Brief Data Protection Recap: For a full recap of the Data Protection Regulations, please see our quick guide General Data Protection Regulation (GDPR). For the purposes of this topic, it is important to remember that the Data Protection Act 2018 applies to any company based in the UK, and to any company based outside of the UK that processes the personal data of UK individuals.
International Data Transfers
This note focusses on international transfers from the UK, but the same is true for the EU: currently, the Data Protection Regulations in the EU contain the same rules as have been adopted in the UK.
Straight-Talking Advice:
You need to know the rules on how to transfer personal data internationally. Generally speaking, it is always possible, but you need the right safeguards in place!
What Is an International Data Transfer?
International data transfers are any “transfers” of personal data from one country to another.
However, “transfer” is a misleading term. For Data Protection purposes, a “transfer” of data is not limited to a physical transfer, such as sending data by email. Some further illustrations:
- An HR team in Canada accessing personal data of an employee based in the UK that is saved in the cloud would be a “transfer”.
- A UK company storing personal data on servers based outside of the UK would be a transfer, as would storing a UK individual’s personal data on a server based outside of the UK / EEA.
Adequacy Decisions – What Are They?
The UK Information Commissioner’s Office (ICO) (and, for countries in the European Economic Area, the European Commission) assesses other countries’ data protection laws and determines whether they are adequate in protecting personal data.
If the ICO deems a country to have adequate laws, then you can freely transfer personal data to that country without having any additional safeguards in place.
The ICO and the European Commission regularly review and monitor the adequacy of other countries and keep up-to-date lists of those with an adequacy decision on their respective websites. You can find the UK list here.
What About Post-Brexit?
The UK and EU have mutual adequacy for now, but the European Commission monitors this, and if it considers that the UK changes its Data Protection laws in a way that undermines the protections currently on offer, then it will revoke the decision.
What Happens to Transfers to the United States?
The United States has had a well-publicised battle with adequacy and is dealt with slightly differently from other countries.
Originally, the EU and America had a “privacy shield”, and companies that signed up to the privacy shield were able to freely transfer data. However, this was revoked due to various claims throughout the EU and issues around US laws that prevented the privacy shield from properly protecting personal data.
The European Commission and the US government have worked together to resolve the concerns and agreed the Data Privacy Framework in 2023. US companies can now self-certify under the Data Privacy Framework and, if they do, can freely receive personal data transferred from the UK and the EU.
Note: For UK data to be freely transferable, companies will need to apply for the UK extension to the Data Privacy Framework. Signing up to the Data Privacy Framework can be a long process, and companies will need to appoint an authority that monitors their compliance.
What If There Is No Adequacy Decision?
If a country does not have adequacy status (or, in the case of a US company, it is not signed up to the Data Privacy Framework), then any transfer to that country will be considered a “restricted transfer”.
If a company is undertaking “restricted transfers” then transfers are still possible, but they will need to put safeguards in place.
The aim of safeguards is that they act in place of the law that is deemed to be inadequate and protect personal data in the same way as it would be protected if the data remained in the UK.
The key safeguards are: Standard Contractual Clauses, International Data Transfer Agreement, Binding Corporate Rules and Derogations.
- Binding Corporate Rules: rules specified by a company or group that are formally approved by the ICO (or the relevant data protection authority) and, once approved, must be adhered to – they essentially act as the company’s own data protection regulations.
- Derogations: specific circumstances in which you are allowed to undertake specific transfers of personal data, including:
  - Explicit consent to that specific transfer
  - Performance of a contract
  - Public interests (as recognised by law – i.e. preventing crime)
  - Legal claims
  - Vital interests (protecting an individual’s life)
  - Required by law
- Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA): The SCCs and the IDTA are essentially the EU- and UK-approved (respectively) contract clauses that are entered into between the person sending the personal data (the exporter) and the person receiving the personal data (the importer). They contractually oblige each party to comply with the UK (or the EEA) Data Protection laws and regulations. With minor exceptions, these clauses are mandatory and cannot be amended.
Note: The SCCs are used in respect of EU personal data; IDTAs are used for UK personal data. Where both EU and UK personal data are transferred, you can enter into an IDTA with EU Addendum, which essentially means being bound by both sets of contractual clauses.
Risk Assessments – Do I Need to Do One?
To rely on any of the safeguards, all companies that are undertaking restricted transfers should undertake a Transfer Risk Assessment.
A Transfer Risk Assessment is a process in which the company reviews the types of personal data being transferred and the risks associated with that transfer, and considers how to mitigate the risks that have been identified.
Anything Else?
A key principle of the Data Protection laws and regulations is transparency.
Therefore, all companies should be transparent with individuals as to how they use personal data. Simply put, if you are transferring personal data outside of the UK (or the EEA), then you need to add this information to your privacy policy.
Don’t Forget!
If your company is not based in the UK but you provide goods or services to the UK and therefore process UK personal data, you will need to appoint a UK representative (and likewise will need an EU representative if you process EU personal data but are not based there).
If you have any questions on International Data Transfers, or need a UK (or EU) Representative then please contact: contact@ouryclark.com
Let us Introduce Ourselves
To find your nearest office or get in touch with one of our specialist advisors to see how we can help your business, please go to our contact page.