The amount of personal data that flows around the world is staggering and is only going to increase. According to a report by McKinsey Global Institute, “The amount of cross-border bandwidth that is used has grown 45 times larger since 2005. It is projected to increase by an additional nine times over the next five years as flows of information, searches, communication, video, transactions, and intracompany traffic continue to surge. Virtually every type of cross-border transaction now has a digital component.”
Naturally, governments, industry bodies and regulators want to ensure that companies remain within the law, because this huge surge in data traffic increases the risk of an incident involving the data, and potentially a crime following that incident. Conversely, companies and other organisations want to reduce costs and red tape and move data to wherever it is cheapest and easiest to process and store.
The stated aim of the European Data Protection Board (EDPB) when considering the GDPR was to create the world’s largest single digital market with over 500 million users, i.e. the EU, and to have one standard regulation across the market, i.e. the GDPR.
What does the GDPR say about international transfers?
Where a Data Controller, Joint Data Controller or Data Processor is established in the EU, then the GDPR applies. Where an organisation is not established in the EU, it can still be subject to the GDPR if it processes personal data of data subjects who are in the EU, where the data processing relates to the offer of goods or services, irrespective of whether or not payment is required, or where that organisation is monitoring the behaviour of those data subjects, as long as their behaviour takes place within the EU. This includes internet profiling of data subjects in order to offer them goods and services based on their preferences and online behaviour.
Additionally, the GDPR restricts the ability of organisations to transfer personal data out of the EEA. This principle has a significant impact on multi-national organisations and on those that use cloud service providers and remote IT service providers.
In general terms the transfer of personal data to recipients outside the EEA is prohibited unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection (the principle of adequacy). Currently the following countries have been deemed adequate: Andorra, Argentina, Canada (where PIPEDA applies), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand;
- the data controller or data processor has implemented technical and organisational measures to safeguard the personal data; or
- a derogation under the GDPR applies to such cross-border transfers.
The derogations are often referred to as Alternative Transfer Mechanisms and are used where the recipient country is not deemed adequate and where it is very difficult to prove the effectiveness of the organisational and technical measures. They allow organisations to transfer personal data outside the EEA provided that the transfer is:
- made with the individual’s informed consent;
- necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
- necessary for the performance of a contract made in the interests of the individual between the controller and another person;
- necessary for important reasons of public interest;
- necessary for the establishment, exercise or defence of legal claims;
- necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
- made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
The first three derogations are not available for the activities of public authorities in the exercise of their public powers.
Even where there is no Commission decision authorising transfers to the country in question, where it is not possible to demonstrate that individuals’ rights are protected by adequate safeguards, and where none of the derogations apply, the GDPR provides that personal data may still be transferred outside the EU. However, such transfers are permitted only where the transfer:
- is not being made by a public authority in the exercise of its public powers;
- is not repetitive (similar transfers are not made on a regular basis);
- involves data related to only a limited number of individuals;
- is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
- is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.
In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.
How to comply.
We suggest that companies take the following actions:
- review existing and planned business operations to ascertain if personal data needs to be transferred outside the EEA;
- ensure that, for every personal data transfer, the transfer mechanism, or legal basis for the transfer, complies with the GDPR;
- review with any Joint Controllers and Processors where their processes may send personal data; and
It should be noted that companies often omit to consider automatic transfers that occur within their systems, for example database back-ups.
If organisations are going to regularly transfer personal data in and out of the EEA, it is advisable to consider using Binding Corporate Rules (BCRs). BCRs were developed by the European Union Article 29 Working Party to allow multinational corporations, international organisations, and groups of companies to make intra-organisational transfers of personal data across borders in compliance with EU Data Protection Law. BCRs must be approved by one Member State’s data protection authority (known as the “lead” authority) and two other “co-lead” authorities.
International transfers are possible as long as companies understand the legal basis for the transfer; are transparent with those who might be affected by the transfer, informing them of where the data will be transferred to and of the organisational and technical measures being implemented to protect it; and coordinate with the other companies they deal with to ensure the same.