A Guide to GDPR International Transfers – Technology Security Information

7 mechanisms you can rely on for restricted transfers

The UK GDPR (General Data Protection Regulation) offers a high standard of data protection – but its scope is limited to organisations based or operating in the UK.

So, what happens if you transfer the personal data outside the country?

The GDPR requires UK residents’ data to be offered the same level of protection, whether processed at home or abroad.

How? By demanding that organisations put adequate safeguards in place for ‘restricted transfers’ of personal data.

This blog explains what restricted transfers are, and the safeguards you’re allowed to rely on under the UK GDPR. I’ll also touch on the EU GDPR, where appropriate.

In this guide

What is a ‘restricted transfer’ under the UK GDPR?

To send personal data outside the UK – i.e. to make a ‘restricted transfer’ – data controllers and processors must provide an adequate level of security to protect:

The personal data being processed; and
The rights and freedoms of data subjects.

Organisations subject to the UK GDPR must also consider relevant laws of the countries involved, and ensure the personal data can’t be accessed by other entities* without the data subject’s knowledge.

There are three conditions for the transfer to be considered ‘restricted’ under the UK GDPR:

The personal data you want to transfer is subject to the UK GDPR.
You’re initiating and agreeing to send personal data to (or make it available to) a recipient outside the UK.
The recipient is a separate, legally distinct organisation (or individual) from you.

Restricted transfers can include Cloud storage, automated systems for data processing, and even analytics providers.

*These ‘other entities’ include law enforcement agencies, which are more prone to accessing people’s data under local national laws. For example, the FBI uses FISA Section 702 to collect ‘foreign intelligence information’ from non-US residents. The UK GDPR doesn’t allow this without the person’s knowledge.

How different is that from the EU GDPR?

The requirements are broadly the same, but looking at it from an EEA rather than a UK perspective:

The data controller/processor linked to processing activity is subject to the EU GDPR.
The controller/processor transfers the data, or makes it available to, another organisation.
That organisation is outside the EEA, or it’s an international organisation.

Let’s look at seven mechanisms for international personal data transfers under the UK and, where applicable, EU GDPR.

Mechanism #1: Adequacy decisions

Relying on an adequacy decision is usually the easiest safeguard to rely on for international transfers.

The UK’s adequacy regulations grant countries or territories deemed to provide ‘adequate’ protection to personal data, and to data subjects’ rights and freedoms, an adequacy decision.

That means personal data may flow freely between the UK and these ‘adequate’ countries. The EU GDPR offers an equivalent mechanism under Article 45 (‘transfers on the basis of an adequacy decision’).

Under the UK GDPR’s adequacy regulations, the EEA and all countries with an adequacy decision under the EU GDPR are covered. These are:

Andorra
Argentina
Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Faroe Islands
Finland
France
Germany
Gibraltar
Greece
Guernsey
Hungary
Iceland
Ireland
Isle of Man
Israel
Italy
Jersey
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
South Korea
Spain
Sweden
Switzerland
Uruguay

In addition, Canada, Japan and the US have received partial adequacy decisions under both the UK and EU GDPR.

Also note that personal data can flow freely between public authorities internationally.

What about Brexit?

When it comes to international transfers, we’ve only seen one meaningful change in recent years: Schrems II.

Though there are differences between the UK and EU GDPR, of course, for transfers to third countries, little has changed because of the mutual adequacy decision.

Put differently, personal data may flow freely between the UK and EU/EEA. And since the remaining countries with adequacy decisions are identical for the UK and EU GDPR, little has changed.

Mechanism #2: International data transfer agreement

Under the EU GDPR, we had the SCCs (standard contractual clauses). After the EU updated them, the UK ICO (Information Commissioner’s Office) updated its equivalent mechanism to the IDTA: international data transfer agreement.

Organisations subject to the UK GDPR must now use the IDTA, as the transition period ended in March 2024.

The idea for both the EU SCCs and UK IDTA is that they’re model contractual clauses, available on the European Commission and ICO websites respectively. If you use them without change, they should comply with the Article 28 requirements of the EU and UK GDPR.

More specifically, you complete the first 8 pages the IDTA. The remaining 28 pages are all the mandatory clauses you cannot amend nor remove.

You can, however, add more clauses, but these may not change or take away from the meaning of the pre-written text.

Remember the transfer risk assessment tool!

Many people overlook the TRA (transfer risk assessment) tool – a 41-page risk assessment also on the ICO website – which sits alongside the IDTA.

This TRA is designed to tell you whether you can go ahead with the international transfer of personal data in question.

Like any other risk assessment, you must determine the level of risk, and decide whether it’s acceptable as-is, or requires treatment to bring it down to an acceptable level. You must also include them on your risk register.

Mechanism #3: Binding corporate rules

BCRs (binding corporate rules) under both the UK and EU GDPR are for international organisations.

Suppose you have offices in the UK, Australia and mainland China. If you took the IDTA/SCC approach here, you’d need six contracts (and risk assessments), just to have the free flow of personal data between all entities.

That’s where the BCRs come in. These rules allow all entities involved within a global organisation to have data flow freely between all entities within it.

In effect, the BCRs are a contract that, like the IDTA, covers the requirements of Article 28, but the ICO (or, for the EU GDPR, your supervisory authority) must sign it off. Its website has more information about the application process.

That’s for the GDPR. What about international privacy laws?

Using my earlier example again, Australia and mainland China each have their own national laws, as do most countries around the world. So, your BCRs must reference the Australian Privacy Act and the Chinese Personal Information Protection Law.

However, when dealing with international organisations, you can get complications on the other (non-UK/EU) side.

For example, I remember doing some GDPR work for a large Saudi Arabian organisation. A national law prevented it from being allowed to report data breaches with a risk to data subjects outside the country.

For clarity: it may report data breaches to the local authorities, but not internationally. And where you have competing laws, the strictest always applies.

When dealing with a situation like that, you need to find a workaround – for example, publish a statement your website like: ‘Please be aware that you might want to change your password at your earliest opportunity.’

It’s not ideal, but it makes the best of an awkward situation. It’s taking a risk-based approach to compliance.

Mechanism #4: Codes of conduct

Under Article 40 of both GDPRs, organisations can rely on approved codes of conduct to transfer data internationally. However, the UK doesn’t currently have any, so can’t use them.

The EU, on the other hand, has multiple Article 40 codes of conduct available for certain types of data processing, within certain third countries.

Mechanism #5: Certification

Another provision under Article 42 of both GDPRs is certification.

The UK has several certification schemes. However, the only one approved under Article 42 that can also be used for international transfers is ADISA ICT Asset Recovery Certification 8.0. Furthermore, this scheme is only available to processors or sub-processors providing data sanitisation services.

The EU GDPR currently has Europrivacy^/®, but this certification mechanism doesn’t account for international transfers, and can’t be used outside the EU or EEA.

However, a new mechanism – Interprivacy – is being developed, which is designed to meet the Article 46(2)(f) requirements of the EU GDPR, extending Europrivacy as an approved mechanism for international transfers.

Mechanism #6: International data transfer derogations

Article 49 of the UK and EU GDPR allow “derogations for specific situations”. You should only rely on this mechanism if you can’t rely on any of the above.

The derogations permit you to make restricted transfers if:

The data subject has explicitly consented;
The transfer is necessary to perform a contract;
The transfer is necessary to protect someone’s vital interests;
The transfer is necessary for “important reasons of public interest”;
The transfer is necessary to establish, exercise or defend legal claims; or
You’re making the transfer from a register intended to provide information to the public.

These types of transfers should be infrequent and concern a limited number of data subjects.

Also, if you rely on a derogation, make sure you record (in your Article 30 ROPAs) the safeguards you’ve put in place for the data transfer.

Mechanism #7: Compelling legitimate interest

The final mechanism is compelling legitimate interests. Specifically, both Regulations say in Article 49(1)(g):

[The international transfer] is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.

As is standard with legitimate interests, you must inform the data subject of that interest, as well the international transfer. You must also inform your supervisory authority.

Unlike the lawful basis legitimate interests, there’s no assessment for this. However, you must keep records that show your decision-making process around what the legitimate interest was, why you deemed this the appropriate transfer method, that you’ve informed your data subjects, etc.

Like the derogations, this mechanism should be used in moderation.

How to choose the right mechanism

Seven mechanisms, with variations between the UK and EU GDPR, can feel overwhelming.

The good news is that those differences are minor, as both GDPRs share the same principles. Moreover, the bulk of personal data transfers are covered by the first three mechanisms:

Adequacy
IDTA/SCCs
BCRs

Between these three, the correct mechanism is often fairly obvious.

In short, rely on adequacy if you can. If you can’t, use the BCRs if you’re an international organisation; otherwise, use the IDTA (UK GDPR) or SCCs (EU GDPR).

Get professional legal support

Want peace of mind that your data protection documentation and commercial agreements conform to the GDPR?

Our specialist legal and privacy team at our sister company, GRCI Law, can help you draft, review and update:

Privacy notices;
Supplier contracts;
Data protection policies; and
International data transfer agreements.

Ensure you have the appropriate legal provisions – such as the appropriate contractual clauses – in place for international transfers.

Get started

We first published a version of this blog in January 2018.

The post A Guide to GDPR International Transfers appeared first on IT Governance UK Blog.