Navigating Data Transfers: Can Personal Data Be Transferred Outside of the UK Under UK Data Protection Law?

As globalisation drives the seamless flow of information across borders, the transfer of personal data beyond national boundaries has become a common practice. Organisations often need to transfer data to different jurisdictions for a variety of reasons, from outsourcing services to engaging in cloud computing. However, for UK-based entities, navigating the legal landscape of transferring personal data outside of the United Kingdom has become increasingly complex, particularly in the wake of Brexit.

This article will explore the framework for transferring personal data outside of the UK under current UK data protection law, focusing on the rules, mechanisms, and best practices organisations need to follow to ensure compliance.

The Regulatory Framework for International Data Transfers

When it comes to data protection, the UK’s regime is primarily governed by two key pieces of legislation:

  1. The Data Protection Act 2018 (DPA 2018): This is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR), tailored to fit the UK’s legal context after Brexit. It forms the backbone of the UK’s domestic data protection laws.
  2. The UK GDPR: Following Brexit, the EU GDPR was adopted into UK law with certain modifications to accommodate the post-Brexit context. The UK GDPR operates alongside the DPA 2018 and governs data protection in the UK. One of its crucial aspects is how it regulates international data transfers, including transfers to countries outside of the European Economic Area (EEA), referred to as “third countries”.

Under UK GDPR, transferring personal data to a country or organisation outside of the UK is only permitted under specific circumstances. The main purpose of this legal framework is to ensure that when data leaves the UK, it continues to be adequately protected. The guiding principle is that data should not be transferred to a third country unless that country ensures an equivalent level of data protection.

When Can Personal Data Be Transferred Outside of the UK?

To determine whether personal data can be transferred outside of the UK, the first step is understanding the rules that apply. Transfers can be made under three primary mechanisms:

  1. Adequacy Decisions: If the destination country has been deemed to offer an “adequate” level of data protection.
  2. Appropriate Safeguards: Where no adequacy decision exists, organisations must implement specific safeguards to protect the data.
  3. Derogations: In limited circumstances, transfers may still be permissible based on certain exceptions.

Let’s delve into each of these mechanisms.

Adequacy Decisions: What They Mean and How They Work

The easiest way to transfer personal data from the UK to another country is if the UK government has made an adequacy decision in respect of that country. An adequacy decision means that the UK has assessed the laws and practices of the receiving country and determined that they offer a level of data protection essentially equivalent to that of the UK.

Countries that have been granted adequacy decisions by the UK can receive personal data without the need for any additional safeguards. At the time of writing, the UK has granted adequacy decisions to a number of countries, including:

  • European Union (EU) and European Economic Area (EEA) countries,
  • Andorra,
  • Argentina,
  • Canada (for certain data),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Switzerland,
  • Uruguay.

The European Union itself has an adequacy decision from the UK, allowing for the continued flow of personal data between the UK and the EU after Brexit.

It’s important to note that adequacy decisions are subject to periodic review and may be revoked or suspended if a country’s data protection standards are found to have deteriorated. This introduces an element of uncertainty for organisations relying solely on adequacy decisions, though such changes are rare and tend to be well-telegraphed in advance.

Appropriate Safeguards for Data Transfers to Countries Without Adequacy Decisions

If a country has not been granted an adequacy decision by the UK, it does not necessarily mean that data transfers to that country are prohibited. However, organisations must implement appropriate safeguards to ensure that the personal data remains protected to the same standard as within the UK. These safeguards must be legally binding and enforceable.

The most commonly used safeguards are:

a) Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are a set of template clauses approved by the Information Commissioner’s Office (ICO) or relevant regulatory authorities. SCCs can be incorporated into contracts between data exporters (based in the UK) and data importers (based in a third country). The SCCs outline specific obligations for both parties concerning the protection of personal data.

For SCCs to be effective, both the UK exporter and the overseas importer must adhere to the contractual terms, which include duties such as ensuring data security and reporting breaches. However, following the landmark “Schrems II” ruling by the Court of Justice of the European Union (CJEU) in 2020, organisations relying on SCCs must also conduct additional assessments to ensure that the laws of the recipient country do not undermine the protections the SCCs offer.

This means that organisations must assess the legal framework in the recipient country to ensure there are no laws (such as mass surveillance legislation) that could jeopardise the security of personal data. In practice, this can be a time-consuming and resource-intensive process, but it is essential to ensure compliance.

b) Binding Corporate Rules (BCRs)

Binding Corporate Rules are another form of appropriate safeguard. They are internal rules adopted by multinational organisations for transferring personal data within the same corporate group to entities located in countries without an adequacy decision.

BCRs must be approved by the ICO before they can be used. They typically impose obligations on all entities within the corporate group to handle personal data in compliance with UK data protection standards, even if the entities are located in countries without an adequacy decision. BCRs offer a flexible and scalable solution for large multinational companies that frequently transfer data across borders within their corporate network.

c) Certification Mechanisms and Codes of Conduct

The UK GDPR also provides for the possibility of using approved certification mechanisms or codes of conduct to transfer data outside the UK. These mechanisms, once approved by the ICO, can act as appropriate safeguards.

Certification mechanisms and codes of conduct are relatively new under the UK GDPR, and at the time of writing there are few in place. However, these mechanisms may become more widely used in the future, particularly for industries with specific data protection requirements, such as health or finance.

Derogations: Exceptions to the Rule

In cases where neither an adequacy decision nor appropriate safeguards are in place, organisations can still transfer personal data outside of the UK if one of the following derogations applies. These derogations are exceptions to the general rule and are typically applied in specific, limited situations.

The main derogations include:

  • Explicit Consent: The individual has given explicit consent to the proposed transfer, after being informed of the possible risks due to the absence of an adequacy decision or appropriate safeguards.
  • Contractual Necessity: The transfer is necessary for the performance of a contract between the individual and the organisation, or for pre-contractual measures taken at the individual’s request.
  • Public Interest: The transfer is necessary for important reasons of public interest, such as humanitarian emergencies or public health issues.
  • Legal Claims: The transfer is necessary for the establishment, exercise, or defence of legal claims.
  • Vital Interests: The transfer is necessary to protect the vital interests of the data subject or another person, where the individual is incapable of giving consent (for example, in a medical emergency).
  • Public Registers: The transfer is made from a public register that is intended to provide information to the public, and the person accessing the register complies with the legal conditions for accessing it.

Derogations should only be used as a last resort, as they are limited in scope and typically require a high level of documentation and justification to demonstrate compliance with the UK GDPR.

Post-Brexit Considerations: Data Transfers Between the UK and the EU

One of the most significant challenges post-Brexit has been ensuring the continued free flow of data between the UK and the European Union. As the UK is now considered a third country under the EU GDPR, the legal basis for transferring personal data between the two regions has changed.

Fortunately, the European Commission granted the UK an adequacy decision in June 2021, meaning that personal data can flow freely from the EU to the UK without the need for additional safeguards. This adequacy decision is, however, subject to review, with the initial decision set to expire in June 2025 unless renewed.

For UK-based organisations transferring data to the EU, the UK’s adequacy decision for the EU ensures that these transfers can continue seamlessly. However, organisations must remain vigilant and be prepared for the possibility that the adequacy decision may be revoked or not renewed, in which case they would need to rely on appropriate safeguards, such as SCCs.

Accountability and Documentation: Ensuring Compliance

Under the UK GDPR, the principle of accountability requires that organisations are able to demonstrate compliance with data protection rules. When transferring personal data outside of the UK, it is essential that organisations maintain detailed records of:

  • The legal basis for the transfer (adequacy decision, SCCs, BCRs, etc.);
  • Data protection assessments and impact assessments carried out (particularly if relying on SCCs);
  • Contracts and documentation supporting the transfer;
  • Any derogations relied upon, along with the justification for using them.

Failing to document data transfers appropriately can expose organisations to significant regulatory and reputational risks, including fines and enforcement actions from the ICO.

Key Risks and Challenges of International Data Transfers

While the legal framework for data transfers outside of the UK is well-established, organisations face several risks and challenges in practice:

  1. Legal Uncertainty: Data protection laws are subject to change, particularly in light of evolving geopolitical relationships (such as Brexit). Organisations must stay updated on legal developments in both the UK and third countries to ensure continued compliance.
  2. Varying Standards of Protection: Even when using SCCs or other safeguards, data recipients in third countries may not always be able to offer the same level of protection as within the UK, particularly in countries with weak enforcement or extensive government surveillance laws.
  3. Data Subject Rights: Individuals whose personal data is transferred abroad retain their rights under the UK GDPR, including the right to access, rectification, and erasure. Organisations must ensure that data subjects’ rights can still be upheld in the recipient country.
  4. Regulatory Scrutiny: The ICO has the power to investigate and take action against organisations that fail to comply with international data transfer rules. Non-compliance can lead to fines of up to £17.5 million or 4% of annual global turnover, whichever is higher.

Best Practices for Ensuring Compliance with International Data Transfer Rules

To minimise the risks associated with international data transfers, UK-based organisations should adopt the following best practices:

  • Regularly Review Transfers: Conduct regular reviews of all international data transfers to ensure compliance with the latest regulatory developments, especially in countries without adequacy decisions.
  • Conduct Data Protection Impact Assessments (DPIAs): Before transferring data, carry out DPIAs to assess the risks associated with the transfer, including legal risks in the destination country.
  • Implement Technical and Organisational Measures: Ensure that robust security measures are in place to protect personal data during transfer and in storage.
  • Engage with Legal Experts: Given the complexity of international data transfers, it’s essential to consult with legal experts who specialise in data protection to ensure that all transfers are compliant.
  • Monitor Adequacy Decisions and Safeguards: Stay updated on the status of adequacy decisions and any changes to SCCs or BCRs that may impact your data transfers.

Conclusion

Navigating the landscape of transferring personal data outside of the UK is a challenging but essential task for organisations in the modern, interconnected world. The UK GDPR and the Data Protection Act 2018 provide a robust framework to ensure that personal data remains protected, even when it crosses borders. By understanding the mechanisms available—whether through adequacy decisions, appropriate safeguards, or derogations—and adhering to the principle of accountability, organisations can ensure that their international data transfers are both legally compliant and secure.
