International data transfers continue to be one of the most discussed subjects in the world of privacy and data protection. The UK’s departure from the European Union, and the end of the transition period on the 31st of December 2020, adds a further level of complication. The DPO Centre advises clients from a wide range of sectors that are grappling with how to manage the lawful transfer of data across international borders.
In this blog we discuss some underlying reasons why this is such a complex issue. Whilst the regulations are understood, the practicalities of implementing and abiding by them are the real challenge. Our conclusion is that there is no one-size-fits-all solution; each organisation’s situation should be treated individually on a case-by-case basis. Even then, there is often no definitive answer and it’s necessary to make considered, risk-based decisions. Some of the main considerations we advise on include:
Free movement of data
The GDPR imposes restrictions on the free movement of EU residents’ personal data out of the EU. With no physical border checks for data, data flows rapidly and unimpeded around the globe in a way that is almost untrackable and untraceable.
So the GDPR puts the onus on data controllers to take responsibility for ensuring the personal data they use is processed lawfully, fairly and transparently, no matter where it is processed or by whom. Whilst controllers should make all reasonable efforts to ensure this happens, in reality it is very difficult to manage and monitor.
Mapping data flows
To manage cross-border flows of personal data, it’s first necessary to map the flows and understand how, where and by whom data is processed.
This is, at best, extremely challenging, particularly where data traffic can flow in numerous directions almost instantaneously across multiple borders between different organisations. This is particularly true for AI, AdTech, MedTech, FinTech and Internet of Things (IoT) businesses. Even in more traditional organisations there are increasingly lengthy data processing chains to map.
Determining where the data is actually held and processed can also be very difficult. Much is held in the ‘cloud’, and whilst most cloud data storage solutions identify a specific region or country for processing (or at least whether they are based in the EU or not), algorithmic or rules-based processing can be conducted simultaneously in different jurisdictions.
Data held in the cloud can be readily accessed, amended and deleted by multiple organisations from different countries. It can be, and often is, processed for multiple projects and purposes. As the data controller, ensuring the data is held securely and processed appropriately is, to say the least, difficult. This presents a significant area of risk which cannot be evaluated without a thorough knowledge of how the data flows.
Data flows don’t map to legal structures
Data mapping is further complicated in that the GDPR assumes borderless data flows can be mapped against territory- or country-based organisational legal structures.
This is particularly problematic with legal structures that have often been set up for tax purposes and don’t reflect operational realities. So, for example, companies registered in Luxembourg, Dublin or the Channel Islands don’t necessarily process data in these jurisdictions. Given the difficulties described above, it can be difficult to determine exactly in which jurisdiction they and their processors process the data.
Determining the appropriate lead authority
We are frequently asked by our clients “can we identify a single lead authority?” and “do we have to register with authorities in multiple countries?”
In most cases you would nominate the authority in the member state where your main establishment is based. Similarly, if a company has widespread local operations in the EU but centralises the administration and processing decision-making power in a particular member state, it is in that member state that the main establishment will be identified.
Inevitably, determining a main establishment will be a complicated exercise for some businesses, and it may be that multiple lead authorities can be identified where processing decisions are made at a local level and differ from country to country.
However, for companies that cannot demonstrate the presence of a main establishment within the EU (as will be the case for many UK companies once Brexit is complete), and for which a single authority therefore cannot be determined, no lead authority can be appointed. These organisations may still need to appoint a representative within the EU to manage communications with EU data subjects, but the benefit of the lead authority one-stop-shop will not be available to them.
After the Brexit transition period, it may be that subsidiaries of UK parent companies will need to register with an appropriate lead authority in the EU, as the ICO will no longer play a part in the ‘one-stop-shop’ system. Whether they are able to register with another data protection authority and take advantage of the one-stop-shop principle will depend on whether the subsidiary in question possesses actual decision-making powers regarding the processing occurring throughout the EU, or whether it is simply acting on the instruction of its non-EU parent company. In the latter case, it is unlikely that a single lead authority can be nominated.
For group companies with multiple subsidiaries in different member states, the decision whether each subsidiary needs to register with its own local supervisory authority should be assessed on a case-by-case basis. The decision will again depend on where processing decisions are made. A detailed data mapping exercise, identifying who is the data controller and therefore responsible for processing, will be required in order to enable this decision to be made.
Where two or more controllers based in the EU jointly make decisions, as with all joint controller processing, they must determine their respective responsibilities under the GDPR. The European Data Protection Board (EDPB) suggests that this will extend to the lead authority mechanism, so that the joint controllers will designate one establishment that will have the requisite power to implement decisions with regard to the processing.
Defining controller and processor relationships
The GDPR relies on defining data controller, joint controller, controller in common, data processor and sub-processor relationships to define responsibilities and liabilities. In their most simplistic form: controllers determine the purpose and means of processing; if this is set by two or more controllers, then they are deemed joint controllers; if they determine the purpose of the same data independently (i.e. where one controller contributes data to another controller’s database, as with a school and a Department of Education), they are controllers in common. However, the nature of the relationships will depend on the situation and processing activity.
The cross-border nature of this processing, particularly when one of the partners is based outside the EU, brings additional layers of complexity, so these relationships must be clearly defined.
Data Controllers outside the EU
Another complex scenario arises for subsidiaries with a non-EU parent company, which may not be required to comply with the GDPR’s principles for the entirety of its own processing, but “requires” the subsidiary to provide data. Having received personal data from the subsidiary, there is a real concern that the parent does not adhere to, or enable the subsidiary to comply with, the GDPR’s obligations and the data subject rights afforded to EU residents.
An example could be a shipping and distribution company that is required to provide personal data without a clear understanding of whether it will be used appropriately by the principal. The subsidiary has limited recourse to the parent but is liable in the first instance for a data breach or if its obligations under the GDPR are broken.
In this case it is important that the subsidiary takes all reasonable steps to ensure it is compliant, puts appropriate data sharing agreements in place with the parent, and documents that it has made the controller fully aware of its obligations.
Enforceability
The ability of EU data protection authorities to enforce actions against organisations based outside the EU has been the subject of considerable discussion, and as yet, is still to be proven. We have had discussions with a number of international organisations that do not believe it necessary to comply with the GDPR because they believe the regulation cannot be enforced in their territory.
It is important that both data processors and data subjects understand this risk. Whilst organisations outside the EU may be named and shamed if they abuse EU residents’ personal data, it is often too late for the data subjects affected. It remains to be seen if EU regulators or independent privacy advocates will be able to bring successful claims against these organisations.
We recommend that all reasonable steps are taken by organisations outside the EU to ensure compliance with the GDPR. ‘GDPR-like’ privacy principles are increasingly being applied to new and incoming legislation in other international jurisdictions. The California Consumer Privacy Act (CCPA), for example, has similar extra-territorial scope provisions, so it also affects certain organisations worldwide that process personal data on California residents. As privacy legislation becomes more universal it will become incumbent on all organisations to comply wherever they are based, so taking a GDPR-as-the-minimum-standard approach will likely prove beneficial in the longer term.
Assessing adequacy outside the EU
Under Article 45 of the GDPR, a non-EU country can be deemed “adequate” by the European Commission if its data protection laws provide a standard of protection essentially equivalent to that provided in the EU. If a country is deemed adequate, then cross-border data transfers to organisations within that country can be conducted without further safeguards or controls. A list of countries considered adequate can be found in this factsheet.
In a world with increasingly low-friction or even frictionless trade, it is often impossible to conduct business within the EU without transferring personal data to countries that are not considered adequate.
When doing so, we recommend making best efforts to put additional safeguards and controls in place. You should always ensure that the receiving party understands its obligations and liabilities under the GDPR, that it provides warranties and indemnities in respect of data protection, that only the minimum amount of personal data is transferred, that the data is mapped correctly, that the lawful basis for the transfer is understood, and that data sharing agreements are in place, most likely based on Standard Contractual Clauses.
Understanding the impact of legislation in other jurisdictions
Until recently, the focus, particularly in the UK and Europe, has been on complying with the GDPR. New legislation, like the CCPA in California and the LGPD in Brazil, adds another layer of complexity when data is being transferred across borders. Some of this legislation, notably the CCPA, adds the extra-territorial scope dimension.
There is now an increasing number of software tools, such as DataGuidance from OneTrust, that are continuously updated and can assist organisations in understanding what their data protection compliance responsibilities are in different jurisdictions.
It is important that organisations are now aware of their new legal responsibilities when processing the personal data of residents in these different jurisdictions.
In summary
Personal data can now be transferred around the globe at the touch of a button in a way that was inconceivable only a few years ago. This presents huge opportunities for international trade but genuine concerns for privacy and the protection of personal information.
Managing cross-border personal data transfers whilst remaining compliant with the GDPR and further new legislation in other jurisdictions is complex. In this blog we’ve discussed some of the many considerations. In our experience, there’s no simple “one size fits all” solution; each organisation should evaluate its own unique circumstances and take a considered, risk-based approach. When performing this evaluation, it’s always important to:
The DPO Centre are experts in data mapping and can assist with the legislative requirements of international data transfers. We provide consultancy and ongoing data protection officer services that will assist you to understand your data and the steps required to ensure compliant transfers.