Simon Cheng Managing Associate
Free Movement of Personal Data? Cross-Border Transfer vs Localisation – Part 1
Given the uncertainty over Brexit, concerns about the movement of people and goods across the UK-EU border post-Brexit are bigger than ever. But what about personal data? Can personal data still be transferred between the UK and other EU countries post-Brexit? What are the relevant laws in the UK and the EU? How are other countries regulating the cross-border transfer of personal data? In this 2-part article, we will discuss the data transfer laws of the EU, the UK, Hong Kong, Mainland China, India and the APEC, and suggest that the trend in the future is for cross-border data transfer to be allowed as long as a prescribed level of data protection measures is in place.
Every day, a massive amount of personal data is generated from all kinds of activities. The drinks you’ve bought, the distance you’ve travelled, the “likes” you’ve given on social media – they may all be quantified and collected by the respective entities providing these goods and services. Some of these entities may be huge multi-national corporations which wish to collate data from different regions for more in-depth analysis, while others may be small start-up companies which wish to engage a third-party specialist for data processing. All these acts may require the transfer of personal data across borders. The transfer of data can also happen inadvertently, for example, by forwarding an email to a colleague at an overseas office or uploading files to an online storage platform that uses foreign servers. As data protection law differs from one place to another, people and governments are understandably concerned about whether data can be sufficiently protected after being transferred to a foreign jurisdiction. As such, many places have enacted, or are considering enacting, data transfer laws to regulate the cross-border transfer of personal data or even to require the localisation of personal data.
The European Union
In light of the impending Brexit, a good starting point for the discussion is the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The GDPR has a wide impact as it applies not only to EU entities but also to non-EU entities if they offer goods or services to, or monitor, data subjects within the EU.
In line with the free movement of goods, capital, services and labour within the EU, Article 1(3) of the GDPR protects the free movement of personal data within the EU. This also covers Iceland, Liechtenstein and Norway, which are not members of the EU but have nevertheless adopted the GDPR by reason of being members of the European Economic Area (EEA). This is a logical arrangement as all members of the EU and the EEA are subject to the GDPR, which means the level of protection offered across these countries is more or less the same. On the other hand, the transfer of personal data to a non-EU/EEA country is more heavily regulated by Chapter V of the GDPR.
Chapter V of the GDPR provides for two bases on which personal data can be transferred from the EU/EEA to a non-EU/EEA country. The first basis is “adequacy” – the European Commission may decide that a non-EU/EEA country offers an adequate level of protection for personal data, in which case personal data can be freely transferred to that non-EU/EEA country. So far, the list of countries regarded as providing adequate protection consists of Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan. Adequacy talks are ongoing with South Korea as well. As to the United States, although the country itself is not deemed to be “adequate”, organisations from the United States may enrol in the Privacy Shield Framework in order to enjoy the “adequacy” status. However, one should note that the Privacy Shield Framework is under constant challenge from those who doubt whether personal data can be adequately protected in the United States when surveillance in the country is so extensive. It remains to be seen whether the Privacy Shield Framework will suffer the same fate as its predecessor, the Safe Harbour programme, which was struck down by the Court of Justice of the EU in 2015.
The second basis for allowing the transfer of personal data is “appropriate safeguards” – personal data can be transferred to a non-EU/EEA country if there are appropriate safeguards providing data protection. What qualifies as appropriate safeguards is listed in Article 46 of the GDPR. For corporations, “binding corporate rules” and “standard contractual clauses” are most relevant. Binding corporate rules (in the form of internal privacy policies, practices, etc.) should provide for a certain level of protection for personal data. They are useful for an intra-company or intra-group transfer. The standard contractual clauses are approved and/or published by the European Commission, and they are useful when contracting with a party outside the EU/EEA.
In addition to these two bases of transfer, Article 49 also sets out an exhaustive list of derogations (i.e. exceptions) where personal data can be transferred to a non-EU/EEA country even when neither of the two bases above applies. These include situations where the data subject has given informed consent to the proposed transfer, the transfer is necessary for the performance of a contract between the data subject and the data controller, the transfer is necessary for important reasons of public interest, etc.
The rationale behind Chapter V of the GDPR is clear – as far as possible personal data should be offered GDPR-level protection wherever it goes. As long as the prescribed level of protection is ensured, cross-border transfer of personal data is allowed. The GDPR represents a very sensible approach to the issue as it recognises the need for cross-border transfer of data and provides realistic options for those who wish to transfer data.
The United Kingdom
At the time of this article, the UK is still a member of the EU and the EEA. That means the GDPR, as an EU regulation, is directly applicable to the UK. Thus, personal data can be freely transferred between the UK and the EU/EEA countries. On the day the UK leaves the EU and the EEA, the GDPR will be incorporated into the domestic law of the UK by virtue of the UK’s European Union (Withdrawal) Act 2018. While personal data will still be offered largely the same level of protection in the UK after Brexit, it does not necessarily follow that there will be free transfer of data between the UK and the EU/EEA. In the absence of any data transfer deal, the UK is just like any other non-EU/EEA country. The UK government has said that it will continue to allow free transfer of data from the UK to EU/EEA countries after Brexit.
However, the transfer of data from an EU/EEA country to the UK will have to fit into the “adequacy” basis, the “appropriate safeguards” basis or one of the derogations set out in the GDPR. As one cannot say for certain that the European Commission will give the UK the “adequacy” status, businesses in the UK may wish to seek an alternative basis to allow the transfer of data from the EU/EEA to the UK, for example, by incorporating the standard contractual clauses into contracts with partners in the EU/EEA in order to satisfy the “appropriate safeguards” basis.
For the transfer of data from the UK to a non-EU/EEA country after Brexit, the GDPR will apply as a domestic law of the UK. Naturally, necessary modifications will be made to replace the European Commission with the appropriate UK authority.
Although Brexit has complicated matters, the rationale remains the same – personal data can be transferred but as far as possible it should be offered GDPR-level protection wherever it goes.
In the next part of this 2-part article, we will shift our focus to some of the more prominent Asian jurisdictions.