Transferring Data outside the UK

Definition under the DPA

The Eighth Data Protection Principle states:

“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

What does the DPA definition really mean?

Data can be freely transferred to those non-EEA countries that have been approved by the European Commission as having adequate data privacy laws, including Argentina, Canada, Switzerland, the Channel Islands and the Isle of Man, Israel and New Zealand.

Data can only be freely transferred to US businesses that have signed up to the EU-US Privacy Shield framework.

If none of those apply, then the data controller must assess whether the protection afforded to data subjects in the recipient’s country is “adequate in all the circumstances of the case”.

If the data controller cannot satisfy that assessment, then the personal data can only be transferred if adequate safeguards are put in place, for example, by using pre-approved wording in a written contract between the data controller and the recipient, or in accordance with approved intra-group corporate rules.

Note that there is no restriction on transferring data that is simply passing through a non-EEA country ‘in transit’ from one EEA member state to another.

Definition under the GDPR

Any transfer of personal data outside the UK shall only take place if it complies with the GDPR.

What does the GDPR definition really mean?

Data can be freely transferred to those countries that have been approved by the European Commission as having adequate data privacy laws, including all EU member states, Argentina, Canada, Switzerland, the Channel Islands and the Isle of Man, Israel and New Zealand.

Data can only be freely transferred to US businesses that have signed up to the EU-US Privacy Shield framework.

If the recipient is not based in any of those countries, then the personal data can be transferred if adequate safeguards are put in place, for example, by using pre-approved wording in a written contract between the data controller and the recipient, or in accordance with approved intra-group corporate rules, or by agreeing to abide by an approved industry Code of Conduct.

If none of those safeguards apply, then the transfer can occur if one of the following applies:

  • the data subjects have been informed of the risks of the transfer, and nevertheless given their explicit consent,
  • the transfer is necessary for the data controller to perform a contract between it and the data subject,
  • the transfer is necessary for the data controller to perform a contract with another party that is in the data subject’s interest,
  • the transfer is necessary for important reasons of public interest,
  • the transfer is necessary in relation to exercising or defending legal claims,
  • the transfer is necessary to protect the vital interests of any person, and the data subject is unable to give consent, or
  • the transfer is from a publicly-available register or database.

And if none of those exemptions apply, then the transfer can only take place if it is not repetitive, concerns a limited number of data subjects and is necessary for the data controller’s compelling legitimate interests, and only if the data controller undertakes an assessment of the risks, provides suitable safeguards to protect the data, and notifies both the ICO and the data subjects.

What are the significant differences between the DPA and the GDPR?

Rather than simply allowing the data controller to undertake a self-assessment as to whether it can make the data transfer, the GDPR provides a more prescriptive list of when the data transfer can occur. Under the GDPR, the data controller cannot simply pick one of the justifications in the list above – it must start at the beginning and work through the list in order.

The DPA regulates transfers of data out of the EU, whereas the GDPR will regulate transfers of data out of the UK.

What effect will this have on UK businesses?

In reality, probably very little.

Businesses will need to be more mindful of international data transfers, the rules on which now apply when transferring data outside the UK, and must ensure that they justify each transfer in accordance with the GDPR requirements; international data transfers will still be permitted. UK businesses will need to review the terms of written agreements that deal with the flow of personal data from a UK business to a foreign business.

What will my business need to do?

First, identify all relationships that your business has with businesses located outside the UK, and then narrow that down to those relationships where there is a flow of personal data from one party to the other.

Secondly, identify the legal basis on which that personal data is being transferred under the DPA, and identify whether you are entitled to rely on that same legal basis under the GDPR. If not, then you will need to vary the terms of that arrangement to ensure it satisfies the GDPR.

This is particularly important if you use ‘model terms’. You will be entitled to use ‘model terms’ under the GDPR, but it is likely that the European Commission will approve different terms to reflect the provisions of the GDPR. These new ‘model terms’ have not yet been published but, when they are, it is likely that you will have to amend your existing contracts to include them.

Q&As

My business has an American parent company, and I send all my customers’ data to them. What will I have to do now?

First, identify the basis on which you are transferring data to your parent company under the DPA (for example, has the parent company signed up to the EU-US Privacy Shield framework, or are you using approved intra-group company rules or approved contractual clauses?). Then identify whether you can continue to send data to your parent company on the same basis under GDPR. If so, then you won’t need to change the process. But if not, you will have to identify a new legal basis and adopt a new process.

What if I anonymise the data before I transfer it out to another country?

The ICO has confirmed that anonymous data can be freely transferred without complying with the DPA rules on international data transfers. And under the GDPR, as long as the data is anonymised so that it fails the definition of ‘personal data’ (i.e. it cannot be used to identify an individual person), the same applies.

‘Model terms’, what are they?

They are contractual clauses that have been approved by the European Commission and, if used in a contract where personal data flows from one country to another, will be considered as satisfying the requirements of the DPA. The European Commission will, at some point, approve new ‘model terms’ that satisfy the requirements of the GDPR and, if none of the preceding exemptions apply, then the data controller and recipient will be able to incorporate those ‘model terms’ into their contract by way of satisfying their legal obligations.

So if I include ‘model terms’ in my international contracts, that’s it?

Well, no, you will actually have to comply with those ‘model terms’ in practice as well.

I send a lot of personal data to businesses in the United States. How do I check whether they are a member of the EU-US Privacy Shield framework?

The US Government maintains a searchable online database at https://www.privacyshield.gov/list, so check there in the first instance. And if they are not a member, perhaps encourage them to sign up to the framework, which can be done online via the same website. But until they are registered, you will have to rely on one of the other exemptions under the DPA and GDPR.

I work in a large, multi-national organisation, and we have plenty of intra-group rules, regulations and codes of conduct. Can we rely on those?

Yes, but only if your intra-group rules have been approved by the ICO. If they have not yet been approved, then you can submit them for approval, but must rely on another exemption until approval has been granted. The ICO expects to make a decision within about one year of application. Approved rules are used by a number of large organisations – BT Group, IBM, Schlumberger and AstraZeneca are amongst 9 organisations that have had their intra-group rules approved by the ICO in the past 3 years.

The position won’t change under the GDPR. But note that you can only rely on approved intra-group rules when transferring personal data internally within your group – once the data goes outside the group, then one of the other exemptions must be applied.

Glossary

  • Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
  • DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
  • EEA means the European Economic Area, which consists of the UK and the other 27 member states of the European Union, together with Iceland, Norway and Liechtenstein.
  • EU means the European Union, which consists of the UK and 27 other member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden).
  • GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
  • ICO means the Information Commissioner’s Office, the supervisory authority responsible for enforcing the DPA and GDPR in the UK.
  • Personal data means any data from which a living person can be identified.
  • Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.

Notes

This briefing is based on the law as it stands in July 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.