EM Law | Commercial Lawyers in Central London
International data transfers solicitors
The United Kingdom General Data Protection Regulation (UK GDPR) sets out restrictions concerning the transfer of personal data outside of the United Kingdom. These restrictions were originally part of the wider European regime, which restricts transfers of personal data outside the European Economic Area (EEA), and they remain in place post-Brexit. Interestingly, however, international data transfers are one of the first areas of divergence between the UK and European Union data protection regimes. Ensuring that you have everything in place prior to making a ‘restricted data transfer’ outside of the UK (and EU) is complex.
What are restricted international data transfers?
Broadly speaking, the UK GDPR restricts the transfer of data outside the UK. The ICO states that a transfer is restricted if:
- the UK GDPR applies to your processing of the personal data that you are transferring. In general, the UK GDPR applies if you are processing personal data in the UK, and may apply in certain circumstances if you are outside the UK and processing personal data about individuals in the UK;
- you are sending personal data, or making it accessible, to an importer to which the UK GDPR does not apply. Usually this is because they are located in a country outside the UK; and
- the importer is a separate organisation or individual. So, for example, a transfer from a UK based organisation to its employee working outside the UK would not be classified as a restricted transfer.
It should however be noted that “transfer” does not mean the same as transit. If personal data is simply electronically routed through another country but the transfer is actually from one UK organisation to another, then it is not a restricted transfer. To give an example, a controller in Wales may transfer personal data to a processor in Scotland via a server in Australia. As there is no intention that the personal data will be accessed or manipulated while in Australia, the transfer is only to Scotland and is not classed as a restricted transfer.
If the above circumstances apply, then you will be making a restricted transfer of personal data. You must therefore have the appropriate safeguards in place to ensure that all personal data is protected to the same standard as under the UK GDPR, and to permit data subjects to enforce their rights under that legislation.
That stated, restricted transfers are permissible without additional protections if the importer is based in a country that the UK Government determines to have ‘adequate’ protections of personal data essentially equivalent to the UK GDPR. Currently, these countries are as follows:
- The EEA states (the EU member states and EU institutions, plus Iceland, Liechtenstein and Norway);
- Isle of Man;
- Canada (commercial transfers only);
- Faroe Islands;
- New Zealand;
- South Korea; and
Note that ‘the UK’ here refers only to its constituent nations, not to British Overseas Territories and Crown Dependencies, unless they are included in the list above.
If you are transferring personal data to an international organisation based in one of these countries, then there is no need to put in place the appropriate safeguards discussed below.
How can you make restricted international data transfers in compliance with the UK GDPR?
There are various ways to implement appropriate safeguards, which are set out in Article 46 UK GDPR. Prior to selecting a safeguard, the ICO encourages, but does not require, data exporters to undertake a transfer risk assessment. This assessment helps the exporter satisfy itself that the rights and protections afforded to data subjects under the UK GDPR are not undermined by the transfer, which it is required to do. To use one example, transfers to organisations based in countries that lack the rule of law will naturally pose a higher risk to the data subjects’ rights.
Once the data exporter has satisfied itself of the risks involved, it can then put an appropriate safeguard in place to make the restricted transfer.
The appropriate safeguards include putting in place Binding Corporate Rules (intra-group agreements conferring enforceable rights on data subjects against all group entities) or codes of conduct approved by the ICO.
But the most commonly used appropriate safeguards are Standard Contractual Clauses (SCCs) between the UK based data exporter and the internationally based data importer.
On 2 February 2022, the ICO published its International Data Transfer Agreement (IDTA) which is a template, freestanding agreement between the importer and exporter that incorporates the UK’s version of SCCs (available here). When the parties are to transfer personal data to each other, the IDTA provides a mechanism through which data subjects can enforce their rights even if the importer is based in, for example, Hong Kong. So if the Hong Kong based entity suffers a data breach, the UK based data subject will still have a cause of action against it (and, for the avoidance of doubt, potentially the UK based organisation!).
Both parties need to go through the IDTA carefully and ensure the relevant boxes are ticked and all of the placeholders are filled out. However, it is possible to incorporate the IDTA by reference into a wider agreement if the parties wish.
Prior to Brexit, the EU published its own EU SCCs that were applicable to the UK. They are still relevant to the current UK IDTA regime, as the IDTA is partly derived from the EU SCCs. Accordingly, where data is being exported from the UK and/or the EEA to a third, non-adequate country, UK based organisations can utilise an IDTA Addendum that incorporates the current EU SCCs and the UK SCCs.
To complicate matters further, the EU updated its SCCs on 4 June 2021 following the notable Schrems II judgment of the ECJ. If a UK based organisation entered into an agreement utilising only the old EU SCCs prior to 21 September 2022, these SCCs remain valid until 21 March 2024. After that point, the IDTA or IDTA Addendum must be used.
In the absence of an adequacy decision, or of appropriate safeguards, restricted international data transfers may still take place if they fall within one of the exceptions set out in Article 49 of the UK GDPR. Some of the exceptions include:
- Where the individual has given his or her explicit consent to the restricted transfer.
- Where the transfer is necessary for the performance of a contract with the individual.
- Where the transfer is necessary for important reasons of public interest.
- Where the transfer is necessary for the establishment, exercise or defence of legal claims.
Although useful, these exceptions should be used narrowly and only in exceptional cases. It should also be noted that the consent and contract exceptions cannot be relied upon by public authorities in the exercise of their public powers.