Preparing for GDPR - What's the Deal on International Data Transfers?
I'm sure you've heard about it by now, but if not - the upcoming EU General Data Protection Regulation puts in place stringent new standards for ensuring adequate safeguards for most international transfers of personal data.
Basically, apart from the situations explained later in this article, you can only transfer personal data to other countries if it is legally protected - mainly through "model contractual clauses" issued by the EU Commission or "binding corporate rules" with specific information requirements, which lock into place adequate data protection standards when that data is processed in other countries.
Now, as alluded to earlier, these extra safeguards don't apply if you're transferring data to EEA countries (all the EU member states + Norway, Iceland and Liechtenstein). Nor do they apply to a specific list of other countries which the EU Commission has deemed to already have "adequate" data protection laws and regulatory structures in place. These countries are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Moreover, we have to be careful to properly define the term "transfer". A "transfer" is not the same as a "transit"; it is the actual processing in the third country that completes the "transfer". Therefore, the fact that personal data may be routed through a third country on the way from an EEA country does not bring it within the scope of the extra restrictions of the GDPR unless some actual processing operation is conducted on the personal data in the third country.
And, don't forget, the Regulation also provides 7 scenarios where you're allowed to derogate from the extra legal safeguards:
- where the transfer is made with the individual’s informed consent;
- where the transfer is necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
- where the transfer is necessary for the performance of a contract made in the interests of the individual between the controller and another person;
- where it's necessary for important reasons of public interest; (This case is most likely to apply in situations where the transfer is necessary for reasons of crime prevention and detection, national security and tax collection.)
- where it's necessary for the establishment, exercise or defence of legal claims;
- where it's necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; (In practice, this relates to matters of life and death, such as the transfer of medical records of an individual who has been involved in a serious accident abroad.)
- where it's made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
I hope that cleared up some questions with regard to the new rules regulating international data transfers in the GDPR. Stay tuned, as I will probably soon go into more depth explaining what exactly constitutes valid "Binding Corporate Rules" as they grow more and more in popularity.