The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.

Non-EU EEA countries

Transfers to Iceland, Norway and Lichtenstein currently constitute restricted transfers. This will remain the case until the EEA (European Economic Area) Joint Committee decides that the GDPR shall apply to these countries. After this, transfers to the three non-EU EEA countries will not constitute restricted transfers.

How to make restricted transfers

The ICO states that restricted transfers should only be considered if an organisation’s aims cannot otherwise be achieved.

The ICO states that the following questions must be worked through by any organisation attempting to make a restricted transfer:

  1. Has the European Commission made an “adequacy decision” about the country in which the receiver is based? If the answer is yes, you may proceed with the restricted transfer. If the answer is no, move to question 2.
  2. Is the restricted transfer covered by appropriate safeguards? The safeguards are set out under GDPR Article 46. They include mechanisms such as binding corporate rules, standard contractual clauses and approved codes of conduct. If the answer is yes, you may proceed with the restricted transfer. If the answer is no, move to question 3.
  3. Is the restricted transfer covered by an exception? Relevant exceptions are set out under GDPR Article 49. They include: (i) data subjects’ explicit consent; (ii) transfers necessary for the performance of a contract to which data subjects are subject; and (iii) transfers necessary for important reasons of public interest or to protect an individual’s vital interests. A “catch all” exemption applies for one-off transfers made in an organisation’s legitimate interests. However, the ICO warns that this exception “should not be relied on lightly and never routinely as it is only for truly exceptional circumstances”. Transfers on the basis of the “legitimate interests” exception must not be repetitive and concern only a limited number of data subjects. The organisation’s interests in transferring the personal data must outweigh the rights and freedoms of affected data subjects. The ICO expects organisations to notify it and any affected data subjects of any transfers undertaken under this exception.

The Brexit elephant

It is perhaps ironic that the ICO is issuing guidance about ex-EEA personal data transfers at this time. The UK’s post-Brexit data protection relationship with the EU is essentially unknown. The ICO has already raised concerns about whether the European Commission will grant the UK an “adequacy decision” post-Brexit. In a speech on 23 August 2018, the UK Secretary of State for Exiting the European Union suggests that no progress at all has been made between the EU and UK in the area of data protection.

The ICO’s guidance on restricted transfers is timely, clear and helpful for global companies. However, global companies urgently need certainty about whether they will be able to continue transferring EU personal data to the UK after 29 March 2019. The Brexit-shaped elephant in the corner of the EU’s new data protection regime only continues to grow in size.