- On 12 September 2018
The UK’s supervisory authority for data protection, the Information Commissioner’s Office (“ICO”), has published guidance in relation to international transfers under the GDPR.
Of particular interest is the ICO’s stated position that a transfer of personal data to a non-EEA data importer does not constitute a restricted transfer in cases where the General Data Protection Regulation (“GDPR”) applies directly to the processing which will be undertaken by that data importer.
Under Chapter V of the GDPR, controllers and processors cannot transfer personal data outside of the EEA (to so-called ‘third countries’), unless adequate levels of data protection can be ensured. This was also the position under the law preceding the GDPR.
Unlike the previous law, the GDPR contains unambiguous extra-territorial provisions (in Article 3(2)) which extend the reach of the GDPR to organisations with no establishment in the EU, which are nevertheless processing personal data in the context of selling goods or services to, or monitoring, data subjects in the EU. These are in addition to the more circuitous extra-territorial application under Article 3(1), which did exist under the previous law and was explained in the Google Spain decision of the European Court of Justice, pursuant to which a company based outside of the EU can be subject to EU data protection law where its processing is in the context of its establishment (e.g. a subsidiary company) in the EU.
Importantly, the ICO’s latest guidance has confirmed that, in its interpretation, a transfer is only restricted if it is made “to a receiver to which the GDPR does not apply”. Normally, this will be because the receiver “is located in a country outside of the EEA”. However, this also implies that the reverse is true. In other words, a transfer to a receiver to which the GDPR does apply will not be a restricted transfer. So, if a non-EEA data importer receives personal data from the EEA, the processing of which will, for the data importer, be subject to the extra-territorial reach of the GDPR, a form of ‘protective bubble’ applies to that processing which means that it is not a restricted transfer, and the mechanisms in Chapter V which are necessary to ensure an adequate level of protection (e.g. the use of standard contractual clauses) do not need to be considered.
This position is, in one sense, highly rational. If the GDPR already applies directly and in full to the non-EEA data importer, why would additional mechanisms be required in order to ensure an adequate level of data protection?
- Analysis of extra-territorial reach of the GDPR – The ICO’s guidance underlines the importance of understanding precisely where and when the GDPR applies directly to processing undertaken by an organisation which is outside of the EEA. Unfortunately, the ICO’s guidance on that topic is not coming until later in the year, and it remains one of the trickiest aspects of the legislation to interpret and apply in practice.
- Current and new ex-EEA transfers – If companies are cognizant of their obligations under the GDPR, current transfers will already be covered by a Chapter V mechanism or derogation. However, new transfers now merit further examination to determine whether such a mechanism remains necessary in light of the ICO’s guidance. That said, we also expect UK-based organisations to be nervous about immediately forgoing a Chapter V mechanism with their non-EEA suppliers and partners (see the previous point about the difficulty of the scope of the GDPR’s direct application).
- Brexit planning – When the UK leaves the EU on 30 March 2019, the UK will be a third country for the purposes of EU law (including the GDPR). Absent a special arrangement for data transfers as part of the EU – UK agreement on Brexit, it was assumed to date that all EU – UK data transfers would prima facie require a Chapter V mechanism or derogation from 30 March next year (indeed, the EU Commission published a statement in January to this effect). This new ICO guidance creates a chink of light, however, as in many cases UK controllers and processors are likely to be caught by the direct application of the EU Regulation post-Brexit. However, clearly organisations in the EEA who will be exporting data to the UK post-Brexit will be more interested in the views of their own supervisory authorities (on which, see below regarding the EDPB) than those of the ICO.
Confusing matters further, the UK will apply the GDPR through its national law (the Data Protection Act 2018), creating in effect the same legal regime as exists currently, whereby the GDPR has direct effect as a piece of EU law. Whilst logic might dictate that, as a consequence of the protection of the GDPR as applied by the DPA 2018, no transfers from the EEA to the UK post-Brexit should require a Chapter V mechanism, that is certainly not a conclusion which can be reached at this point. In the medium term, an adequacy decision for the UK (which would remove the need for mechanisms such as the standard contractual clauses) might be the more likely destination.
Guidance from the European Data Protection Board (“EDPB”) on both international transfers and the scope and application of the GDPR is expected soon. We will be waiting eagerly to see whether the EDPB follows a similar line to that taken by the ICO in its latest guidance. It would be surprising if the ICO had consciously decided to go out on a limb with this position without an understanding that the EDPB had arrived at a similar conclusion. However, we will need to wait for the EDPB guidance to be certain.
The ICO guidance can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
James Clark and Natalie Webb, DLA Piper UK LLP