The International transfers of personal data subtopic in Lexis®PSL is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.
The data protection regime on international transfers
All transfers of personal data are subject to the general requirements of the GDPR, eg you must:
- have a lawful ground for processing that personal data—see Lexis®PSL Practice Note: Processing personal data—lawful processing
- provide certain information to data subjects—see Lexis®PSL Practice Note: Privacy notices—information requirements, and
- (where the transfer poses a high risk) complete a data protection impact assessment—see Lexis®PSL Practice Note: Data protection impact assessments—DPIAs
When you transfer personal data internationally (outside the UK), you must also comply with the requirements in Chapter V of the GDPR (Transfers of personal data to third countries or international organisations). These requirements are set out in Articles 44 to 50, GDPR.
To comply with these requirements, you should consider:
- is the transfer caught by the data protection regime on international transfers?
- is there an alternative to transferring personal data outside the UK?
- is there a lawful ground for processing under Article 6 (and for special category personal data, Article 9)?
- is there a lawful mechanism for the international transfer, ie an adequacy decision, appropriate safeguards or a derogation (exception)?
- if not, what should you do?
See Lexis®PSL Practice Note: International data transfers—practical compliance, together with Lexis®PSL Precedents: Transfer impact assessment—personal data and International personal data transfer—data recipient questionnaire. See also Lexis®PSL International data transfers—flowchart.
Is the transfer caught by the data protection regime on international transfers?
The data protection regime applies restrictions to certain international transfers of personal data, often referred to as ‘restricted’ transfers. A transfer is restricted where all of the following apply:
- there is a transfer of data
- the data you are transferring constitutes personal data (and/or special category personal data)
- the recipient of the data is not subject to the GDPR (usually this will be because the recipient is located in a country outside the UK)
- the recipient is a separate organisation or individual, even if the recipient is another company within the same corporate group
For more guidance, including ICO examples, see Lexis®PSL Practice Note: International data transfers—practical compliance—Is the transfer caught by the data protection regime on international transfers?
Is there an alternative?
Before subjecting yourself to the additional GDPR Chapter V requirements relating to international data transfers, you should consider whether there is an alternative, eg can you:
- make the data anonymous so that it is never possible to identify the individuals to whom the data relates, even when combined with other information available to the recipient—anonymised data is not personal data, so the data protection regime does not apply to it at all
- achieve your objectives in other ways, eg by using a UK supplier
Two-stage approach
When considering whether you are able to transfer personal data outside the UK, you should adopt a two-stage process:
- identify a lawful ground for processing—and only if you are satisfied you have a lawful ground
- establish whether you can transfer the data under one of the mechanisms in Chapter V
Lawful grounds for processing
Transferring personal data anywhere constitutes processing for the purpose of the GDPR. You cannot process personal data simply because you wish to do so. You must have a lawful ground for processing under Article 6. For more guidance, see Lexis®PSL Practice Note: Processing personal data—lawful processing—The lawful grounds for processing personal data under GDPR.
Where special category personal data is involved, you must also meet one of the conditions in Article 9. See Lexis®PSL Practice Note: Processing personal data—lawful processing—Grounds required for special category personal data.
Valid mechanisms for international data transfers
Where you transfer personal data outside the UK, as well as having a lawful ground for processing, you must satisfy the requirements of Chapter V of the GDPR (‘Transfers of personal data to third countries or international organisations’), ie Articles 44 to 50. Essentially, you must have a valid legal mechanism for the transfer, ie:
- an adequacy decision
- appropriate safeguards like standard contractual clauses (SCCs) or binding corporate rules (BCRs), or
- a derogation
The Chapter V mechanisms are designed to ensure data subjects are protected when their personal data leaves the UK. The mechanisms follow a hierarchy—see Lexis®PSL International data transfers—flowchart.
Adequacy decision
You may transfer personal data to a country that has the benefit of a UK adequacy decision. Transfers made under an adequacy decision do not need any specific authorisation from the ICO. There is also no obligation to ensure safeguards are in place or to assess the efficacy of data subject rights and remedies in the recipient country.
The UK has granted adequacy decisions in relation to:
- EEA states
- Gibraltar, and
- third countries that have the benefit of an EU Commission adequacy decision
This is explained in more detail in Lexis®PSL Practice Note: International data transfers—practical compliance—Is the transfer covered by an adequacy decision?
SCCs and BCRs (appropriate safeguards)
The SCCs are standard terms and conditions which the data exporter and recipient sign up to. They contain contractual obligations on the data exporter and recipient and rights for data subjects, which can be enforced against the exporter or recipient. For more guidance, including links to Precedent SCCs, see Lexis®PSL Practice Note: International data transfers—practical compliance—Is the transfer covered by appropriate safeguards?
BCRs are an internal code of conduct operating within a multinational group, which applies to international data transfers within the group—see Lexis®PSL Practice Note: Binding Corporate Rules (BCRs). You must submit BCRs to the ICO for approval. The approval process is lengthy, and BCRs are generally used only by large, multinational commercial organisations.
Entering into SCCs (or BCRs) does not, of itself, provide a complete solution for an international data transfer. You can only rely on this transfer mechanism where:
- appropriate safeguards are in place (SCCs/BCRs are potential safeguards only), and
- enforceable data subject rights and effective legal remedies are available
Most commercial organisations will seek to rely on SCCs rather than BCRs. For ease of reading, the remainder of this section refers to SCCs only, but should be read as also applying to BCRs, as the same principles apply.
Why are SCCs not a complete solution?
This section refers to principles set out in the case of Facebook Ireland and Schrems, Case C-311/18 (Schrems II). This case relates to the EU GDPR, but until such time as the UK government or ICO indicate otherwise, it is assumed the same principles apply to the UK GDPR.
The Schrems II case made clear that entering into the SCCs does not automatically mean appropriate safeguards are in place—you must ensure that in reality (not just in contractual terms) the protections, enforceable rights and legal remedies provided are ‘essentially equivalent’ to those guaranteed under the GDPR. It is not enough for the SCCs to say this is the case.
This will involve some sort of assessment—not only on the data recipient but also on the legal regime of the country where it is based.
You should conduct your assessment with due diligence and document it thoroughly—see Lexis®PSL Precedents: Transfer impact assessment—personal data and International personal data transfer—data recipient questionnaire.
The EDPB has published detailed Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which set out the following methodology:
- assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the safeguards provided by the SCCs, ie assess whether the level of protection in the recipient country is essentially equivalent to that guaranteed under the GDPR
- if this is not the case, consider if supplementary measures exist which, when added to the safeguards in the SCCs, could ensure the data transferred is afforded a level of protection in the recipient country essentially equivalent to that guaranteed under the GDPR—this will include assessing whether the law of the recipient country prohibits or otherwise prevents the effectiveness of your proposed supplementary measures
- if you are able to identify effective supplementary measures, take any necessary procedural steps
- monitor and re-evaluate at appropriate intervals
See Lexis®PSL Standard contractual clauses and binding corporate rules—flowchart.
The assessment(s) set out in the above methodology must be done on a case-by-case basis. See:
- Lexis®PSL Practice Note: International data transfers—practical compliance—Due diligence when relying on SCCs or BCRs, and
- Lexis®PSL Precedents: Transfer impact assessment—personal data and International personal data transfer—data recipient questionnaire
Relying on SCCs for transfers to the US
The ECJ ruled (in Schrems II) that the Privacy Shield was invalid because US law does not ensure an essentially equivalent level of protection for data subjects. This was largely due to the:
- extent to which US public authorities may access personal data for national security purposes, and
- absence of appropriate rights and remedies for data subjects before the courts against a US authority
For an explanation of the regime to which the ECJ objected, see Lexis®PSL Q&A: US government surveillance in the context of EU data protection law.
For the purpose of this section, it is assumed that the Privacy Shield is also invalid under the UK GDPR.
Your starting point will therefore be that US law does not ensure an essentially equivalent level of protection for data subjects. Whether you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking account of:
- whether the data recipient is subject to state surveillance provisions, eg the Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333, which permits US security authorities to access personal data without a court order
- any supplementary measures you may be able to implement to make access to the data impossible or ineffective—these measures will have to be sufficiently robust to stand up to the US surveillance regime and surveillance services
Inability to comply with the SCCs
If the data recipient is unable to comply with the SCCs, they must inform you and take any supplementary measures you may have agreed. In turn, you are obliged to suspend the transfer and/or terminate the contract.
Transfer under a derogation (exception)
If you are making an international transfer that is not covered by an adequacy decision or appropriate safeguard, you will need to rely on one of the derogations (exceptions) in Article 49. There are seven specific derogations, plus a final fall-back derogation.
You can rely on one of the specific derogations where:
- the data subject has explicitly consented to the proposed transfer, having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards
- the transfer is necessary for the performance of a contract between the data subject and controller or for the implementation of pre-contractual measures taken at the data subject’s request
- the transfer is necessary for the conclusion or performance of a contract (between the controller and another natural or legal person) concluded in the interests of the data subject
- the transfer is necessary for important reasons of public interest
- the transfer is necessary to establish, exercise or defend legal claims
- the transfer is necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent, or
- the transfer is made from a UK register that is intended to provide information to the public and is open for consultation by the general public or any person who can demonstrate a legitimate interest (but only to the extent that conditions laid down by UK law for consultation are fulfilled)
If all else fails, there is a final, fall-back derogation—the transfer is necessary for your compelling legitimate interests which are not overridden by the interests or rights and freedoms of data subjects. However, this is subject to a number of conditions being met.
For guidance on the derogations, see Lexis®PSL Practice Note: International data transfers—practical compliance—Transfer under a derogation (exception).
No transfer mechanism
What should you do if there’s no lawful mechanism for the transfer of the data?
Proposed transfers
Where the data transfer has not yet started, you will not be able to proceed with the proposed transfer unless you can identify an appropriate transfer mechanism.
Existing transfers under SCCs/BCRs
In the absence of adequate safeguards (and/or where laws in the recipient country prevent the recipient from complying with SCCs/BCRs), the data transfer must be suspended—unless another lawful mechanism can be identified, such as the derogations under Article 49 (see above: Transfer under a derogation). If, however, you intend to continue relying on SCCs despite having concluded that appropriate safeguards would not be ensured, you must notify the ICO.