International data transfers
The European Commission has issued a first draft of the proposed UK ‘adequacy decision’ to facilitate the continued free flow of personal data from the EU to the UK. The draft, which still needs to be approved and adopted by EU member states, indicates that the Commission intends to designate the UK’s data protection standards as being ‘essentially equivalent’ to those that apply in the EU.
This announcement is good news for many businesses which had been facing uncertainty over the future of EU-UK data flows after Brexit.
The EU-UK Trade and Cooperation Agreement provided a temporary solution by putting in place transitional arrangements from 1 January 2021 which permitted the continued transfer of personal data from the EU to the UK. This temporary solution, known as ‘the bridge’, expires on 30 June 2021, by which point the adequacy decision should have been adopted by the EU.
For data transfers from the UK to the EU, the UK government had already confirmed these are authorised to continue until at least 2024.
Going forward, it will be important for the UK to maintain and build upon its current data protection standards in order to retain the finding of ‘adequacy’, because the Commission has the ability to suspend or withdraw such adequacy decisions if future changes to UK data protection law are found to reduce the level of protection afforded to data subjects.
A particular risk to the UK’s adequacy status is the surveillance powers enjoyed by UK authorities under legislation such as the Investigatory Powers Act. Privacy campaigners argue that these powers undermine data protection standards and have already taken steps to challenge similar powers in the courts. The most recent example is the Court of Justice of the EU (CJEU) decision in last year’s ‘Schrems II’ case.
The draft adequacy decision is subject to the non-binding but authoritative opinion of the European Data Protection Board, following which it will be sent for the approval of the member states’ representatives before being adopted into law, hopefully before 30 June.
International data transfers
The GDPR places restrictions on the transfer of personal data into and out of the EU (Norway, Liechtenstein and Iceland are outside the EU but inside the EEA, and it is not entirely clear at this point how they will be treated under the GDPR). Transfers can take place if they are:
- to a country on the white-list
- to a US organisation which has committed to the ‘Privacy Shield’
- made pursuant to a set of Model Clauses
- made pursuant to binding corporate rules
- made to an importer who has signed up to an approved code or obtained an approved certification
Transfers are also possible if one of the following individual derogations apply:
- the transfer is made with the data subject’s explicit consent
- the transfer is necessary for the performance of a contract with the data subject
- the transfer is required on important public interest grounds or for legal claims
- the transfer is necessary to protect the vital interests of the data subject
- the transfer is made from a public register
- the transfer is made under the new minor transfer exemption
Personal data can be transferred to countries on the ‘white-list’. These are countries that the European Commission has identified as providing an adequate level of protection for personal data. This list comprises the following 11 countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
Transfers are also permitted to organisations in the US which have committed to the EU / US ‘Privacy Shield’ although these organisations are not technically considered to be on the white-list.
The GDPR continues to allow transfers of personal data based on standard data protection clauses (the Model Clauses) adopted by the European Commission. The Commission has previously issued two sets of standard Model Clauses for transfers from data controllers to data controllers established outside the EU (C2C), and one set for transfers to data processors established outside the EU (C2P); these will continue to apply under the GDPR. One of the key improvements introduced by the GDPR is the abolition of the current process which requires certain transfers based on standard Model Clauses to be notified to, or approved by, data protection authorities.
Use of binding corporate rules
Binding corporate rules (BCRs) are a set of binding rules adopted by multinational organisations and approved by national regulators to ensure the protection of personal data in multiple jurisdictions. BCRs have been in place for some time, but the GDPR finally places BCRs on a statutory footing, sets out uniform criteria for the approval of BCRs across the EU, and removes the obligation to obtain additional approval from other data protection authorities for transfers of personal data based on BCRs. BCRs tend only to be used by very large companies with significant volumes of data, as the time and expense involved in the process is significant.
Operations across multiple EU member states
Where businesses operate across multiple EU member states, they will want to identify their lead data protection supervisory authority. This will apply where:
- a business is established in two or more EU member states and processes personal data in relation to its activities in those member states
- a business is only established in one EU member state but processes personal data in a way which substantially affects, or is likely to substantially affect, data subjects in more than one EU member state
In these circumstances the lead data protection supervisory authority will be the main data protection regulator (i.e. the one-stop-shop) that the business deals with in relation to its GDPR compliance issues, such as registering its DPO, notifying data security breaches, handling data protection complaints and undertaking enforcement activity relating to cross-border processing. To avoid ‘forum-shopping’, the EU working party tasked with data protection guidance has published Guidelines for identifying a lead supervisory authority.
Post-Brexit, the rules on international data transfers will become even more relevant to the UK because the UK will no longer be an EU member state (for more information see “Impact of Brexit”).