International Data Transfers
Transfer of personal data beyond Europe
Introduction
When personal data is processed within the European Economic Area (EEA), it is automatically covered by EU privacy rights and legislation, including the GDPR. The EEA covers all EU countries and the following non-EU countries: Iceland, Liechtenstein and Norway.
However, the same privacy protection is not automatically in place if an organisation intends to transfer/export personal data to a recipient/importer organisation in a country outside the EEA. Such a transfer is classed as an ‘international transfer of personal data to a third country’. In such a case, the organisation acting as data exporter needs to put in place special safeguards and measures so that the privacy protection ‘travels with the personal data’, no matter where in the world it is processed.
Recent developments
2020 saw major changes to the data protection rules governing international transfers of personal data, a direct result of the so-called Schrems II ruling, which invalidated ‘Privacy Shield’, a widely used transfer mechanism for personal data from the EU to the US. The reason for this invalidation was that it was deemed to offer insufficient protection for EU data.
Since then, the potential privacy risks caused by any international data transfer need to be rigorously assessed on a case-by-case basis in advance of the transfer, and those assessments documented. Where identified as necessary, appropriate additional protective measures/safeguards have to be implemented. If sufficient safeguards cannot be achieved, the transfer cannot go ahead.
Initial risk assessment
If data is transferred to a country that has an EU ‘Adequacy Decision’ and there are no further onward transfers of personal data, this transfer can be undertaken without any extra measures. In other words, the transfer is treated the same as if it were carried out within the EU.
A list of countries with an adequacy decision can be found here.
However, if the data is transferred from a country with an adequacy decision onward to another non-EEA country that does not itself benefit from an adequacy decision, then further assessments and appropriate safeguards are required.
GDPR mechanisms for transferring data outside Europe as per Chapter V
- Article 45 – Transfers on the basis of an adequacy decision (as mentioned above)
- Article 46 – Transfers subject to appropriate safeguards (including standard contractual clauses -SCCs, see below)
- Article 49 – Derogations for specific situations (see below)
Risks and risk mitigation
In order to assess the risks associated with international data transfers, the data exporting organisation, with input from the non-EEA based data importing organisation, needs to undertake a Transfer Impact Assessment (TIA).
Transfer Impact Assessment (TIA) Process
The required assessment consists of a six-step plan, which is set out in the European Data Protection Board (EDPB) Recommendations. The EDPB is a committee that comprises all EEA Supervisory Authorities. Its recommendations are expected to be taken on board by organisations.
The assessment consists of six steps:
Step 1: Know your transfers
Step 2: Identify the transfer tool, as per GDPR Chapter V, that you are relying on
Step 3: Assess whether the Article 46 GDPR transfer tool is effective in all circumstances of the transfer
Step 4: Adopt supplementary measures where needed
Step 5: Act on procedural steps you have identified as effective supplementary measures
Step 6: Re-evaluate at appropriate intervals
Standard Contractual Clauses (SCCs)
SCCs are for data transfers in the context of an ongoing exporter-importer relationship, where the importer is based in a non-EEA country that does not benefit from an adequacy decision. With the introduction of updated EU transfer Standard Contractual Clauses in June 2021, a completed TIA became a mandatory part of the overall legal agreement. Supervisory Authorities and other stakeholders can request to have sight of the TIA.
In that TIA the EEA based exporter, supported by the importer, has to assess whether SCCs on their own offer sufficient safeguards. Depending on the legislative situation in the importer country some privacy risks will be beyond the control and contractual arrangements between exporter and importer. In a number of countries, including the U.S., federal and security agencies have extensive legal powers to access and process EU personal data, to a degree deemed unacceptable by European standards. Therefore, a TIA requires a detailed examination of applicable laws in the third country, especially if there is a potential for overriding government and security agency powers like mass surveillance.
This risk of foreign government interference has to be reflected in the TIA, which might find either that a) no additional safeguards are needed; b) technical, organisational or contractual safeguards are needed; c) a combination of these is needed; or d) no matter what safeguards are applied, they will remain insufficient, and the importer will not be able to comply with the exporter’s instructions. In the latter case, the privacy risk is too great, and the transfer cannot go ahead or has to be stopped.
Transfers based on exceptions
GDPR Article 49 as a transfer tool is available only in very limited circumstances. To qualify, transfers must be exceptional/occasional. It cannot be used as a substitute for SCCs. A Data Exporter should first endeavour to frame transfers with one of the mechanisms guaranteeing adequate safeguards listed above. Any use of Article 49 (derogations) requires very detailed analysis of the situation at hand, as substantial restrictions apply to all Article 49 exceptions. For more detail on Article 49 see here.
TIA Decision Diagram
For more resources on international data transfers see: https://www.ucd.ie/gdpr/guidanceresources/