Ever increasing globalisation and increasing reliance on cross-border data transfers in day-to-day business means organisations within the European Economic Area (EEA, EU + Norway, Iceland, and Liechtenstein) regularly transferring data outside of this area, need to ensure they are up-to-date with the guidance from supervisory authorities.
The Information Commissioner’s Office (ICO) has recently published an updated guidance for international transfers under Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR). The guidance provides clarification regarding (a) where a transfer of personal data is considered a ‘restricted transfer’ and (b) which mechanisms can be deployed in this case to transfer personal data. This piece offers a brief summary of their detailed guidance.
Restricted transfers
A ‘restricted transfer’ is a transfer of personal data outside the protection of the GDPR. Typically, restricted transfers take place when personal data, protected in Europe by the GDPR, is transferred to a third country (i.e., a country outside the EEA, where the GDPR does not automatically apply).
The guidance explains that the transfer is considered a restricted transfer if the following three conditions apply:
- The personal data to be transferred falls within the scope of the GDPR (e.g., the individuals to whom the data relates are EU residents);
- The personal data will be sent and/or made accessible to a receiver to which the GDPR does not apply (e.g., an organisation that is exclusively established outside the EEA);
- The receiver is a separate entity (organisation or individual), who is not employed by you or your organisation.
How to make a restricted transfer
Restricted transfers can be made, but organisations must ensure that they comply with a number of perquisites. Below is a ‘prioritised’ list of such prerequisites.
Has the European Commission made an ‘adequacy decision’ about the country or international organisation?
An adequacy decision is issued by the European Commission (EC) when a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. An adequacy decision allows a restricted transfer to take place to the country with the adequacy decision as if it were transferred within the EEA.
Currently, 10 countries received an adequacy decision. The Commission have also partially recognised Canada (under PIPEDA) and the United States of America (under the Privacy Shield Framework).
Due to the low number of countries currently granted an adequacy decision, the scope of application of this prerequisite is rather low. Nonetheless, the involved countries represent a relevant percentage of data transfers from and to the EU.
Is the transfer covered by the appropriate safeguards?
‘Appropriate safeguards’ are mechanisms that ensure compliance with data protection laws and regulations and safeguard the rights of data subjects who are in the EU.
These safeguards are contained the GDPR (Article 46 and Recital 108) and include the following:
- A legally binding and enforceable instrument between public authorities or bodies.
Restricted transfers can be made from a public authority or body to another public authority of body, if the parties involved have signed a legally-binding agreement containing enforceable rights by data subjects concerned by the transfer.
- Binding corporate rules
Intra-group restricted transfers can be made if both entities have signed up to a group document called ‘binding corporate rules’ (BCRs). The EC website currently shows there are only 132 groups signed up to BCRs globally, with many of these being large multinational organisations.
- Standard data protection clauses adopted by the EC (SCCs)
A restricted transfer can be made if both the sender and the receiver have entered into a contract incorporating standard data protection clauses adopted by the EC.
The EC plans an update to these SCCs in the near future to align them with the GDPR. However, these Data-Protection-Directive-based clauses can still be used for new contracts.
The remaining safeguards all relate to mechanisms which do not exist yet – for instance, certification schemes which recognise organisations’ commitments to data protection, allowing restricted transfers to take place to them. However, it is still important to consider them now and how they will shape data protection in the near future.
Is the restricted transfer covered by an exception?
Without an adequacy decision or an appropriate safeguard, Article 49 GDPR provides that a restricted transfer can only be made if one of the following apply:
- Has the individual given their explicit consent to the restricted transfer?
- Does the organisation have a contract with the individual? Is the restricted transfer necessary for the performance of that contract?
- Does the organisation have (or is it entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for the organisation to enter into that contract?
- Does the organisation need to make the restricted transfer for important reasons of public interest?
- Does the organisation need to make the restricted transfer to establish if they have a legal claim, to make a legal claim or to defend a legal claim?
- Does the organisation need to make the restricted transfer to protect the vital interests of an individual? He or she must be physically or legally incapable of giving consent.
- Is the organisation making the restricted transfer from a public register?
- Is the organisation making a one-off restricted transfer and it is in their compelling legitimate interests?
These exceptions should be relied upon as a last resort. However, it is always preferable to make a restricted transfer with either an adequacy decision or an appropriate safeguard in place.
Conclusion
The publication of the ICO’s guidance provides much-needed clarification and guidance to an area of particular importance, especially in the run up to the UK’s withdrawal from the EU.
However, this guidance is still a stepping stone. The European Data Protection Board (EDPB) is currently working on its own guidance in relation to International Transfers. This guidance, once published, should contain further definitive information.
