International data transfers from the EU
EU data protection law has evolved to provide common standards for data protection across Member States. With that evolution the EU now expects “adequacy” of data protection laws from third countries outside the EEA.
This expectation was codified in the Data Protection Directive (1995), which prohibited the transfer of personal data from the EEA to a third country that does not ensure an adequate level of protection (recital 57).
With the adoption of the GDPR and the 2018 Data Protection Acts in both the UK and Ireland, the enforcement of, penalties for and focus on this prohibition have been stepped up dramatically.
The limitation on data transfers across borders is increasingly important in a world where technological developments have exponentially increased the scope for and reality of international data transfers.
EU Adequacy Decisions
The EU Commission is responsible for making adequacy decisions, and only fourteen decisions have been made since 1995. These are decisions that a third country’s legal system (as a whole) provides adequate levels of protection for EU data. This list includes the “Safe Harbour” agreement with the United States of America, which was found unlawful after Snowden and later replaced by “Privacy Shield”.
If the United Kingdom leaves the European Union and the European Economic Area, it will – absent special arrangements – become a third country for the purposes of EU data protection law. Data transfers between the UK and EU will no longer take place under common legislative rules but (in areas falling within the scope of the GDPR) as international data transfers subject to Chapter V of the GDPR.
The UK and EU share a common set of rules and regulations. Moreover, the UK has indicated its intention to give effect to the GDPR notwithstanding its decision to leave the EU. This certainly represents a strong basis for negotiations on an appropriate adequacy agreement.
However, concerns have been raised about whether UK legislation – such as the wide-ranging Investigatory Powers Act 2016 – would comply with the EU data protection regime as interpreted by the Court of Justice. There are therefore likely to be certain challenges in reaching an appropriate adequacy framework, which would take an indeterminate period of time.
The Irish Data Protection Commission has issued guidance on transfers of personal data to the United Kingdom in the event of a no-deal Brexit. As this guidance notes, in a “no-deal” Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. This means that transfer of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Australia, India or Brazil.
What this means in practice is that, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
What the ICO (using the term “restricted transfer”) has said is that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will be permitted. But it goes on to say that the British Government will keep this under review.
Broadly speaking, there are two routes to ensure that a business can transfer data to a country that doesn’t have an adequacy decision (Art 45).
Which one to follow depends on whether the transfer is between companies (Art 46) or inside a company or group of companies (Art 47).
International data transfers between companies
Standard Contractual Clauses (SCCs) can be used to protect data flows between companies. In addition to SCCs, the data exporter must perform due diligence to assure itself that the recipient has the organisational, operational and technical abilities to effectively protect the data. The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. There are two sets of standard contractual clauses for restricted transfers between a controller and a controller, and two sets between a controller and a processor.
Companies that process personal data of EU residents and don’t have an establishment in the EU have an extra step to take. Art. 27 means that most such companies have to designate a representative in the EU for data protection purposes. The representative has to be accessible by both the local DPA and the data subjects whose data is being processed. This is more than just an administrative exercise and needs to be taken seriously by the representative, as Recital 80 makes clear: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”
International data transfers inside a company
Binding Corporate Rules can be used within a corporate group or to a group of overseas service providers. BCRs are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group entities. This may be a corporate group or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures. You must submit BCRs for approval to an EEA supervisory authority in an EEA country where one of the companies is based.
Before starting work on BCRs, it is wise to reach out to and become familiar with the lead DPA. The development and approval process can be very lengthy, and badly drafted BCRs can be rejected, causing further delays.
If you have any queries about this or any other elements of EU data protection law, please contact us.