Overseas transfer of personal data
Transfers of personal data overseas require careful consideration of the adequacy of the data protection safeguards in the overseas territory, or the international organisation, to which the data is being transferred.
For the purposes of the GDPR, a non-EU country is treated as a “third country”, and transfers of personal data to third countries are permitted only if an adequacy decision has been made by the EU Commission, if appropriate safeguards are in place, or, failing both, if one of the derogations described below applies.
Appropriate safeguards may be provided by:
> Standard data protection clauses adopted by the EU Commission, or adopted by a supervisory authority and approved by the Commission
> Binding corporate rules, which are legally binding data protection rules approved by a competent data protection authority and which apply within a corporate group
> Approved codes of conduct together with binding and enforceable commitments of the controller or processor in the third country
> Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country
Where appropriate safeguards are absent and there has been no adequacy decision made by the EU Commission in respect of the third country, the GDPR permits transfers on the basis of “derogations”, including where: the data subject has given explicit consent after being informed of the risks of the transfer; the transfer is necessary for the performance of a contract; the transfer is necessary for the establishment, exercise or defence of legal claims; or the transfer is necessary for important reasons of public interest.
Although the appropriate-safeguard requirements may initially appear onerous, the derogations recognise that international data transfers are a vital business need, and the GDPR has sought to reduce bureaucracy by removing the requirement for specific authorisation from a supervisory authority where Commission-approved standard data protection clauses are used or binding corporate rules have already been approved.
Adequacy decisions of the EU Commission allow businesses to transfer personal data from an EU Member State to third countries without having to satisfy themselves that adequate safeguards are in place for each transfer. The adequacy assessment is based on a test set by the Court of Justice of the European Union (CJEU) in Schrems, which asks whether the data protection standards in a third country are “essentially equivalent” to those applied in the EU (Maximillian Schrems v Data Protection Commissioner (C-362/14), Grand Chamber, 6 October 2015).
The Commission has adopted 12 adequacy decisions, including in respect of the following countries and territories:
> Canada – limited to transfers to commercial organisations that are subject to the Canadian Personal Information Protection and Electronic Documents Act
> The Faroe Islands
> Isle of Man
> New Zealand
> US – for certified companies
The partial adequacy decision for the US is in the form of the EU-US Privacy Shield, which only applies to transfers to US companies that have self-certified as meeting the standards set out in the Privacy Shield framework. (The Privacy Shield decision was subsequently invalidated by the CJEU in Schrems II (C-311/18, 16 July 2020); the Commission adopted a replacement adequacy decision for the EU-US Data Privacy Framework on 10 July 2023, which likewise covers only self-certified US organisations.)
Many countries outside the EU are now looking at how they can obtain EU adequacy recognition to allow greater freedom in the access to and transfer of EU personal data. South Korea has one of the strictest privacy regimes in the world, but until it obtains an EU adequacy ruling, controllers transferring personal data there must rely on appropriate safeguards or, where none are in place, on a derogation such as the data subject’s explicit consent. (The Commission adopted an adequacy decision for the Republic of Korea on 17 December 2021.)
Although the UK is exiting the EU, the UK’s Data Protection Bill will set out the UK’s post-Brexit data protection position and will be aligned with the GDPR. It is expected that the EU will grant an adequacy ruling in respect of data transfers between the EU and UK to govern the free flow of personal data between the two. (The Bill was enacted as the Data Protection Act 2018, and the Commission adopted adequacy decisions for the UK under the GDPR and the Law Enforcement Directive on 28 June 2021.)