International Data Transfers under UK GDPR – What Businesses Need to Know

International data transfers are an inescapable part of the globalised world we live in. In their simplest form, they occur when personal data goes from one company to another based in a different country. Simple in theory, but more nuanced in practice. 

The General Data Protection Regulation (GDPR), and by extension the UK GDPR, was brought in as a measure for protecting the personal data of individuals and for enabling the free movement of that data. As such, Chapter V of the regulation specifically addresses how to make lawful transfers to third countries or international organisations.

Unfortunately, that does not make it accessible. So, here is a simplified guide to the legalities of international data transfers, including how to recognise a transfer and select the appropriate method.


What is an international data transfer? 

An international data transfer does not have a legal definition. Instead, you must identify a transfer by assessing the flow of data against a set of criteria.

Is there an exporter who is subject to the UK GDPR?

An exporter here means a controller or a processor who sends the information. The UK GDPR applies to any business that operates in the UK or supplies goods/services to people in the UK.

Does that exporter make personal data available to an importer? 

An importer here also means a controller or a processor who receives the data.

Is the importer in a third country, irrespective of whether the UK GDPR applies to them, or are they an international organisation? 

Essentially, that importer must be based in a different country. It does not matter if the UK GDPR already applies to them.

So, for a transfer to be classified as an international data transfer, it must involve personal data, have an exporter, and have an importer based in another country.


How do you conduct an international transfer?

Once you have established that a flow of data is an international data transfer, you must identify the most appropriate instrument for that transfer to take place: 

What is adequacy?

Adequacy is a term you have likely heard before, and will hear much more in the next few months as the EU assesses the UK's adequacy status. An adequacy decision is a decision made by the Department for Science, Innovation and Technology (DSIT) that a country's data protection regime is not materially lower than the UK's. A full list of countries that have adequacy can be found here.

If the importer is based in an adequate country, the transfer may proceed. If not, you’ll need to consider the next most appropriate safeguard.

What are appropriate safeguards? 

An appropriate safeguard is an instrument that enables an international transfer that would otherwise be restricted because the destination is not an adequate country.

Before you can rely on an appropriate safeguard to transfer data, you must do a transfer risk assessment. A transfer risk assessment is similar to a data protection impact assessment in that your aim is to understand and reduce the risks before transferring the data. Conducting this step is essential for ensuring compliant GDPR transfers. Detailed guidance on conducting a transfer risk assessment can be found here.

The main instruments listed under Article 46 of the UK GDPR are:

STANDARD DATA PROTECTION CLAUSES (IDTAs AND SCCs)

If there is a contract between the importer and the exporter and it uses standard data protection clauses recognised by UK data protection law, then that transfer may go ahead.

The UK has two sets of recognised standard data protection clauses. The first is the International Data Transfer Agreement (IDTA) and the second is the International Data Transfer Addendum (Addendum). The former is a standalone agreement produced by the ICO, while the latter is an addendum to the EU Standard Contractual Clauses (SCCs) that allows companies in the UK to use the EU SCCs for transfers under UK GDPR. Both documents, along with detailed implementation guidance, can be found here.

BINDING CORPORATE RULES (BCRs)

BCRs are intended for multinational corporate groups, franchises or other such joint ventures or professional partners.

CODE OF CONDUCT

If the importer has signed up to a code of conduct approved by the ICO which includes appropriate safeguards, then that transfer may go ahead. 

CERTIFICATION

If the importer has achieved ICO-approved certification, including appropriate safeguards for data transfers, then that transfer may go ahead.

CONTRACT CLAUSES AUTHORISED BY THE ICO

These are bespoke contract clauses governing a specific international transfer, and they require the ICO to authorise them individually.

There are additional options for public authorities or bodies. However, for most businesses one of the above will be the most appropriate instrument if a country does not have adequacy.

What is a derogation?

Derogations are exceptions that allow the transfer of data when the destination country is not adequate and none of the appropriate safeguards above is available. They can only be relied on once you have exhausted your other options.

The full list of derogations can be found under Article 49 of the UK GDPR. 


Ensuring Safe and Legal Data Transfers

International data transfers are a critical part of modern business, but they come with legal responsibilities. The important takeaway here is that you need to be able to understand what an international data transfer is and how to safely and legally transfer that personal data when it does occur.

Condensing the above into the simplest form possible:

  1. There must always be an importer and an exporter.
  2. There must be an instrument that allows for the transfer of data.
  3. When working through the instruments, there is a hierarchy:

Adequacy > Appropriate Safeguard > Derogation

Ultimately, not every international data transfer is the same. There can be varying levels of complexity to the arrangements at every step. However, by knowing the above you will be able to identify at a glance when one can and when one cannot occur.

If you need any assistance with international data transfers, or guidance on using SCCs, get in touch with our team of experts in data protection laws and cross-border data transfers here.

We are also hosting a webinar on “Data Sharing in the Public Sector”, where we will demystify the data sharing process and provide practical frameworks for lawful, secure, and effective data collaboration. Register here.
