Navigating the Global Seas of GDPR: A Guide to International Transfers of Personal Data

The General Data Protection Regulation (GDPR) is one of the most comprehensive data protection frameworks in the world. Since it began to apply on 25 May 2018, it has fundamentally reshaped the way organisations handle personal data, both within the European Union (EU) and globally. One of the most complex and challenging aspects of GDPR compliance lies in international data transfers, especially in an interconnected world where personal data routinely crosses borders, often without anyone in the organisation noticing that a transfer has taken place.

This article serves as an in-depth guide to understanding and navigating international transfers of personal data under GDPR, ensuring that organisations can stay compliant while maintaining the global flow of information necessary for their operations.

Understanding GDPR and its Global Impact

Before delving into the specifics of international data transfers, it’s important to understand the territorial reach of GDPR (Article 3). The regulation applies to organisations established in the EU, regardless of where the processing itself takes place, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. Note that the trigger is the location of the individual, not citizenship: a non-EU company serving people who are in the EU must comply, whatever passport those people hold.

GDPR’s primary focus is on protecting the personal data of individuals (referred to as ‘data subjects’), ensuring that data is processed in a lawful, fair, and transparent manner. Among its key provisions are data subject rights, data protection by design and by default, and stringent requirements for data processors and controllers. These provisions apply not only to data within the EU but also to any data transferred outside the EU, hence the need for strict regulations around international data transfers.

What Constitutes an International Data Transfer?

An international data transfer under GDPR occurs when personal data is sent from within the EU or European Economic Area (EEA, which is the EU plus Iceland, Liechtenstein and Norway) to a third country or to an international organisation. Third countries are those outside the EEA, such as the United States, India and China. Physical shipment of data is not required: according to the European Data Protection Board (EDPB) guidelines on what constitutes a transfer, making personal data available to a recipient in a third country, including by remote access (for example, a support engineer outside the EEA logging in to an EEA-hosted database), is also a transfer.

The regulation sets a high standard for such transfers. The central question is whether the destination country or organisation can provide protection for personal data that is essentially equivalent to that provided within the EU. This matters because, once data has left the EEA, the data subject’s rights and the organisation’s security controls can be overridden by local law: transferring data to a destination without adequate safeguards can expose data subjects to surveillance, misuse or loss of their data with no effective remedy.

International transfers can occur in various scenarios, including:

  • Sharing customer data with a company subsidiary located outside the EU.
  • Using a third-party service provider or cloud-based storage system that stores data on servers outside the EU, or whose staff can access that data from outside the EU.
  • Engaging in cross-border business partnerships where personal data needs to be shared.
  • Submitting personal data for international payroll processing, human resources, or other administrative functions.

Understanding how to manage these transfers while staying within the bounds of GDPR is essential for any organisation operating on a global scale.

Lawful Bases for International Data Transfers under GDPR

The GDPR (Chapter V, Articles 44 to 49) outlines several mechanisms for lawful international transfers of personal data. These mechanisms are designed to ensure that data subjects’ rights are not compromised when their data leaves the EU. A transfer mechanism is required in addition to, not instead of, a lawful basis for the processing itself. The mechanisms include:

  1. Adequacy Decisions
    The simplest route is a transfer to a country, territory or sector for which the European Commission has issued an adequacy decision under Article 45. An adequacy decision means that the Commission has determined that the destination provides a level of data protection essentially equivalent to that within the EU. Countries with adequacy decisions include Japan, Switzerland, the United Kingdom and Canada (for commercial organisations covered by PIPEDA).
    Where an adequacy decision exists, no additional authorisation or safeguards are needed to transfer data, making this the least burdensome option. Adequacy is not always country-wide, however: the EU-US Data Privacy Framework adequacy decision adopted in July 2023 covers only US organisations that have certified under the Framework, so a transfer to a US recipient that is not certified still needs one of the other mechanisms below. Check the Commission’s current list before relying on adequacy, as decisions can be added, amended or invalidated by the courts.
  2. Standard Contractual Clauses (SCCs)
    In the absence of an adequacy decision, the most commonly used mechanism is the adoption of Standard Contractual Clauses (SCCs). These are contractual terms adopted by the European Commission that bind both parties to GDPR-equivalent data protection obligations; the current set, adopted in June 2021, covers controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. SCCs are attractive because they do not require individual approval from data protection authorities. They must be implemented carefully, though: the exporter remains responsible for assessing, in a documented transfer impact assessment, whether the law and practice of the recipient country undermine the clauses in practice.
    This assessment requirement comes from the Schrems II judgment (Case C-311/18, July 2020), in which the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and held that exporters relying on SCCs must evaluate the legal environment of the receiving country and adopt supplementary measures where necessary to ensure adequate protection.
  3. Binding Corporate Rules (BCRs)
    Binding Corporate Rules (BCRs) are a set of internal policies and procedures adopted by a corporate group to ensure that personal data transfers within the group (for example, between subsidiaries in different countries) comply with GDPR. BCRs must be approved by the competent supervisory authority following an EDPB opinion, which makes them more complex and slower to implement than SCCs. Once approved, however, BCRs provide a robust, flexible framework for managing international transfers within the group.
    BCRs are particularly useful for large, global businesses that transfer data frequently across borders. They demonstrate a commitment to high data protection standards and can be tailored to the specific needs and operations of the organisation. Despite the administrative burden, BCRs offer long-term legal certainty for intra-group transfers. They do not cover transfers to third parties outside the group, and the transfer impact assessment requirement from Schrems II applies to BCRs as well.
  4. Derogations for Specific Situations
    Where adequacy decisions, SCCs or BCRs are not feasible, Article 49 allows transfers under specific derogations. These include transfers made with the explicit consent of the data subject, transfers necessary for the performance of a contract with the data subject, and transfers necessary for important reasons of public interest. Derogations are intended as a last resort for occasional, non-repetitive situations; they are not suitable for large-scale or systematic transfers, and relying on them for routine data flows exposes the organisation to enforcement risk.
    Organisations must document the basis for relying on a derogation and ensure they meet its conditions. For example, consent for a transfer must be explicit, informed and freely given, and the data subject must be told of the possible risks of the transfer arising from the absence of an adequacy decision and of appropriate safeguards.

Supplementary Measures: Lessons from Schrems II

The Schrems II decision has had a profound impact on international data transfers, particularly for businesses relying on SCCs. The Court’s ruling held that SCCs alone may not be sufficient where the recipient country’s surveillance laws or lack of effective judicial redress undermine the protection the clauses promise, because a contract between exporter and importer cannot bind the authorities of a third country. As a result, businesses must assess the specific legal and regulatory context of the destination country (a transfer impact assessment) and implement supplementary measures where the assessment shows that the transfer mechanism is not effective on its own.

These supplementary measures can take various forms, including:

  • Encryption: Encrypting personal data before it leaves the EEA, using strong, state-of-the-art algorithms, with the keys kept solely in the EEA (or an adequate country) under the exporter’s control. This is effective where the importer only stores or relays ciphertext, such as backup or hosting scenarios. It does not help where the importer must process the data in the clear, and the EDPB has stated that in such cases it has not found an effective technical measure.
  • Pseudonymisation and anonymisation: Replacing identifying attributes with pseudonyms before transfer and keeping the re-identification key or mapping table solely in the EEA. Pseudonymised data is still personal data, so the transfer mechanism and other safeguards still apply, but the importer and its authorities cannot attribute the data to individuals. Truly anonymised data, which can no longer be linked to an individual even with additional information the recipient could reasonably obtain, falls outside GDPR and its transfer rules altogether.
  • Contractual Obligations: Expanding the obligations beyond the standard SCCs, for example requiring the importer to challenge disproportionate access requests, to notify the exporter of requests where legally permitted, and to publish transparency reports. Contractual measures cannot bind third-country authorities, so they complement technical measures rather than replacing them.
  • Technical and Organisational Controls: Implementing additional security controls such as authenticated and encrypted transfer channels, logging and audit of access to transferred data, strict need-to-know access, and data minimisation so that only the fields the importer actually needs are transferred.

For organisations transferring data to recipients in jurisdictions with extensive government surveillance programmes (including US recipients that are not certified under the Data Privacy Framework), these measures are critical to ensuring compliance with GDPR. Unlawful transfers fall under the highest tier of administrative fines in Article 83(5), up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, and supervisory authorities can also order the transfers to be suspended.
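The pseudonymisation measure above (and the alternatives mentioned later for high-risk jurisdictions) is easier to reason about with a concrete implementation. The following Python script is an added example, not code from the original article or from any regulator: the EEA exporter derives pseudonyms with HMAC-SHA256 and keeps both the key and the pseudonym-to-identifier table inside the EEA, the third-country importer receives only pseudonyms plus the minimised fields it needs, and a dictionary attack shows why an unkeyed hash of a low-entropy identifier does not count as pseudonymisation. The records, field names and the key-management arrangement are assumptions made for the illustration.

```python
"""Pseudonymisation before an EEA-to-third-country transfer.

Added example (not from the original article). The EEA exporter keeps both
the HMAC key and the pseudonym-to-identifier table; the non-EEA importer
receives only pseudonyms plus the fields it needs. All records are
constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample HR records (fictional people, not real data).
SAMPLE_RECORDS = [
    {"employee_id": "E-1001", "name": "Anna Schmidt", "email": "anna@example.eu",
     "country": "DE", "salary_band": "B3", "hours_worked": 160},
    {"employee_id": "E-1002", "name": "Luca Rossi", "email": "luca@example.eu",
     "country": "IT", "salary_band": "B2", "hours_worked": 152},
    # Second timesheet for E-1001: must map to the same pseudonym so the
    # importer can still aggregate per person.
    {"employee_id": "E-1001", "name": "Anna Schmidt", "email": "anna@example.eu",
     "country": "DE", "salary_band": "B3", "hours_worked": 8},
]

# Data minimisation: only what the payroll processor needs leaves the EEA.
FIELDS_FOR_IMPORTER = ("country", "salary_band", "hours_worked")
DIRECT_IDENTIFIERS = {"employee_id", "name", "email"}


class EeaExporter:
    """Controller in the EEA; the key and the lookup table never leave it."""

    def __init__(self, key=None):
        # 256-bit random key; in practice held in an EEA-resident KMS or HSM.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> employee_id, retained only here

    def pseudonym(self, identifier):
        # Keyed hash: deterministic (same person -> same pseudonym) but not
        # reversible or guessable without the key.
        return hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

    def prepare_export(self, records):
        exported = []
        for rec in records:
            pseud = self.pseudonym(rec["employee_id"])
            self._lookup[pseud] = rec["employee_id"]
            exported.append({"pseudonym": pseud, **{k: rec[k] for k in FIELDS_FOR_IMPORTER}})
        return exported

    def reidentify(self, pseudonym):
        # Only possible inside the EEA, where the table lives.
        return self._lookup.get(pseudonym)


def importer_hours_per_pseudonym(exported):
    """What the third-country processor can still do: aggregate per pseudonym."""
    totals = {}
    for rec in exported:
        totals[rec["pseudonym"]] = totals.get(rec["pseudonym"], 0) + rec["hours_worked"]
    return totals


def leaks_direct_identifiers(exported):
    """Pre-transfer check: no direct identifier may appear in the export."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in exported)


def unkeyed_pseudonym(identifier):
    """The common mistake: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(target, candidates, fn):
    """What an importer (or an authority compelling it) can try: hash every
    plausible identifier and compare. Succeeds against unkeyed hashes; fails
    against HMAC output because fn cannot reproduce the keyed hash."""
    for candidate in candidates:
        if fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    exporter = EeaExporter()
    export = exporter.prepare_export(SAMPLE_RECORDS)
    assert not leaks_direct_identifiers(export)
    print("importer sees:", export[0])
    print("hours per pseudonym:", importer_hours_per_pseudonym(export))
    ids = [f"E-{n}" for n in range(1000, 1100)]  # the guessable ID space
    print("plain sha256 reversed:", dictionary_attack(unkeyed_pseudonym("E-1002"), ids, unkeyed_pseudonym))
    print("HMAC reversed:", dictionary_attack(export[1]["pseudonym"], ids, unkeyed_pseudonym))
    print("EEA re-identification:", exporter.reidentify(export[1]["pseudonym"]))
```

Two caveats a transfer impact assessment should record. First, the measure only holds while the key and the lookup table genuinely stay in the EEA; if the importer’s support staff can reach the key management system, the protection is gone. Second, pseudonymisation must also consider the remaining attributes: in a small subsidiary, country plus salary band may single out one person even without a name, so those quasi-identifiers may need to be generalised or dropped as well.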

The Role of Data Protection Authorities and the European Data Protection Board

Data Protection Authorities (DPAs) across the EU play a pivotal role in overseeing and enforcing GDPR compliance, including international data transfers. Organisations should engage with their local DPA when developing policies for international transfers, particularly when seeking approval for mechanisms such as BCRs.

The European Data Protection Board (EDPB) provides guidance and recommendations on international data transfers, including opinions on the adequacy of third countries and the use of SCCs. Following the Schrems II ruling, the EDPB issued its Recommendations 01/2020 on measures that supplement transfer tools, which set out a step-by-step approach: map the transfers, identify the transfer tool, assess the law and practice of the third country, identify and adopt supplementary measures, and re-evaluate at appropriate intervals. These recommendations have become the reference point for transfer impact assessments.

Organisations are encouraged to stay informed about updates and guidance from the EDPB and DPAs, as data protection laws and international relations continue to evolve.

Post-Brexit Considerations: UK-GDPR and International Transfers

The United Kingdom’s departure from the EU has introduced additional complexities for international data transfers. Since 1 January 2021, the UK has operated under its own version of the regulation, the UK GDPR, which mirrors most provisions of the EU regulation but applies specifically to the UK and is enforced by the Information Commissioner’s Office (ICO).

For organisations operating in both the UK and the EU, it is crucial to understand the implications of cross-border data flows between the two regions. The European Commission granted the UK adequacy decisions in June 2021, allowing data to flow from the EEA to the UK without additional safeguards. These decisions were adopted with a four-year sunset clause and are subject to review, and they may be revoked if the UK’s data protection regime diverges significantly from GDPR. Organisations should therefore keep an alternative mechanism (such as SCCs) ready to deploy for EU-to-UK flows.

When transferring data from the UK to other third countries, organisations must follow UK GDPR requirements. The UK has its own transfer tools: the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs for organisations that already use the EU clauses, alongside UK-approved BCRs and the UK’s own adequacy regulations. A UK-specific transfer risk assessment is expected before relying on these tools.

Navigating Data Transfers to High-Risk Jurisdictions

While GDPR provides a robust framework for international transfers, certain countries pose higher risks because of inadequate data protection laws, broad government access powers, or both. Countries such as China and Russia, for example, have data localisation laws requiring certain personal data to be stored on servers within their borders, together with wide-ranging powers for authorities to access it. These laws can create direct conflicts with GDPR, particularly regarding who controls the data and who can be compelled to hand it over.

When transferring data to high-risk jurisdictions, organisations should conduct a thorough risk assessment, considering both the legal environment and the specific operational risks involved. Supplementary measures, such as encryption and data minimisation, become even more critical in these cases.

In some instances, organisations may need to reconsider whether the transfer is necessary at all, or restructure it so that only pseudonymised data leaves the EEA with the re-identification key retained in the EU, or only anonymised data, which is no longer personal data and therefore not subject to the transfer rules.

The Future of International Data Transfers

The landscape of international data transfers under GDPR is constantly evolving. The EU-US Data Privacy Framework, adopted in July 2023 as the successor to the invalidated Privacy Shield, restored an adequacy-based route for transfers to certified US organisations, but it has already been challenged in the EU courts, and businesses relying on transatlantic data flows should plan for the possibility that it is invalidated as its two predecessors were. Meanwhile, the Schrems II ruling and subsequent guidance from the EDPB have set a higher bar for businesses seeking to transfer data outside the EU under any mechanism.

Organisations must remain agile and proactive in responding to these changes. Regularly reviewing data transfer mechanisms, conducting risk assessments, and staying informed about regulatory updates are essential steps in maintaining GDPR compliance.

As data becomes an increasingly valuable asset in the global economy, the need for robust, flexible, and legally sound data transfer mechanisms will continue to grow. By understanding the complexities of GDPR’s international transfer provisions and adopting best practices for compliance, organisations can navigate the global seas of data protection with confidence and resilience.

Conclusion

Navigating the international transfer of personal data under GDPR is no small feat. The regulation sets a high standard for data protection, both within the EU and beyond its borders, and organisations must be diligent in ensuring that data transfers are conducted lawfully and securely. Whether using adequacy decisions, SCCs, BCRs, or derogations, it is critical to assess the risks involved in each transfer and implement appropriate safeguards.

In the post-Schrems II era, businesses must also consider the legal landscape of the destination country and adopt supplementary measures where necessary to protect personal data. By staying informed about regulatory developments and engaging with DPAs, organisations can ensure they remain compliant with GDPR while facilitating the global flow of data essential for modern business operations.
