Having discussed some of the changes that will be implemented when the General Data Protection Regulation (“GDPR“) comes into force in 2018 in our Future of Data Protection in Europe blog and highlighted the importance that Privacy by Design will have under the new regime, this post will discuss the rather topical issue of International Transfers of Personal Data.
Not only is this an important issue for anyone that transfers personal data outside of the European Economic Area (“EEA“), it is also an important topic for organisations that rely on cloud providers for any part of their business.
As you all know the Data Protection Act 1998 (“DPA“) contains eight principles which must be complied with when processing personal data. The eighth principle states that:
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
If you are the data controller then under the DPA the obligation is on you to ensure that country or territory has an adequate level of protection before the personal data is transferred outside of the EEA. This does not mean that processors can be complacent, especially with the possibility of joint liability under the GDPR.
So what does this actually mean?
The most frequent way that an organisation deems the transfer is adequate is to rely on what is known as an EU Commission finding of adequacy. The Commission has the power to determine whether a country outside of the EEA ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. Currently the list of countries that Commission deems to be adequate is limited to: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
One of the key jurisdictions omitted from that list is the USA. In 2000 the Commission made a finding of adequacy in respect of the “EU-US Safe Harbour Framework”. However in October 2015 the Court of Justice of the European Union (“CJEU“) ruled that this finding of adequacy was invalid and as a result Safe-Harbour became invalid.
The reason that this is such an issue is that that many of the large cloud providers rely on Safe-Harbour to ensure that their transatlantic data flows are compliant with European data protection law.
Safe-Harbour – Privacy-Shield
The mass surveillance on the part of the US security agencies and the lack of recourse for European citizens for data protection breaches in the US were the main reasons behind the CJEU judgment. The EU and US were given until the end of January 2016 to agree a replacement for Safe-Harbour.
They have reached an agreement which they have called the “EU-US Privacy-Shield”. This Privacy-Shield needs to go through a few processes before it is formally agreed by the Commission however it does contain additional protections for European citizens. Amongst other protections, there will be an US Ombudsperson with responsibility for ensuring compliance, and ultimately European citizens will be able to complain to their local regulator who can work with the Federal Trade Commission in the US to resolve any complaints. It is important to note that the Ombudsperson will have responsibility for all transfers of personal data not just those that rely on the Privacy-Shield.
Is there any other way I can transfer data outside the EEA?
Model Clauses and Binding Corporate Rules
If an organisation cannot rely on a Commission finding of adequacy it can use what are called the Model Clauses. These are set of clauses that are approved by the European Commission as ensuring personal data is protected in accordance with European data protection laws. It is important to note the Model Clauses cannot be varied and must be used as drafted. Binding Corporate Rules are another means by which organisations determine adequacy, however they are time consuming, expensive and only allow transfers within group companies.
It is also possible for an organisation to conduct its own adequacy assessment to determine if an international data transfer complies with European data protection laws. The adequacy test is divided into General Adequacy Criteria and Legal Adequacy Criteria. When conducting an adequacy test, an organisation should always work through the General Adequacy Criteria and indeed the ICO has recommended that the General Adequacy Criteria are applied to all international data transfers not just scenarios where an organisation is conducting an adequacy test.
The General Adequacy Criteria are:
- The nature of the personal data
- The country or territory of origin of the information contained in the data
- The country or territory of final destination of that information
- The purposes for which and period during which the data are intended to be processed
- Any security measures taken in respect of the data in that country or territory
The Legal Adequacy Criteria:
- The law in force in the country or territory in question
- The international obligations of that country or territory
- Any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases)
Will the GDPR make significant changes?
The GDPR will in principle retain the data transfer rules set out in the current European data protection law.
It will hopefully create a more uniform approach across Europe and it will also give the Commission greater powers to make adequacy findings in relation to countries, industries and even organisations themselves.
What should I do to prepare?
Whilst we have political agreement on the GDPR the final draft has not been published in the Official Journal of the EU. Until that happens we do not have the final draft of the GDPR.
Until then there are a couple of key considerations if you are transferring personal data outside the EEA:
- If you have previously relied on Safe-Harbour stop using it immediately
- Apply the General Adequacy Criteria to each data transfer to assess your exposure
- Consider using model clauses to ensure compliance
This is a highly political topic which is changing on a daily basis. If you are involved in the transfer of personal data outside of the EEA it is essential that you remain abreast of changes as many European regulators are already starting to take action against organisations for transferring personal data outside of the EEA without first ensuring that there are adequate protections in place.
Post produced in partnership with Ashfords.