GDPR – Transfer of Data

The EU’s General Data Protection Regulation (GDPR) imposes restrictions on the transfer of data to countries outside the EU, Norway, Liechtenstein and Iceland or “to an international organisation”.

Chapter V of the GDPR deals with the transfer of data and there are several areas where multi-national corporations could easily find themselves in breach of the regulations.

While Article 44 deals with the general principle of transfer, Article 45 (Transfers on the basis of an adequacy decision) offers the clearest information on which countries are considered ‘safe’ for the transfer of EU citizens’ personal data.

The European Commission maintains a list of countries that are considered to provide ‘adequate’ levels of data protection based on a number of criteria. Under the GDPR, transfers of personal data to these countries “shall not require any specific authorisation.”

At the time of writing, the ‘adequate’ countries so far recognised by the European Commission are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (subject to the Privacy Shield framework). 

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.

Adequacy talks are ongoing with Japan and South Korea.

If you want to go beyond these jurisdictions, you’ll need to get your teeth into Articles 46 through 48 – and likely get the legal department involved.

Article 49 (Derogations for specific situations) details some circumstances where transfers can be made outside of the provisions of Articles 45 and 46. Again, one to run past the legal department.

What About the UK Post-Brexit?

The UK government is keen to maintain the free flow of data with the European Union post-Brexit, but there is some uncertainty as to how this would be achieved.

The most likely scenario is that the UK would seek an ‘adequacy’ ruling from the European Commission so that transfers would be permitted under Article 45.

However, it remains to be seen whether the legislative process that would be required to grant the UK ‘adequacy’ status could be completed within the Brexit timetable.

Some large corporates may want to consider holding data in EU countries other than the UK in case the UK finds itself (even if for a short period) in a position where holding or processing EU citizens’ data there would be a breach of the GDPR.


Sources:

General Data Protection Regulation

European Commission Adequacy Decisions

House of Commons Briefing – Brexit and Data Protection 

GDPR Portal