Data in all its forms makes the world go round. In our increasingly interconnected, digitally enabled way of life, the free flow of information enables technology, economies, businesses, governments and societies to operate and innovate. But sharing data across borders can be problematic.
In Europe (and the UK), the GDPR (and UK GDPR) restrict transfers of personal information to countries outside the bloc (or the UK): a transfer is only lawful if one of the mechanisms described below applies. Such transfers are nonetheless routine. The latest figures from Statista, taken from a global 2021 poll conducted among privacy experts, showed that 71% of companies transferred data from the European Union to non-EU countries for processing.
So if your business needs to transfer personal information outside of the UK or the EEA, here are six questions to help you on your way:
1. Do you really need to transfer personal information?
First, before you transfer, think about necessity: is it possible to achieve your aims without making the transfer? If the transfer is necessary, could the data be anonymised first so that it falls outside the requirements of the UK GDPR/GDPR? Note that anonymisation must be irreversible; pseudonymised data (where the individual can still be identified using separately held information) remains personal data and stays in scope. If the transfer is unavoidable, make sure only the personal information that is actually needed is exported.
2. Does the importing country have an adequacy decision?
If it is necessary to transfer the data and anonymisation is not possible, check whether the destination country benefits from an ‘adequacy’ decision. Certain countries, such as Canada, Japan and Israel, have been deemed adequate because they provide essentially equivalent protection for personal data to that under the GDPR / UK GDPR. If there is an adequacy decision in place, you can go ahead and make the transfer once your other obligations are met, for example a data processing agreement (Article 28) where the recipient is acting as your processor.
On 10 July 2023, the EU finally adopted its adequacy decision for the new EU-US Data Privacy Framework (DPF), which facilitates data transfers out of the EEA to US companies participating in the DPF. On 21 September 2023, the UK government announced its decision to establish a UK-US ‘data bridge’ (the UK government’s preferred term for ‘adequacy’) through the UK Extension to the DPF. This came into force on 12 October 2023, allowing personal data to be transferred out of the UK to US companies which are signed up to the UK Extension. Check the public DPF list to confirm that a specific US recipient is certified (and, for UK transfers, certified under the UK Extension) before relying on it. The UK government has published a helpful explanatory factsheet for UK organisations.
Note that the EU and the UK consider each other to be ‘adequate’ meaning personal data can be freely transferred between them.
If you have concluded that you need to transfer the personal data and there is an adequacy decision in place in the destination country, you don’t need to consider the following steps. If there is no such decision in place, read on…
3. Have you considered appropriate safeguards?
‘Appropriate safeguards’ are mechanisms approved by the EU or the UK for transferring personal information to third countries. The most commonly used are the Standard Contractual Clauses (SCCs). The European Commission’s SCCs used for transferring personal data out of the EEA are modular and can be used by organisations to build the set of clauses needed for one of four possible transfer scenarios: controller to controller, controller to processor, processor to processor and processor to controller.
In the UK, organisations can either use the UK Addendum to the SCCs (which allows the EU’s SCCs to be used for transfers of personal data from the UK) or use the International Data Transfer Agreement (IDTA), which is the UK equivalent of the SCCs. Where a controller intends to transfer UK personal information to a processor in a third country using the IDTA, a data processing agreement is also required (in contrast to the controller-to-processor and processor-to-processor modules of the EU SCCs, which have one built in).
4. Have you carried out a Transfer Impact Assessment (TIA)?
A TIA is a requirement introduced by the well-known Schrems II judgment of the Court of Justice of the EU. It is intended to assess whether the personal data being transferred will continue to benefit from the same level of protection in the third country as it has under the GDPR/UK GDPR, taking into account the laws and practices of that country (in particular government access to data) and the safeguard being relied on. If a country is considered ‘adequate’, there is no need to carry out a TIA. Where personal data is being transferred to a company in the US that is not certified under the DPF, a TIA is still required but is now much simpler, because the European Commission in its adequacy decision and the UK government have already carried out the required analysis of US law (see the ICO’s guidance on transfers from the UK to the US).
There is no mandated approach to a TIA, but the International Association of Privacy Professionals has published a template TIA and the ICO has a Transfer Risk Assessment (TRA) tool; both are a useful starting point. Organisations seeking to transfer personal information out of the EEA should not rely on the ICO’s tool, as the UK takes a more ‘risk-based’ approach to international transfers than the EU (hence the UK terminology of ‘Transfer Risk Assessment’ rather than TIA). The ICO has stated that, in the event a transfer breaches the UK GDPR, if an organisation can demonstrate it used its best efforts in completing a TRA, the regulator will take that into account. So always do one if required and keep a record of it.
5. Are supplementary measures required?
The outcome of the TIA will determine whether the use of an appropriate safeguard alone is sufficient to ensure the personal data will be protected, or whether additional supplementary measures are required. These might include technical measures such as pseudonymisation or encryption and/or organisational measures such as data minimisation. Technical measures only close the gap if they actually remove the risk identified: for example, encryption helps where the keys are held by the exporter (or another party outside the importing country) and not by the importer, and pseudonymisation helps where the information needed to re-identify individuals stays in the UK or EEA. The European Data Protection Board (EDPB) has published recommendations on supplementary measures (Recommendations 01/2020), with examples of what they might look like.
If there are gaps between the protection of the personal data in the destination country and the exporting country and supplementary measures cannot be identified and adopted, the transfer should be avoided, suspended or terminated.
6. Are you continuing to monitor the level of protection?
Make sure you continue to monitor the level of protection of any personal data transferred out of the UK or EEA. That means checking that any adequacy decision you rely on remains in force (and, for DPF transfers, that the US importer remains on the DPF list, as certification must be renewed annually), and evaluating whether any changes have happened in the importing country which would affect the protection of personal data. Lastly, amend your privacy notices and Record of Processing Activities to reflect how you’re now transferring personal information out of the UK or the EEA. It’s important they’re always kept up to date.