As we continue to embrace globalisation and interdependence with our peers across the world, we are continually reminded of the risks and benefits of engaging with countries outside the UK, whether through accessing the internet or taking a trip abroad. The same goes for businesses. What exactly do we need to be aware of when we, as a business based in the UK, think about transferring data internationally?
Defining Restricted Transfers – Do we need one?
It goes without saying that particular rules and regulations apply when we look to transfer data outside the UK – known as a ‘restricted transfer’ – but these can change, and whether a transfer is restricted depends on a set of conditions being met.
Importantly, the data itself must first be personal data as recognised by the UK GDPR. This is likely the case for your data, so long as it comes from the UK and relates to an identified or identifiable natural person (including by name, location, or factors specific to their physical, mental or economic identity). Secondly, the data must be sent to a receiver located outside the UK. If you are sending data under both of these conditions, then you are likely making a restricted transfer. But it doesn’t stop there – the next task is to establish how to make the restricted transfer within the rules of the UK GDPR.
The first, and easiest, provision that allows you to send personal data internationally applies when the destination is covered by UK adequacy regulations. Although Brexit is now well under way, the position with the EU on transferring data is currently much as it was before. The adequacy regulations set out a list of countries that are deemed to have ‘adequate’ data protection laws in place.
These countries include:
- European Economic Area (EEA) countries – all EU member states as well as Iceland, Liechtenstein, and Norway
- European Commission adequacy decision countries & territories – Andorra, Argentina, Canada (partial, as per PIPEDA), Faroe Islands, Guernsey, Isle of Man, Japan (private sector organisations), Jersey, New Zealand, Switzerland and Uruguay
- Gibraltar and South Korea
When sending personal data to these countries, no additional safeguards are required and you may transfer freely. However, it is worth noting that the UK government will continue to keep this list under review, and it is possible that future changes could require you to modify your approach.
If the country you are looking to transfer personal data to is not recognised under the UK adequacy regulations, then things get a little more complicated. First of all, you are required to undertake a transfer risk assessment to consider whether the protections the UK GDPR gives to individuals would be undermined by the transfer. The Information Commissioner’s Office (ICO) provides a tool to help complete the assessment, which can be found here. Additionally, we at Stephens Scown can provide guidance on completing the assessment properly, as it is known to be complex in many situations.
Once you have completed the risk assessment and are satisfied, you then need to consider which safeguard, listed in Article 46 of the UK GDPR, is appropriate to your situation.
The two most common are:
- Standard data protection clauses; and
- Binding corporate rules
Standard data protection clauses are the most relevant alternative to adequacy regulations for businesses, as they essentially act as a separate contractual agreement that imposes directly enforceable obligations on both the holder of the data (the data controller) and the receiver of the data (typically a data processor). You may be familiar with Standard Contractual Clauses (SCCs), especially if you have transferred data outside the UK and EEA before; these used to be the go-to for businesses in this situation. However, as of March 2022, they were replaced by International Data Transfer Agreements (IDTAs), which align with the terminology set out in the UK GDPR. It is worth noting that any SCCs entered into prior to September 2022 remain valid, but only until March 2024. At that point, you are required to enter into a new contract with the data receivers on the basis of an IDTA. We at Stephens Scown are also on hand to provide guidance on making new contracts compliant with these changes.
Binding Corporate Rules (BCRs) are particularly helpful if both you and the data receiver are part of the same multinational corporate group, group of undertakings or group of enterprises engaged in joint economic activity (including joint ventures, franchises and professional partnerships). This safeguard is regarded as the ‘Gold Standard’ by the ICO, and best demonstrates your commitment to compliance. In this instance, both the data holder and receiver are required to provide an extensive set of documentation, including an application form, draft binding instrument, draft BCR policy and BCR Referential Table. Whilst this may seem excessive, it provides a legally binding internal code of conduct that the parties can abide by for the life of the business, and so proves to be a long-term benefit. More information and guidance can be found via the ICO here.
Restricted Transfer Exceptions
In the event that your transfer of data satisfies neither the adequacy regulations nor an appropriate safeguard, there are a number of situations in which you can make the transfer under an exception. These include where you have the explicit consent of the person the data is about, where you have a contract with the person the data is about, where the transfer is necessary for you to enter into a contract or carry out obligations under one, or where the transfer is a ‘one-off’ that is necessary to meet your legitimate interests.
In any of these scenarios, you are expected to satisfy a number of conditions to validate the transfer, particularly as these kinds of transfer have the potential to leave your business and the personal data being transferred at their most vulnerable. It is highly recommended that you endeavour to rely on an adequacy regulation or appropriate safeguard, to ensure both your compliance with the UK GDPR and the safety of the data and your business.
Whilst we maintain a healthy relationship with both the EU and the US in applying these rules and regulations, it is worth noting the current state of affairs between those two parties themselves. Namely, there have been concerns over the adequacy of the protection afforded by the EU-US Data Privacy Framework. The European Parliament wants to ensure the framework ‘provides a solid, sufficient and future-oriented legal basis for EU-US data transfers’. Whilst this has no direct or immediate impact on our relations with either party, situations where your business is involved in a tri-party agreement could potentially be hampered should relations break down between the US and the EU.
Additionally, in the same way that we apply adequacy regulations when transferring data into the EEA, the EU has also adopted adequacy regulations covering transfers of data to the UK. However, these are only due to remain in place until June 2025 and will expire thereafter. If you receive personal data from the EU, this could therefore have a significant impact on your business, although the regulations could still be renewed by a Commission decision.
If you have any further enquiries regarding International Data Transfers, please feel free to contact our Intellectual Property, Data Protection & Technology team.
This article was co-written by Max Miliffe, Data Protection Specialist, and Joey Medway, Paralegal, in our Intellectual Property, Data Protection & Technology team.