Rocio de la Cruz, Partner in the Technology team at BPE Solicitors, discusses what needs to be considered when transferring data to other countries.
Since the General Data Protection Regulation (“GDPR”) and supplementary domestic legislation came into force, organisations in the UK which process personal data have been working to achieve an acceptable level of compliance with the additional obligations the new data protection regime brought with it. In this journey to compliance, we have seen diversity in approaches and opinions concerning how to interpret and apply the GDPR rules. Recently, concerning what to do in the context of international transfers of data, since ensuring that data is transferred to (or accessed from), for example, the US or India, without facing risks of being issued with fines or claims for compensation has become a real challenge. To do so, a detailed Transfer Risks Assessment must be carried out. From my experience, the starting point for a Transfer Risks Assessment is going through the following steps:
- Check the GDPR legal data protection regime to which the organisation is subject: Is the company subject to UK GDPR only, or both UK and EU GDPR? Taking this step is crucial in particular if the transfer is restricted and meant to rely on Standard Contractual Clauses since, for now, and until updated mechanisms are approved in the UK, the content of valid Standard Contractual Clauses is different under each regime.
- Is the transfer, actually, an International Transfer? This is a relevant point as the term “International transfer” is broadly interpreted. For example, data hosted in the UK that is remotely accessed from a third country by a third-party contractor or group company, is an international transfer. However, if the data is accessed from the same third country by an employee of the UK entity, it is not considered an “International Transfer”. In the latter context, GDPR will still apply, but the organisation will not be subject to the rules governing international transfers of data.
- Is it a restricted transfer but to an adequate third country? The list of territories and organisations considered adequate by the UK Government can be found here. It is relevant to note that in a “law enforcement” context, the list of countries considered adequate is shorter.
- In the absence of adequacy, can the data be transferred by relying upon a legal exception? These exemptions are listed in Article 49 of both the UK and EU GDPR and can only be applied in exceptional and non-repetitive transfers.
- If none of the above apply, the exporter of the data is under obligation to put in place adequate measures, by implementing one of the mechanisms that the GDPR lists. This is where the real challenge comes for the reasons set out below. There are several mechanisms available under GDPR, some of which (such as Certification and Code of Practice schemes) are currently being progressed by regulators in order to effectively offer a wider range of options to data exporters. However, I focus on the use of Standard Contractual Clauses which is the mechanism used the most and by default.
Using Standard Contractual Clauses
Standard Contract Clauses (SCCs) are model clauses formally approved that can be put in place between the exporter and the importer as a valid mechanism to allow international transfers of data to “third countries”. By third countries I mean only those that have not been granted with adequacy decisions by the UK Government (or the European Commission – if under EU GDPR) such as the US, Australia, Colombia, China, or India, amongst others.
For now, we have different types of SCCs available depending on whether we apply UK GDPR or EU GDPR. In the UK, the Information Commissioner’s Office (“ICO”) approved a set of SCCs to be applied after Brexit. In the EU, the European Commission has recently approved an updated set of SCCs the content of which now differ from the UK clauses and these new EU SCCs have not been approved by the ICO as a valid mechanism for transfers of data under the UK GDPR. This could mean that a UK business subject to both UK and EU GDPR international transfers may need to implement both UK and EU SCC models with their customers or services providers.
I wish for a mutual recognition of UK/EU SCCs so UK and EU businesses could use either the UK or EU SCCs as valid mechanisms. This would help simplifying things while maintaining the level of protection required in both regimes. In other words, if this happens, businesses will not need to bother customers or contractors with repeated documentation that will need to be revised by legal advisers, discussed, negotiated, agreed and implemented, when one sole set of Clauses would achieve the same purpose. Until then the simplest approach that I have found is to incorporate both clauses by reference in a wrapping agreement and share the necessary details and supplementary measures, all of which is incorporated to both sets of clauses in the wrapping document.
What else must be considered?
For a complete Transfer Risk Assessment (“TRA” also known as Transfer Impact Assessment or “TIA”), the exporter of the data should take into account what laws affecting privacy rights are applicable in the third country and how they apply in practice. If risks are identified and cannot be mitigated, then the transfer isn’t able to take place unless the data protection authority (ICO in the UK) is notified of the transfer and does not object to it.
Considering the legislation applicable in each territory that affects data subjects’ rights (or the lack of it) is a more detailed exercise that, in high risk scenarios may require specialist advice to ensure that data is transferred correctly, using the appropriate measures and that any risks have been assessed and mitigated before a transfer is made.
For advice on transferring data internationally or any other data related matters, contact Rocio de la Cruz at Rocio.firstname.lastname@example.org or call 01242 248233
LinkedIn: BPE Solicitors LLP