In recent years, data has been hailed as the new gold. Personal data (information which relates to an identified or identifiable natural person) helps businesses understand their customers and create an individualised experience. It helps improve products and services and, for the life sciences, personal data is crucial for research and innovation.
Personal data is classified by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) as “any information which is related to an identified or identifiable natural person.”
However, due to its ever-increasing utility and value, personal data must be protected to safeguard privacy rights, prevent identity theft and foster trust. Therefore, organisations must follow strict protocols when sharing and transferring personal data.
The Facebook-Cambridge Analytica scandal of 2018 received significant media attention when it was discovered that personal data had been collected through multiple apps and transferred to Cambridge Analytica for use in targeted advertising in the 2016 US elections. The scandal had a major impact on privacy ethics and was certainly a factor in the further scrutiny of regulations governing data transfer (the movement of data from one place to another, for example from one data controller to another or from one jurisdiction to another).
There are many reasons why organisations need to transfer personal data; it has become an increasingly essential part of international trade. All industry sectors have data transfer requirements, whether sharing for life sciences research, customer data for retail operations, or employee details between international offices. But the most important consideration, no matter the business sector or size, is to ensure data transfers are processed with the proper controls and safeguards to protect the privacy and rights of individuals. When transferring personal data to a third country, organisations must put in place appropriate safeguards so that the GDPR principles are adhered to, data subjects' rights are respected and data subjects have access to redress if they are not.
International data transfer rules are not new. They were first introduced in 1995 under the Data Protection Directive, when the internet was in its infancy. The European Commission (one of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law) brought in the directive to address the growing concerns around data privacy and to safeguard individuals’ information. Since then, of course, there have been many updates, notably the General Data Protection Regulation (GDPR), which came into effect in 2018.
This blog explores the tools used to legitimise international data transfers, in particular standard contractual clauses (SCCs), the legal tools that provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries and the most commonly used mechanism to ensure compliance when processing an international data transfer.
Standard Contractual Clauses (SCCs), also known as Model Clauses or EU Model Clauses, are a set of contractual provisions approved by the European Commission. SCCs are used to facilitate the export of personal data from the European Economic Area (EEA) to countries outside the EEA (known as third countries) that do not have an adequate level of data protection.
SCCs allow data controllers (entities, such as an organisation, which determine the purposes and means of the processing of personal data) and data processors (third parties processing personal data on behalf of a data controller) to comply with their obligations under the GDPR. Incorporating SCCs into contracts not only helps businesses mitigate liability, but also ensures the retention of provisions that safeguard personal data. It builds trust and confidence and demonstrates the integrity of the exporting organisation.
To put it simply, SCCs help in providing GDPR-like protection to EU personal data after leaving the EEA.
Following Brexit, the GDPR was adopted into UK law as the UK GDPR, complemented by the UK’s Data Protection Act 2018. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018; this became the UK GDPR on 1 January 2021 when the UK formally exited the EU.
Since the UK’s departure from the EU, different mechanisms now apply depending on whether data is transferred from the EEA or from the UK. One of these mechanisms is required unless the destination country has been awarded adequacy.
Adequacy is the status granted to a country to allow data to be transferred to it without additional safeguards. In other words, a country with adequacy has similar data protection provisions, so additional protection measures are not required. The UK has awarded adequacy to most of the same countries as the EU, but there are some differences.
Here is a helpful overview:
| | Transferring data from the EEA | Transferring data from the UK |
|---|---|---|
| Key data transfer mechanisms | Standard Contractual Clauses (SCCs); Binding Corporate Rules (BCRs); Adequacy decisions; Derogations under Article 49 of the EU GDPR | Standard Contractual Clauses (SCCs) with Addendum; International Data Transfer Agreement (IDTA); UK Binding Corporate Rules (UK BCRs); Adequacy decisions; Derogations under Article 49 of the UK GDPR |
| Current countries with adequacy | Andorra, Argentina, Canada (commercial organisations operating under PIPEDA*), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK (under the GDPR), Uruguay, US (under the new EU-US Data Privacy Framework) | Countries, territories and sectors covered by the EU GDPR (but not currently the US), plus Gibraltar and Japan (private sector organisations only) |

Notes on the terms used in the table:
- Addendum: an additional document that modifies, clarifies or supplements the terms of an existing legal document without nullifying the original content.
- International Data Transfer Agreement (IDTA): a UK framework used as a mechanism to enable a data sharing agreement for the legal transfer of personal data to a country outside the UK. It came into force on 21 March 2022 and replaced the EU’s Standard Contractual Clauses (SCCs).
- Binding Corporate Rules (BCRs): a series of data protection policies adhered to by companies established in the EU, allowing transfers of personal data outside the EU within a group of undertakings or enterprises. BCRs provide adequate safeguards when making restricted transfers within an international organisation if both sender and receiver have signed up to the BCRs.
- EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- EU-US Data Privacy Framework (EU-US DPF): a set of principles and safeguards for transferring personal data from the EU to certified US organisations. The programme took effect on 10 July 2023, replacing the invalidated Privacy Shield, and the EU Commission has since deemed transfers from the EU to certified US organisations adequate.
Since 2022, the two main ways UK organisations can transfer data across borders are the new International Data Transfer Agreement (IDTA) and the EU’s SCCs with the addition of the ICO’s International Data Transfer Addendum.
The Addendum route is more often used when an organisation has both EU and UK based entities. But this is where things can become complicated. The juggling of agreements and Addendums can cause a real headache for businesses, and on top of these complexities, the UK privacy sector is patiently awaiting updates on the potential new UK legislation proposed in the Data Protection and Digital Information (No.2) Bill. It is currently at the report stage in the House of Commons and due to enter its third reading, before being passed to the House of Lords.
The UK government aims to simplify the UK’s data protection framework to support even more international trade without increasing costs.
The UK is also currently working with a number of countries which may be included in adequacy regulations in the future, including Australia, Brazil, Colombia, The Dubai International Financial Centre, India, Indonesia, Kenya, Singapore, and the US.
What this will mean for the UK’s adequacy with the EU remains a contentious issue.
“International transfers paint a dynamically evolving canvas for personal data protection. The landscape continuously reshapes itself, not just within the contours of the EU and the UK. Countries worldwide are crafting their own versions of contractual safeguards inspired by the EU’s SCCs. As the story of international data transfers is written and rewritten, it forces us to keep pace with its relentless transformation and to continually adapt our understanding so we can provide the best advice for our clients.”
Katrina Leach, Head of Data Protection Operations, The DPO Centre
Here is a quick run-through of the mechanisms for international data transfers:
Standard Contractual Clauses (SCCs) are the most frequently preferred mechanism for international data transfers between organisations. They address many of the complexities in modern business data processing chains and are intended for transfers between two legal entities.
SCCs are template contract terms that require the signature of both parties engaging in data transfers from the EU or the UK to a third country (a country that is not part of the European Economic Area).
The mechanism covers most scenarios including:
As mentioned earlier, when using SCCs for UK-based organisations, the ICO’s Addendum must be included.
Adequacy:
International data flow is important for the economy and restrictions can be damaging for trade. However, the protection of an individual’s personal data and privacy rights are of equal importance.
Adequacy is the data protection status given to a country deemed to have equivalent safeguards to the GDPR. This allows data transfers to proceed without the need for additional mechanisms. An adequacy decision ensures there are high standards of protection for personal data.
International trade negotiations are constantly evolving, and organisations must be vigilant of any legislative changes that may affect their data transfer activities. This is where a data protection professional is invaluable to a company. Qualified Data Protection Officers and Data Protection Representatives have up-to-date privacy knowledge to support any changes.
ADEQUACY UPDATE: New EU-US Data Privacy Framework (DPF)
On 10 July 2023, the European Commission granted adequacy for EU-US data transfers using the EU-US Data Privacy Framework. The adequacy decision is a welcome addition to the list of mechanisms that organisations can now use for transatlantic transfers. It is anticipated that the UK will also agree to the Data Privacy Framework in due course, and a “data bridge” has been agreed in principle, which will operate as an extension to the EU-US DPF programme.
Binding corporate rules (BCRs):
BCRs are a mechanism for data transfer within a company or a group of companies. In simple terms, they are internal rules that define the policy for transferring personal data outside the EU. For UK organisations there are UK BCRs.
The rules must be adhered to by all entities of the company or organisation, regardless of the host country. The conditions for these are set out by the GDPR and UK GDPR respectively.
Full details about all international data transfer mechanisms can be found in Chapter 5 (Art. 44-50) of the GDPR. For specific details about transfers from the UK, see the international transfers guidance from the ICO (the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and related legislation).
Many organisations cite cross-border data transfers as one of their most difficult tasks. In the recent Data Protection Index Report, which charts data protection attitudes and opinions across the spectrum of sectors in the UK, 10% of the panel of privacy professionals cited international data transfers as their organisation’s biggest GDPR challenge. The latest UK DP Index Report is available to download.
There are currently more than 120 countries with international data protection laws, and the privacy landscape is constantly changing. With businesses having a growing global presence, cross-border data transfers will only continue to become more complex, especially when dealing with multiple jurisdictions, each with its own data protection laws.
The DPO Centre team have the data transfer expertise to help you navigate the constantly evolving arena of international privacy legislation.
For more advice or to discuss a specific data transfer issue, please complete the form below and we will be in touch.