International data transfers

Latest news

The European Commission has issued a first draft of the proposed UK ‘adequacy decision’ to facilitate the continued free flow of personal data from the EU to the UK. The draft, which still needs to be approved and adopted by EU member states, indicates that the Commission intends to designate the UK’s data protection standards as being ‘essentially equivalent’ to those that apply in the EU.

This announcement is good news for many businesses which had been facing uncertainty over the future of EU-UK data flows after Brexit.

The EU-UK Trade and Cooperation Agreement provided a temporary solution by putting in place transitional arrangements from 1 January 2021 which permitted the continued transfer of personal data from the EU to the UK. This temporary solution, known as ‘the bridge’, expires on 30 June 2021, by which point the adequacy decision should have been adopted by the EU.

For data transfers from the UK to the EU, the UK government had already confirmed these are authorised to continue until at least 2024.

Going forward it will be important for the UK to maintain and build upon its current data protection standards in order to retain the finding of ‘adequacy’, because the Commission has the ability to suspend or withdraw an adequacy decision if future changes to UK data protection law are found to reduce the level of protection afforded to data subjects.

A particular risk to the UK’s adequacy status is the surveillance powers enjoyed by UK authorities under legislation such as the Investigatory Powers Act. Privacy campaigners argue that these powers undermine data protection standards and have already taken steps to challenge similar powers in the courts. The most recent example is the Court of Justice of the EU (CJEU) decision in last year’s ‘Schrems II’ case.

The draft adequacy decision is subject to the non-binding, but authoritative opinion of the European Data Protection Board following which it will be sent for the approval of the member states representatives before being adopted into law, hopefully before 30 June.

The UK GDPR restricts the transfer of personal data out of the UK (transfers into the UK from the EEA are governed by the equivalent rules in the EU GDPR). Transfers can take place if they are:

  • to a country on the white-list
  • made pursuant to a set of Model Clauses (also known as Standard Contractual Clauses, or SCCs)
  • made pursuant to binding corporate rules
  • made to an importer who has signed up to an approved code or obtained an approved certification

Transfers are also possible if one of the individual derogations applies.

The EU GDPR restricts the transfer of personal data out of the EEA (Norway, Liechtenstein and Iceland are outside the EU but inside the EEA; the GDPR has been incorporated into the EEA Agreement, so transfers to those three countries are treated as transfers within the EEA rather than as transfers to a third country). Transfers can take place if they are:

  • to a country on the white-list
  • made pursuant to a set of Model Clauses (also known as Standard Contractual Clauses, or SCCs)
  • made pursuant to binding corporate rules
  • made to an importer who has signed up to an approved code or obtained an approved certification

Transfers are also possible if one of the individual derogations applies.

Personal data can be transferred to countries on the ‘white-list’. Importantly for the UK and the EU, the UK and the EU/EEA countries are on each other’s white-lists, meaning that transfers between the UK and the EEA are deemed to go to a destination providing adequate protection.

The countries that the European Commission has identified as providing an adequate level of protection for personal data are: Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom and Uruguay.

The countries that the UK has identified as providing an adequate level of protection for personal data are: Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the EU and EEA member states and Uruguay.

Transfers to and from the EU and UK are also possible if one of the following individual derogations applies:

  • the transfer is made with the data subject’s explicit consent
  • the transfer is necessary for the performance of a contract with the data subject
  • the transfer is required on important public interest grounds or for legal claims
  • the transfer is necessary to protect the vital interests of the data subject
  • the transfer is made from a public register
  • the transfer is made under the new minor transfer exemption

Until July 2020, transfers were permitted to organisations in the US which had certified to the EU-US ‘Privacy Shield’. However, the Court of Justice of the European Union (CJEU) has ruled that the EU-US Privacy Shield is invalid and has raised questions about the adequacy of the protection offered to data subjects when their data is transferred to the US: https://www.crippspg.co.uk/media-and-tech/cjeu-schrems-ii-decision-what-now-for-international-data-transfers/.

The European Commission has released a new set of SCCs to cover the transfer of personal data from the EU to “third countries” such as the US (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en ). These new SCCs repeal and replace the existing SCCs, which date from 2001, 2004 and 2010.

The new SCCs reflect the GDPR requirements and place significant obligations on data importers, particularly importers acting as controllers. They also include the Article 28 GDPR processor terms, addressing a gap in the existing SCCs.

The new SCCs are drafted on a modular basis allowing for the following types of transfers (the last two of which were not covered by the existing SCCs):

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller.

The new SCCs should be used for any new transfers from the EU, and EU businesses relying on the existing SCCs should replace them with the new version by the end of 2022. However, because the UK had already left the EU when the new SCCs were adopted, they have no direct effect under the UK GDPR; UK businesses should therefore continue to use the old SCCs until the new IDTA / UK SCC Addendum (referred to below) comes into force.

Following the release of the new EU SCCs,  the Information Commissioner’s Office (ICO) has produced a draft set of UK-specific standard contractual clauses for restricted transfers from the UK. These UK SCCs are being referred to by the ICO as the international data transfer agreement (IDTA) and the ICO has launched a public consultation on the IDTA and related guidance (see: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/). This consultation covers the following three aspects:

  • Proposal and plans for updates to guidance on international transfers.
  • Transfer risk assessments.
  • The IDTA.

The IDTA can be used for many different transfer situations. In addition to allowing for the four transfer situations covered by the EU’s new SCCs as set out above, the IDTA also allows for transfers to other processors or controllers who may be unconnected (provided that this is on the instruction of the controller).

The IDTA is drafted using a ‘plain English’ approach and is divided into four parts:

  • Part one – Tables: including the parties, transfer details and signatures.
  • Part two – Extra Protection Clauses: This contains optional space for extra protection clauses to be added if the Transfer Risk Assessment identifies that additional measures are needed.
  • Part three – Commercial Clauses: This contains optional space for commercial clauses if the IDTA is not accompanied by a separate commercial agreement.
  • Part four – Mandatory Clauses: This contains the mandatory clauses and is the main body of the document.

As expected, given that both documents reflect the same GDPR requirements, the substance of the IDTA is largely similar to the new EU SCCs in terms of the concepts and commitments. The most notable differences between the two documents are:

  • The IDTA expressly allows for the existence of a separate commercial agreement between the parties and allows the parties to incorporate provisions of that commercial agreement (referred to in the IDTA as a ‘Linked Agreement’) by reference.
  • The IDTA allows the parties to negotiate their own audit provisions in a Linked Agreement and the IDTA audit provisions will only apply in the absence of such separately negotiated provisions.

In addition to the draft IDTA, the ICO’s consultation also includes a draft Addendum to the EU SCCs. This UK SCC Addendum allows UK businesses to use the new SCCs provided they are accompanied by the UK-specific addendum. This is good news for international businesses which will be keen to avoid having to use completely different documents for transfers of data from the UK and the EU. Instead they can use the new EU SCCs and UK SCC Addendum to cover all restricted transfers whether from the UK or the EU.

The existence of this draft UK SCC Addendum raises the question as to whether the IDTA will actually be used in practice.

In response to the decision in the Schrems II case and the EDPB’s recommendations, the new EU SCCs require the parties to warrant that they have no reason to believe that the laws and practices in the destination country prevent the importer from fulfilling its obligations under the new SCCs and also require the parties to assess transfer risks, including those specific to the destination country.

Similar transfer risk assessments (TRAs) are required for restricted transfers of data from the UK and the ICO’s consultation includes a draft TRA tool and related guidance which is intended to make it easier for businesses to understand the extent of their obligations when considering making international transfers of personal data (see: https://ico.org.uk/media/about-the-ico/consultations/2620397/intl-transfer-risk-assessment-tool-20210804.pdf).

SCCs are not required for the transfer of personal data between the UK and the EU as a result of the EU Commission adopting decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED) in June 2021. In both cases, the European Commission found the UK to be adequate, meaning that most data can continue to flow between the UK and the EU without the need for additional safeguards. The adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, different rules apply and the EEA sender needs to put other transfer safeguards in place.

Binding corporate rules (BCRs) are a set of binding rules adopted by multinational organisations and approved by national regulators to ensure the protection of personal data in multiple jurisdictions. BCRs have been in place for some time but the GDPR finally places BCRs on a statutory footing and also sets out uniform criteria for the approval of BCRs across the EU and removes the obligation to obtain additional approval from other data protection authorities for transfers of personal data based on BCRs. BCRs tend only to be used by very large companies with significant volumes of data, as the time and expense involved in the process is significant.

Where businesses operate across multiple EU member states, they will want to identify their lead data protection supervisory authority. This will apply where:

  • a business is established in two or more EU member states and processes personal data in relation to its activities in those member states
  • a business is only established in one EU member state but processes personal data in a way which substantially affects, or is likely to substantially affect, data subjects in more than one EU member state

In these circumstances the lead data protection supervisory authority will be the main data protection regulator (i.e. the one-stop-shop) that the business deals with in relation to its GDPR compliance issues, such as registering its DPO, notifying personal data breaches, handling data protection complaints and undertaking enforcement activity relating to cross-border processing. To avoid ‘forum-shopping’, the Article 29 Working Party (the EU body then tasked with data protection guidance, now the European Data Protection Board) has published Guidelines for identifying a lead supervisory authority.

If you are a UK-based controller or processor of personal data which has no offices, branches or other establishments in the EEA but which offers goods or services to individuals in the EEA or which monitors the behaviour of individuals in the EEA, you will need to:

  • Appoint a representative in the EEA (unless you are exempt, see below). This representative will need to be established in an EEA state where some of the individuals whose personal data you are processing are located. Your European representative may be an individual or a company or organisation established in the EEA (for example, a law firm, consultancy or private company).
  • Put in place a service contract or other written mandate for your European representative authorising them to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
  • Update your privacy notice and website to include contact details and other information about your European representative.

You will not need to appoint a European representative if:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

A business located in the EU (or otherwise outside of the UK), but which is still required to comply with UK data protection law (for example because it offers goods or services to individuals in the UK or because it monitors the behaviour of individuals in the UK), must appoint a UK representative, subject to the same exemptions for public authorities and occasional, low-risk processing.