International data flows: What to consider when transferring data to “third countries”
Since the General Data Protection Regulation (“GDPR”) came into force, raising the standards for privacy and data protection rights, organisations in the UK that process personal data have been building data protection compliance programmes, security rules and accountability documentation practices to reach an acceptable level of compliance with the additional obligations it brought.
Although the GDPR’s rules, new at the time, grew out of discussions about how previous legal regimes (e.g., the Data Protection Act 1998) should be interpreted in a modern, technology-driven world, organisations still ask for clarification on how to interpret and implement them in practice. We see differing opinions (sometimes from different data protection regulators) about which approach is the most reasonable. This is partly because a minor change of circumstances may alter what is “reasonable” and “acceptable”, since data protection standards must be assessed case by case, weighing elements such as the type of personal data processed, the reasons why the personal data is used, the parties involved in the processing, and whether the people concerned (data subjects) would expect the organisations to use their data in the way they intend to.
A challenge that many organisations currently face concerns the international transfer of data. Ensuring that data is transferred to (or accessed from), for example, the US or India without facing the risk of fines or claims for compensation has become what some clients have described as a “great burden” and an “exhaustive exercise”.
Also relevant in the context of international transfers is the fact that a considerable number of ordinary UK businesses are likely to be subject to two GDPR data protection legal regimes: the “UK GDPR” (the GDPR as converted into UK law after Brexit, supplemented by the Data Protection Act 2018) and, if applicable, the “EU GDPR” (the GDPR that still applies to all EEA countries and beyond, due to its extraterritorial effect). In other words, a UK-based company might be subject to both the UK GDPR and the EU GDPR even if it has only a UK legal entity operating from a UK location, for example if it sells goods or services to EU individuals. Although this has been a minor concern so far, because the two regimes are for now basically similar, when it comes to international transfers of data there are, for now, relevant differences, which I detail below in this article.
Before addressing those differences, there are other initial steps that I recommend following as the starting point of a Transfer Risk Assessment exercise. These are as follows:
- Confirm whether the company is subject to the UK GDPR only, or to both the UK and EU GDPR.
- Check: Is this an international transfer? This is a relevant point since the term “international transfer” is broadly interpreted. For example, data hosted in the UK that is remotely accessed from a third country by a third-party contractor or group company is an international transfer. However, if the data is accessed from the same third country by an employee of the UK entity, it is not considered an “international transfer”. In the latter case, the GDPR still applies, but the organisation is not subject to the rules governing international transfers of data. Equally, almost surreal scenarios may happen. For example, a UK entity that is subject to the EU GDPR and transfers data to a provider that is also based in the UK is, in the European Data Protection Board’s eyes, undertaking an “international transfer” to a third country. In this case, though, no further action is required, since the UK is considered an “adequate country” (it has been granted an adequacy decision by the European Commission).
- Check: Is it a restricted transfer, but to an adequate third country? This is the case when the country or international organisation to which the data is transferred has been granted an adequacy decision by the UK Government or (when applying the EU GDPR) the European Commission. The list of territories and organisations considered adequate by the UK Government can be found here. It is relevant to note that in a “law enforcement” context, the list of countries considered adequate is shorter.
- In the absence of adequacy, my next recommended step is to consider whether the data can be transferred by relying on a legal exception. These exemptions are listed in Article 49 of both the UK and EU GDPR. Their application is, for now, narrowly interpreted, which means that relying on one of them will be considered compliant only for exceptional and non-repetitive transfers. Where that is the case, relying on the suitable exemption and keeping records of the rationale behind the decision is, with no hesitation, the preferred way. The Information Commissioner’s Office (“ICO”) has published guidance on the application of these exemptions, which can be found here.
- Otherwise, the exporter of the data is obliged to put in place adequate safeguards by implementing one of the mechanisms that the GDPR lists. This is where the real challenge lies, for the reasons set out below.
First, the most frequently used mechanism to allow international transfers of data to restricted “third countries” is the implementation of Standard Contractual Clauses (“SCCs”) between the exporter and the importer. As a reminder, restricted third countries are those that have not been granted an adequacy decision by the UK Government (or the European Commission, if under the EU GDPR), such as the US, Australia, Colombia, China or India, amongst others. However, what seems to be an easy thing to do (put in place data processing arrangements between two parties) has turned into a task that needs greater care:
First of all, because currently in the UK there is one set of SCCs (with controller-to-controller and controller-to-processor models) approved by the ICO (“UK SCCs”) for transfers of data to third countries to which the UK GDPR applies. These current UK SCCs differ from the most recent version of the SCCs approved by the European Commission for transfers of personal data to a third country when the transfer is subject to the EU GDPR (“EU SCCs”).
The above means that a UK business might need to implement both SCC models with, for example, a single service provider or customer. The European Data Protection Board has clarified in one of its latest guidelines (recently published and under consultation - available here) that a company based in a third country (such as the UK) to which the EU GDPR applies must comply with the EU GDPR when exporting data from its location to a third country.
This means that if such a company decides to put in place Standard Contractual Clauses as its chosen mechanism, it might need to put in place two sets of clauses: the EU SCCs (to comply with the EU GDPR) and the UK SCCs (because, as a UK business, it will be subject to the UK GDPR anyway). We expect EEA regulators to accept the UK’s forthcoming updated set of SCCs (most likely to be named the “International Data Transfer Agreement” or “IDTA”) as a valid mechanism once the IDTA is approved and published by the ICO, and vice versa (that the current version of the EU SCCs is accepted by the ICO for UK GDPR transfers), so that businesses do not need to bother customers or contractors with duplicate documentation that must be reviewed by legal advisers, discussed, negotiated, agreed and implemented, when a single set of clauses would achieve the same purpose and level of protection.
Until then, the simplest approach, and the one I have found most in demand among our clients, is to incorporate both sets of clauses by reference in a wrapping agreement and to set out the necessary details and supplementary measures in an annex that applies to both versions, incorporating them into both sets of clauses through the wrapping document.
Finally, for the implementation of both UK SCCs and EU SCCs, the exporter of the data, in collaboration with the importer, is obliged to consider threats to data subjects’ privacy rights as part of the Transfer Risk Assessment (“TRA”, also known as a Transfer Impact Assessment or “TIA”) that must be carried out. This includes gathering information about which laws affecting privacy rights apply in the third country and how they apply in practice. For example, if data is transferred to the United States, it is necessary to check whether, in the context of the importer’s business, US law enforcement and/or intelligence agencies are likely to access the transferred data. If so, you should also check whether this would breach GDPR standards, what harm would in that case be likely to be caused to the individuals concerned, and what, if so, affected individuals can do to defend their privacy rights or to claim compensation. I will soon publish another article focused only on this point, in which I will set out the sections that I recommend including in TRA documents.
If a TRA identifies risks, the consequence is that the SCCs alone are not sufficient to ensure compliance with the GDPR; they must be completed with supplementary measures, which can be contractual (the importer expressly agrees to challenge unreasonable access requests), organisational (the data is held elsewhere) or technical (the data is encrypted, anonymised or pseudonymised). All UK and EU regulators agree that when the risks cannot be mitigated, the transfer must not take place, and if the exporter still intends to proceed, regulators must be informed.
The burden described by clients whom I have helped through this journey arises when TRAs must be carried out for a large number of countries and data processing contexts, and there is doubt about the level of due diligence required for each assessment. In short, my recommendation is that for transfers of data considered “low risk” (i.e. unlikely to cause harm to individuals if unlawfully accessed or disclosed to the public, such as personal business email addresses) an assessment of the publicly available information and the information collected from the importer should suffice, whereas when “high risk” data is processed, more thorough due diligence, including seeking qualified legal advice if the initial assessment of the territory shows serious concerns, is likely to be a must. The key, again, lies in striking a balance between a risk-based approach and putting data subjects first, for which being informative and transparent with them is also crucial.
There is no doubt that we will see evolution in this area of data protection compliance, from regulators, courts and even developers of tools for automated assessments. In the interim, continuing to demonstrate regular commitment to compliance is, to me, the key to a successful compliance plan, whichever area of data protection is being dealt with at any given time.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.