International transfers of personal data: are you compliant?

Recent changes to the law around the international transfer of personal data mean that businesses need to review any arrangements which may result in personal data being transferred or accessed from outside the UK, to ensure that the personal data remains protected and that the transfer does not breach data protection law.

The UK is known for having one of the most onerous data protection regimes in the world, but the protection afforded to personal data in other countries varies significantly. To ensure that people’s personal data is not put at risk by being transferred to another country with lesser safeguards, the UK GDPR prohibits any international transfer of personal data unless certain requirements are met.

Am I making an international transfer?

International transfers of personal data can occur in a wide range of circumstances.

A common example is when a UK company engages a supplier which is based outside the UK (or which has sub-contractors based outside the UK). In this case, it is important to check whether the supplier will have access to any personal data and, if so, where that personal data will be held and accessed from. Even if the personal data remains held in the UK, if staff based in another country can remotely access it, this will constitute an international transfer of personal data.

Another example is transfers of personal data within a group of companies – perhaps a UK subsidiary of a foreign company providing reports to its parent company or sharing its parent company’s (non-UK based) computer systems. Even though these transfers are taking place within a group, the international transfer rules still apply.

However, the international transfer rules only apply where the personal data is being sent to (or made available to) a separate legal entity. International transfers which take place within a company (for example, if one of that company’s employees is working abroad) are not subject to the international transfer rules.

What if the country that the personal data is being transferred to provides strong protection for personal data?

Fortunately, transferring personal data internationally does not always have to involve extra work. Some countries have similar data protection standards to those that we have in the UK, and these countries benefit from an “adequacy decision”, meaning that personal data can be transferred to these countries without any additional steps being taken.

The most obvious example is the EU and EEA, where data protection law remains extremely similar to the data protection law in the UK. Transfers to any country within these organisations can continue to be made without any additional safeguards being put in place, notwithstanding that the UK is no longer a member of the EU.

In some cases, the situation is a little more complicated. Some countries have only “partial” adequacy decisions, meaning that the free transfer of personal data to those countries only applies in certain circumstances.

The most important of these “partial” adequacy decisions is that for the US. Whilst some US states do have relatively robust data protection laws, none have yet been recognised as “adequate” under UK law. However, an optional scheme known as the Data Privacy Framework allows US-based companies to voluntarily agree to comply with obligations similar to those imposed by the UK GDPR. If a company is registered with the Data Privacy Framework, personal data can therefore be transferred to that company without any further work.

When transferring personal data to the US, it is therefore important to check the Data Privacy Framework to establish whether the company that the personal data is being transferred to is registered. It is important to ensure that the company has opted-in to the UK extension to the Framework and is registered for HR data or non-HR data (depending on which type of data you are transferring).

A full list of countries which benefit from adequacy decisions can be found here.

What steps need to be taken where the transfer is not covered by an adequacy decision?

Although the number of countries covered by adequacy decisions is slowly increasing, many major countries around the world still do not have the benefit of adequacy decisions. Many US-based companies also remain unregistered with the Data Privacy Framework, meaning that they do not benefit from the partial adequacy decision.

Where a transfer of personal data is not covered by an adequacy decision, it is generally the responsibility of the company making the transfer to ensure that the personal data will not be put at risk by the transfer (there are limited derogations where a transfer can be made without putting safeguards in place, but these will rarely apply).

It is therefore essential to follow the steps below before commencing any new international transfer of personal data. However, the rules around these types of transfers of personal data have changed significantly over the previous few years, so many existing transfers may now be non-compliant, even if they were compliant when they commenced. It is therefore essential to check all international transfers of personal data to ensure that they follow the current rules.

Does the proposed transfer put the personal data at unnecessary risk?

The Schrems II judgment in 2020 imposed a significant new requirement on any company wanting to make a transfer of personal data that was not covered by an adequacy decision. Prior to commencing that transfer, the company must carry out an assessment to ensure that the personal data will continue to be sufficiently protected and, where required, put in place additional measures to help protect the personal data.

Although this judgment took effect immediately, it was not until November 2022 that the UK Information Commissioner’s Office (ICO) published its Transfer Risk Assessment Tool. In practice, this means that most transfers commenced prior to November 2022 do not have a compliant assessment in place, and therefore do not comply with the new stricter requirements following the Schrems II ruling.

Whether reviewing an existing transfer arrangement or commencing a new one, it is therefore essential to complete the Transfer Risk Assessment Tool first. This will identify whether or not the transfer can be safely made (with or without extra steps and protections being put in place) and, if not, whether there are any exemptions which apply which will allow the transfer to be made anyway.

What other documentation needs to be put in place where the transfer is not covered by an adequacy decision?

Assuming that the Transfer Risk Assessment Tool establishes that a transfer can be made, a special form of agreement known as the International Data Transfer Agreement needs to be put in place with the company that the personal data is being transferred to.

The International Data Transfer Agreement came into effect on 21 March 2022. However, agreements could continue to be entered into on the basis of the former “standard contractual clauses” until 21 September 2022. Where an agreement was entered into on the basis of the old clauses, transitional arrangements meant that transfers could continue to be made under these outdated agreements until 21 March 2024. However, now that these transitional arrangements have expired transfers cannot continue unless a new International Data Transfer Agreement has been entered into. It is therefore essential to review all existing relationships to ensure that an International Data Transfer Agreement is in place.

What effect has Brexit had on the rules governing international transfers of personal data?

Now that the UK is no longer a member of the EU, data protection law has slowly started to diverge, and international transfers are one of the main areas where the UK and the EU have chosen to take a materially different approach.

The EU rules are outside the scope of this article, but they differ in quite a number of respects from the UK rules, including in terms of the risk assessment which must be carried out and the clauses which must be put in place to govern the transfer. From a UK perspective, it’s worth noting that the ICO has confirmed that a UK company may choose to adopt the EU approach if preferred (for example, if the UK company is part of a multi-national group and wishes to take a consistent approach with its EU-based affiliates), but the recognition has not been reciprocated – the EU data protection authorities would not recognise the UK approach as a valid basis to justify international transfers from an EU member state.