The movement of information has been driving today's global economy and data is no longer constrained by national boundaries. As operations become increasingly global, modern business face complex multijurisdictional relationships and a resulting demand for cross-border transfer of data increases.
Data transfers are an essential element of business operations and disruptions to this process can significantly impact business. As a result, it is vital for organisations to understand the rules around transfers of data and when they might apply to avoid affecting individual rights.
Data transfer checklist
Is it a restricted transfer?
You will be making a restricted transfer under the EU GDPR and UK GDPR if:
- The EU/UK GDPR applies to the processing of personal data you are transferring;
- You initiate and agree to transfer personal data to a recipient located outside the EU/UK; and
- The recipient is a separate controller or processor and is legally distinct from you.
If it is not a restricted transfer, you can proceed with the transfer regardless of any adequacy decisions or safeguards.
If you are making a restricted transfer, then you will need to assess if an adequacy decision has been issued in relation to the place where the receiver is located.
Is there an adequacy assessment/regulation about the country/territory where the receiver is located?
EU Adequacy Decisions
UK Adequacy Decisions
The EU recognised the following countries as providing adequate protection:
The UK recognised the following countries as providing adequate protection:
If there is an adequacy decision in relation to the place where the receiver is located, you can proceed with the transfer without the need for a further safeguard.
If no adequacy decision has been issued, then you will need to make sure a safeguard is in place.
What safeguard should be in place?
Following the decision in Schrems II, transfers relying on an article 46 transfer mechanism must first be subject to a Transfer Impact Assessment (“TIA”) under the EU GDPR or a Transfer Risk Assessment (“TRA”) under the UK GDPR. Below we set out some of the key differences between the TIA and TRA and highlight the ways in which the TRA takes a more business friendly, risk-based approach to assessing the viability of transfers:
Article 46 transfer mechanisms
In addition to completing a TIA or TRA, any transfers to a third country not benefitting from an adequacy decision need to be subject to an Article 46 safeguard as well. These safeguards include:
Recent updates: Europe
Updating your SCCs
In Europe, the first advancement was the publication of a new set of SCCs by the European Commission which replaced outdated versions from before the GDPR was introduced. Draft versions of the new SCCs were published in November 2020 with the final versions being released in June 2021.
The deadline for updating your old EU SCCs was 27 December 2022, as after that date they will no longer be valid as a safeguard for transfers of personal data under EU GDPR.
If your live contracts contain the old SCCs, do get in touch about our remediation services – including our automated software tools – for assistance in remediating your transfer documentation, whether for the new EU SCCs or the post-Brexit UK GDPR transfers safeguards. Our team can help selecting and putting in place the best safeguard for your data transfer.
The second development in the EU was the European Data Protection Board’s recommendations on supplementary measures when transferring data outside of the EEA and guidance on European Essential Guarantees for surveillance measures. Details of these two sets of guidance can be found here.
Recent updates: United Kingdom
Standard Contractual Clauses
In the UK, following Parliamentary approval, the International Data Transfer Agreement ("IDTA"), the international data transfer addendum to the European Commission's Standard Contractual Clauses ("UK Addendum") and the UK's new data transfer tools came into force on 21 March 2022.
The old EU SCCs could still be used as part of the transitioning period could be used until 21 September 2022. Now, however, any new transfers must be based on the IDTA or UK Addendum. For most organisations, using the UK Addendum in conjunction with the EU SCCs will be the preferred choice, as this will ensure compliance with all European and UK data transfer requirements.
The old EU SCCs will no longer be permitted for any UK Transfers from 21 March 2024.
In addition, the UK's Information Commissioner's Office ("ICO") published an international data transfer guidance, a transfer risk assessment ("TRA") guide and tool. We covered the topic in more details in the Data Protection Update – November 2022.
In the US, a new EU-US Data Privacy Framework was announced in March 2022 and President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("Executive Order") in October 2022.
The new Framework is designed to provide protection for EU personal data that is essentially equivalent to that which it receives in Europe and to address the issues with US law identified in Schrems II. Under the Executive Order, the US Government commits to enhanced safeguards for and oversight of:
- US signals intelligence activities,
- introduces a new redress mechanism,
- introduces internal procedural requirements for handling personal data
- and updates the privacy principles.
On 13 December 2022, the European Commission published its draft adequacy decision for EU-US data transfers following the new EU-US Data Privacy Framework. If the draft adequacy decision is adopted, this EU-US Data Privacy Framework will be the successor to the invalidated EU-US Privacy Shield.
After that, the UK will need to make an independent adequacy decision on whether the new Framework provides appropriate protections in respect of data transfers to the US.
We produced an in depth article on the EU-US Data Privacy Framework which you can find here.
In the APAC area, there is a growing body of law and regulation in relation to cross-border transfer of personal data. However, the data protection framework within the APAC can deviate greatly from the general rules of the EU and UK GDPRs. Below is a comparative table on the legal transfer mechanisms available for cross-border transfers of personal data in the jurisdictions of our areas of expertise.