International Data Transfers

In June 2021, the EU published an adequacy decision meaning that they accept that the UK GDPR provides an equivalent level of protection for personal data transfers to that outlined within the EU GDPR. 

If you never transfer personal data into or out of the UK, then the provisions for international data transfers will not concern you. 

To be clear about which countries this decision applies to. This is all the member states of the EU along with Iceland, Liechtenstein, and Norway. Similar transfers on the basis of adequacy are being negotiated with other countries around the world, and the list is updated at the ICO website as new agreements are reached. 

At the time of writing the list includes, Canada, Switzerland, Japan, and New Zealand, but it is worth checking with the ICO or seeking advice from CSRB if you are in any doubt about the status of a specific country. 

If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international personal data transfers. 

Following the end of the transition period from the EU, the UK Government introduced the international Data Transfer Agreement (IDTA). Exporters can use the IDTA to comply with Article 46 of the UK GDPR. This article “allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always ‘on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” 

This effectively allows international trade to be carried out while remaining compliant with UK data protection regulations. 

The other important article of UK GDPR relating to international data transfers is Article 47 covering Binding Corporate Rules (BCRs). BCRs allow multinational organisations to transfer personal data internationally within the same corporate group to countries not subject to an adequacy decision.

You can make a restricted transfer of personal data within an international organisation if both you and the receiver have signed up to approved BCRs. UK BCRs are approved by the ICO and a list of the BCRs approved is published on the ICO website. It currently includes organisations like Mastercard, Rakuten, BT and Astra Zeneca, who all have significant parts of their business based outside the UK. 

One area that is high risk is personal data transfers within Cloud based online services, which are often not territorially limited. One of the main areas of risk is ‘Shadow IT’. Shadow IT refers to IT devices, software and services outside the ownership or control of IT organisations.

As a 500-page book on the legal implications of personal data transfers within the Cloud was published in late 2021 entitled ‘Cloud Computing Law’ by Christopher Millard it’s clear that the area of International Data Transfers is complex and always evolving. 

CSRB is a certified personal data protection consultancy offering expert advice on all areas of personal data protection and information governance. 

Please get in touch with us here or call 0117 325 0830 to learn more about how we can bring clarity to your information governance and privacy processes.