Head of IP and Data Protection Patrick Wheeler explains the new guidelines on international data transfers, with examples.
Haven’t we left the EU?
Brexit may be done, but in many respects it is far from being dusted. Business relationships with the EU bloc of countries remain of critical importance to UK businesses, since the EU is still the largest market for UK goods and services, with the US in a very distant second place.
A key area where UK businesses need to continue to be aware of and continue to comply with EU regulations is data protection. UK laws are currently closely aligned to EU laws. The EU General Data Protection Regulation (EU GDPR) has largely been reproduced in the UK GDPR under the Data Protection Act 2018.
The UK Government has announced that it is considering what changes might be made to our data protection laws, but unless and until any change is introduced it will still be necessary for UK businesses to comply with both UK GDPR and EU GDPR in their dealings with EU businesses and individual customers within the European Economic Area (EEA), that is, the EU plus Norway, Iceland and Liechtenstein. Those business dealings will invariably require transfers of personal data.
Data transfers within the EEA require no additional safeguards beyond the provisions of the EU GDPR. Any country outside the EEA is designated a ‘third country’. At present, data transfers between the EEA and a small number of third countries (including the UK) can take advantage of the fact that no additional restrictions or safeguards are imposed, because they have been granted a declaration of adequacy. By contrast, data transfers from the EU to third countries like the US, Russia and China which do not have a declaration of adequacy require extensive checks to be carried out and effective safeguards to be put in place. The major concern is the extent to which Governments and Security Services can access data in commercial transactions.
Without adequate safeguards, UK and EU businesses run the risk of not being able to transfer personal data to those countries or, if they do so, being subjected to regulatory enforcement action for committing a data breach. This can result in very substantial fines: up to 2% of worldwide turnover if a data breach is not self-reported promptly. Individuals affected by an unauthorised transfer of data may also have a right to claim damages against the business.
For these reasons it is important for UK businesses to take note of guidance that has been issued by the European Data Protection Board (EDPB) on the application of EU GDPR to international transfers of data. These are currently relevant both to EEA-based data controllers and to UK organisations who process the data of EU data subjects and therefore remain subject to EU GDPR provisions for such activity. In the future the EU will be looking closely at any changes to UK data protection laws. If they conclude that those changes no longer provide adequate protection in line with the GDPR, including rules and safeguards relating to international transfers of data, there is a risk that the UK will lose its declaration of adequacy and become an ordinary third country. That would significantly increase the complexity of business dealings with the EU which involve personal data. There is therefore an incentive for the UK Government and the Information Commissioner’s Office to continue to align UK data protection laws and guidance with EU GDPR and its guidance.
International Transfers of Data
Chapter V of the EU GDPR outlines requirements that apply to transfers of personal data ‘to a third country or to an international organisation’. Unless there is an adequacy decision in relation to the receiving third country, additional safeguards such as Standard Contractual Clauses are required to protect personal data when it is transferred out of the EU’s legal framework.
Article 3(2) of the EU GDPR is also relevant to the protection of EEA data subjects’ personal data beyond the Union’s territorial boundaries, because it provides that the EU GDPR applies to the processing activities of non-EEA-based data controllers and processors when offering goods and services to data subjects in the EU, or monitoring EU data subjects’ behaviour.
The new guidelines clarify the interplay between the requirements of Chapter V and the territorial scope provisions of Article 3.
An international transfer (to which the Chapter V requirements apply) is defined as a processing for which:
1. the controller or processor is subject to the EU GDPR for the processing in question;
2. the controller or processor (the exporter) makes personal data subject to the processing available to another controller, joint controller or processor (the importer); and
3. the importer is in a third country or is an international organisation (irrespective of whether or not the importer is subject to the EU GDPR for the processing under Article 3).
Point 1 clarifies that the Chapter V conditions will apply to an exporting controller or processor who is not established in the EEA but to whom the EU GDPR applies under Article 3(2).
Point 2 clarifies that only transfers undertaken by data controllers or processors are in scope: where data subjects themselves disclose data to an international third party on their own initiative, that is not considered a transfer (though subsequent processing by that third party might be subject to the EU GDPR if Article 3(2) applies). Point 2 only applies where two separate controllers or processors are involved in the disclosure.
Examples:
a) Where a controller company employee is temporarily in a third country (on a business trip, say) and accesses the company’s databases remotely, that would not engage point 2.
b) Where entities within the same corporate group disclose data between themselves, but carry out different processing functions, such that one is a controller and the other a processor, that could engage point 2.
Point 3 makes clear that an international transfer occurs even when the transfer is to a third country-based controller whose processing is subject to the EU GDPR under Article 3(2).
A UK company offers goods and services in the EEA. A French company processes personal data on behalf of the UK company and transmits the data back to the UK company. The processing performed by the UK company is subject to the EU GDPR because it is caught by Article 3(2) (offering goods and services in the EEA) but the transfer by the French company nonetheless would constitute an international transfer and the requirements of Chapter V would apply.
Horses for Courses
Where all three criteria are met and the transfer constitutes an international transfer, the safeguards implemented under Chapter V must be tailored to the specific circumstances and relevant to the situation. For example, fewer safeguards may be required if the importer is subject to the EU GDPR for the processing under Article 3(2); in that case the safeguards should focus on what is necessary to fill any gaps resulting from conflicting national laws. Even where the criteria are not met and therefore the Chapter V requirements do not apply to a potential transfer, data controllers should nevertheless consider any risks and steps that could be taken to mitigate them. A data controller remains accountable for all its processing activities, regardless of where they take place.
While this guidance is currently specific to EU GDPR, UK businesses would be well advised to take note of the three key points listed above, because they are likely to have a wider application in the future. The direction of travel for data protection within the EU is to accord more protection to the rights of individuals, so stricter rules and safeguards are likely in the foreseeable future. Data protection laws around the world are largely following the lead taken by the EU. It is therefore in the interests of UK businesses to adopt procedures that are compliant with EU laws and guidance, even if the UK government decides to relax restrictions in any changes to UK data protection laws. Compliance with EU GDPR will still be required for the UK’s largest group of customers.