International Data Transfers Q&A
There’s no getting away from the fact that navigating the rules regarding the transfer of personal data to different countries around the world can be complicated.
Multiple different scenarios between controllers, processors and even entities within the same group of companies can throw up all kinds of questions. What’s the most appropriate transfer mechanism to use? Do we need to do a risk assessment? What should we do for Intra-Group transfers?
In this Q&A session we’ve selected some questions raised by the DPN audience which we believe will be useful for many organisations. We’re delighted to be able to draw on the expertise of Debbie Venn, Partner at DMH Stallard LLP to provide her answers.
Q: We are a controller based in the UK and we process the data of UK, EU and other citizens globally. We contract service providers based in the USA. What transfer mechanism should we use?
As the personal data being processed includes both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs), with the UK applicable Addendum (Module One – controller-processor). This is so it can be covered under one agreement, rather than having a UK International Data Transfer Agreement (IDTA) and the EU SCCs, for this purpose.
You’ll also need to consider (as part of your controller responsibilities) whether there are any specific laws which need to be complied with in the jurisdictions outside of the UK and EU, such as California. This is to make sure there are no other provisions that need to be added into a relevant controller to processor agreement.
A controller to processor data processing agreement can cover all data sharing activities, with the EU SCCs and UK Addendum appended, to ensure compliance with both EU and UK GDPR.
We’d recommend this especially when special category data is being transferred, so additional wrap-around measures can be included, in addition to the EU SCCs and UK addendum. Alternatively, if the personal data being shared is minimal, you could opt for just the EU SCCs and UK Addendum.
As processors are based in the USA, a Transfer Risk Assessment would also need to be carried out for the purposes of assessing any additional security measures to put in place. However, if the U.S. organisation is a signatory to the recently adopted EU-US Data Privacy Framework, this risk assessment would not be necessary.
Q: For Intra-Group Transfers should we consider basing this on EU SCCs or UK IDTA, or Binding Corporate Rules (BCRs)?
BCRs, while they are useful, are complicated. They’re difficult to manage and agree internally within a group. They also need approval from a relevant Supervisory Authority – a process which can be painfully long. The UK ICO has, I believe, only 9 companies that have adopted BCRs since UK GDPR became effective.
Many organisations are therefore opting to use EU SCCs or the UK IDTA (or EU SCCs with UK Addendum if both EU and UK personal data is being transferred). The agreement can set a detailed, granular framework for data sharing, reflecting the sharing practices, internal security compliance, and so on, in addition to the international data transfer elements. This is also useful when handling companies coming into the group and acceding the Intra-Group agreement.
Q: Do we need to perform a Transfer Risk Assessment for Intra-Group Transfers?
This depends to a degree on where group companies are located. But in principle, a TRA must be carried out to cover the proposed data flows / transfers in addition to entering into the relevant agreements / clauses.
Q: For Intra-Group Transfers should we follow the data flows, or the group company locations?
Follow the data. An Intra-Group Transfer Agreement should be set up to support the flows of the data, rather than prescribe how that data should flow.
Q: What is a Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA)?
A TRA/TIA is an assessment which should be conducted when relying on an appropriate safeguard for a data transfer, for example, EU SCCs, UK IDTA or BCRs. Risk assessments are not required where an adequacy decision is in place, or when relying on an exception (derogation).
The aim of the assessment is to make sure the level of protection offered under the UK/EU GDPR is maintained even when the data is transferred outside the UK/EEA and to identify and help mitigate any risks, where necessary. The level of protection for the importer of the data / country doesn’t need to be the same, but essentially equivalent or sufficiently similar.
UK Transfer Risk Assessment (TRA)
This is an assessment produced by the UK ICO. It’s a risk-based approach, considering the harm in terms of non-compliance. It represents a fairly pragmatic approach focused on the likelihood of risk in terms of the receiving country and who might have access to the data (e.g. law enforcement or national security agencies).
It assists an assessment of whether the protection of personal data in a third country is adequate and does this on the basis of whether standards in a third country are materially lower, rather than whether protection is equivalent (as for the EU assessment). Essentially, you need to consider:
- Who is the data importer?
- Status of the data importer (i.e. controller/processor/sub-processor)
- Activities of the data importer
- Details of the personal data being transferred, including the individuals it relates to and the nature of the information. Does it include special category data, what kinds of volumes and how frequent?
- Protection mechanisms in place, including format and transfer process
- Assign a risk level to the proposed data being transferred: low, moderate or high and adjust the data, if this is possible and can help to reduce the risk.
- Are the human rights of individuals in the destination country of a lower standard than in UK/EEA? Is it more likely that human rights breaches will occur, or would they be more severe if they did? Extra protections might be needed based on this risk.
- What enforcement mechanisms are in place?
- Do any exceptions apply? For example, in an emergency situation.
For more detail see the ICO Transfer Risk Assessment Guidance and TRA Tool.
EU Transfer Impact Assessment (TIA)
The approach adopted in the EU is referred to as “supplementary measures”. This is more detailed and includes the European Data Protection Board (EDPB) recommendations on measures to supplement transfer mechanisms. If you’re a global business, the more pragmatic UK ICO approach may not be sufficient to meet the TIA requirements covering EU personal data.
For more information see the EDPB supplementary measures recommendations.
Q: Who should complete the TRA/TIA in a supplier relationship – the controller or the processor?
Generally the controller should be assessing whether their personal data can be transferred to a processor. This is also usually governed by a data processing agreement between the two parties.
However, it may depend on which party is initiating the restricted transfer, i.e. who is the exporter? This could be a processor or controller in the UK/EU transferring the data overseas. If a processor is exporting the data, they would be responsible for undertaking the TRA/TIA and putting the relevant SCCs/IDTA in place with any sub-processors involved.
Controllers, however, have a responsibility to make sure they are using processors who take sufficient steps to protect personal data. It’s not 100% clear how far the controller’s obligations would go to verify the processor’s compliance with UK/EU GDPR when making a restricted transfer.
Q: What level of assurance should we expect from other controllers (data importers) for any onward transfers to processors? Should we ask to review their TRA/TIAs?
Reviewing TRA/TIAs would help understand the assessments made. However, this is all about assessment of the risks. The controller will need to weigh up the risks, broadly considering a number of factors, such as:
- Controller’s risk profile
- Risk profile of the data
- Data subjects in scope
- Nature of the processing
- Third countries involved and risk under local laws
- Scope of the processor’s processing activities and their assessments
- Reputation of the processor
- Sub-processors used
- Nature of assurances provided – has the processor given enough reassurance around the assessments they have made when making a restricted transfer?
- Contractual provisions between the parties
Thanks Debbie! As these questions and Debbie’s responses demonstrate, the world of international data transfer rules can be tricky to unravel – especially for the uninitiated.
For many businesses, it often comes down to taking a proportionate approach based on the size of your organisation and the sensitivity, volume and frequency of the personal data you are transferring overseas.
What’s crucial is knowing where your data flows and to whom. Only then can you make a judgement call on the potential risks, and ensure appropriate transfer measures are in place for higher-risk activities.