Transferring people’s data outside the Bailiwick

What is a ‘data transfer’? 
A ‘data transfer’ occurs when you send people’s data outside of the Bailiwick, for example by using online products or services such as Mailchimp (US-based) to send your subscribers a newsletter, or communicating with your customers via your organisation’s Facebook page, or employing a company in another jurisdiction to provide customer services.

Does this include ‘data sharing’? 
‘Data transfers’ and ‘data sharing’ are different things. ‘Transfers’ are related to geographical location of data and how it moves around. Whereas ‘sharing’ normally relates to an organisation giving a third party access to data or otherwise providing data to them.  

What’s the problem with transferring data internationally? 
In order to answer this you first need to be aware of the following distinction between the two groups of jurisdictions in question:  

1. The Bailiwick’s data protection law reflects the high standards that are in place across all EU and EEA Member States and transferring data to those countries means that equivalent legal protections will be in place (although it is still important to assess wider security/risk). There are also several jurisdictions outside the Bailiwick that offer equivalent strong protection to people’s rights over their data, which you can freely transfer data to/from with no additional legal issues arising. This is thanks to these jurisdictions, as we do in the Bailiwick, having a European Commission ‘adequacy’ decision. An ‘adequacy’ decision from the European Commission (EC) is a green light for all transfers of data between any adequate jurisdiction and the European Economic Area (EEA) as well as to/from the other adequate jurisdictions outside the EEA, known as ‘third countries’. So any jurisdictions that the EC have deemed ‘adequate’ are considered to have a rigorous data protection regime in place that is broadly equivalent to that in the EU. 
    
2. There are several large jurisdictions (e.g. the United States and China) that do not provide the legal protections for personal data in the same way as the EU/Bailiwick/third countries do. So if you send data about people to those places you need to first consider the risks you are taking with those people’s data and if you choose to proceed you need to take additional legal steps to protect people’s rights and to mitigate risks. 

The problem with transferring data outside Bailiwick/EEA/adequate third countries
The difference highlighted above is that EU/EEA Member States and the jurisdictions the EC deem adequate differ from the rest of the world in terms of how much protection they give citizens over their data. In short, the EU’s GDPR is considered the gold standard. To get around this disparity, at least in the US, a data transfer agreement known as ‘Privacy Shield’ was put in place in 2016 to enable the legal free-flow of data between the EU to the US. However, in 2020 the European Court of Justice ruled that Privacy Shield was invalid (search ‘Schrems II’ for details) and therefore could no longer be relied on to legally transfer data. This left a vacuum for anyone who wished to legally transfer data with the US. 

Now what? 
To fill this vacuum, the European Commission published, in June 2021, new legal agreements called ‘Standard Contractual Clauses’ (SCCs) which, if used properly, enable transfers to continue. It is important to note that SCCs on their own do not necessarily mitigate the risks to people that may arise when their data is transferred to other jurisdictions, so they should not be used in isolation. 

So the issue remains: some jurisdictions remain riskier (because of concerns over, for example, their government surveillance powers) for people’s data and so you as someone who uses people’s data need to know what to do when you are considering a data transfer. 

What you can do
It is important to know that the legal issues around international data transfers are fiendishly complicated. Even well-established legal experts are debating the way forward, so do not feel disempowered if you are unsure of how to proceed: everyone is unsure. 

In June 2022 we published the following updates which should assist you: 
 

• The first update, ‘Guidance on International Data Transfers’ is a step-by-step guide to the things you need to think about before you transfer people’s data outside the Bailiwick.
• The second update is ‘Guidance and a self-assessment tool for Transfer Impact Assessments’ which contains a series of questions to help you make a self-assessment of the risk posed by a transfer of someone’s data outside of the Bailiwick of Guernsey.
• Finally, the third update is ‘The Bailiwick of Guernsey Addendum for the EU Commission’s Standard Contractual Clauses (SCCs)’ which is a legal document you can make restricted amendments to in order to protect people’s data by using it in conjunction with the EU Commission’s Standard Contractual Clauses.

Questions?
We know that you may have questions about your specific circumstances, we would encourage you to discuss this issue with your data protection officer or legal advisor in the first instance, or you can Contact Us for further information.