in the data
- the country or territory of final destination of that information
- the purposes for which and period during which the data are intended to be processed
- the law in force in the country or territory in question
- the international obligations of that country or territory
- any relevant codes of conduct or other rules which are enforceable in that country or territory and
- any security measures taken in respect of the data in that country or territory.
You are also permitted to transfer personal data outside the EEA without falling foul of the adequacy requirement if the entity receiving the personal data has an appropriate safeguard in place. These safeguards include:
- EU-US Privacy Shield - This is a streamlined transfer mechanism which allows personal data to be sent to recipient companies in the USA if they have successfully signed up to the EU-US Privacy Shield, a scheme which is administered by the US Department of Commerce. The EC has approved the Privacy Shield as safeguarding the fundamental rights of data subjects in the EU who have their personal data transferred to the USA. You can check to see whether a US company has signed up to EU-US Privacy Shield via www.privacyshield.gov.
- Standard Model Clauses - The EC has issued standard contractual clauses which cover the transfer of personal data to data controllers or data processors outside the EEA. The EC has approved these clauses as providing adequate safeguards to protect the rights and freedoms of data subjects. Any parties using these clauses must, of course, be satisfied that they are able to comply with them.
- Binding Corporate Rules (BCRs) - BCRs are internal rules which may be adopted by a large organisation to regulate the international transfer of personal data within the same corporate group, including transfers to entities located in countries which do not provide an adequate level of protection. BCRs need approval from the organisation’s local regulator (the ICO in the UK) before the organisation can rely on them.
The DPA provides a number of derogations to its general prohibition on transfer of personal data outside the EEA. The derogations most relevant to a business operating in the private sector are:
- the individual data subject consents to the transfer (this consent must be explicit where sensitive personal data is transferred)
- the transfer is necessary for the performance of a contract to which the data subject is a party
The ICO is able to fine a business up to £500,000 if it unlawfully transfers personal data outside the EEA.
What are the proposed changes under the GDPR?
In addition to making adequacy decisions relating to countries and territories, under GDPR the EC will also be able to decide that international organisations and specific industry sectors within a third country offer adequate levels of security and protection for the transfer of personal data. This means it will be possible for a business to transfer personal data to an entity within a country that does not have an adequate level of protection for personal data, provided that this entity is an organisation or works in an industry sector that does have an adequate level of protection.
Adequacy decisions will be reviewed by the EC every 4 years, and following review these decisions may be repealed, amended or suspended (albeit not retroactively).
Countries approved under the DPA (see above) will only be able to maintain their adequacy status if they revise their laws to be compliant with the GDPR. If they don’t, they are unlikely to retain their adequacy status. We are awaiting further guidance from the EU on this.
EU-US Privacy Shield
There are aspects of the EU-US Privacy Shield which do not comply with the requirements of the GDPR (e.g. the appointment of DPOs, DPIAs and privacy by design). It remains to be seen whether further amendments will be made to the EU-US Privacy Shield to make it compliant with the GDPR.
If your business currently transfers personal data to US companies that are self-certified under the EU-US Privacy Shield, you should consider whether any of the other lawful methods of transfer could be used instead, in case the EU-US Privacy Shield is not amended before the GDPR comes into force on 25 May 2018. As yet there has been no public discussion about this by the EU or the US Government.
Standard Model Clauses
There will be new GDPR-compliant standard clauses to replace the current ones. It is anticipated that these will work in the same way. No information has been given by the EU yet on when those standard clauses will be published.
The GDPR also permits the ICO to introduce standard model clauses, but these must be approved by the EU.
Binding Corporate Rules
BCRs will continue to be recognised as a valid means of transfer under the GDPR although their use is likely to continue to be limited to large international organisations.
The ICO will approve BCRs if they apply to every company within a group and confer enforceable rights on individual data subjects. The GDPR sets out the minimum requirements for what must be included in BCRs.
Codes of Conduct/Certification Schemes
The GDPR provides for the ICO to publish codes of conduct and/or certification schemes. No such codes or schemes have been established yet, but once they are, they will provide an additional lawful means of transferring personal data outside the EEA.
The GDPR derogations permitting transfer of personal data outside the EEA that are most relevant to private sector businesses are:
- the data subject explicitly consents to the transfer having been informed of the possible risk involved in transferring personal data where there is no adequacy decision or appropriate safeguards (unlike the requirement for the equivalent derogation under the DPA, explicit consent is required for all categories of personal data under the GDPR)
- the transfer is necessary for the performance of a contract between you (as data controller) and the data subject
Transfers not authorised under EU law
The GDPR makes it clear that it is not lawful to transfer personal data outside the EEA in response to a legal requirement from a third country, unless the requirement to transfer personal data is based on an international agreement or one of the other lawful grounds for transfer applies.
The maximum potential fine the ICO can impose on a business that breaches its obligations with regard to international data transfer under the GDPR is the greater of €20 million or 4% of its global annual turnover in the preceding 12 months.
What do businesses need to do now?
Businesses should evaluate whether their transfer of personal data will be compliant with the GDPR. Just because it is compliant under the DPA doesn’t mean it will automatically be compliant under the GDPR.
Businesses should document the applicable lawful methods of transfer in their data transfer policy – this should be reviewed and updated whenever there is a change to the personal data being transferred or the ways in which it is transferred outside the EEA. Having a data transfer policy will be one of the ways to help you demonstrate that you are complying with your obligations under the GDPR.
If you use third parties to process personal data on your behalf, does that involve transferring personal data outside the EEA? If you are procuring services from third parties which will involve handling personal data, you should make sure you include appropriate questions in your tender documentation.
If you would like any further information or advice on transferring personal data outside of the EEA, or the GDPR generally, please contact Atiq Bhagwan by email or call him for a free initial chat using the contact details below.