What is a ‘data transfer’?
A ‘data transfer’ occurs when you send personal data outside of the Bailiwick, for example by using online products or services such as Mailchimp (US-based) to send your subscribers a newsletter, communicating with your customers via your organisation’s Facebook (US-based) page, or using Amazon Web Services (US-based) to host your business systems. A transfer does not have to be a deliberate ‘send’: personal data that is stored on, or can be accessed from, systems outside the Bailiwick has been transferred.
Does this include ‘data sharing’?
‘Data transfers’ and ‘data sharing’ are different things. A ‘transfer’ is about the geographical location of data and how it moves between jurisdictions, whereas ‘sharing’ normally relates to an organisation giving a third party access to data or otherwise providing data to them. The two often happen together: giving a US-based supplier access to your customer database is both sharing and a transfer.
What’s the problem with transferring data internationally?
In order to answer this you first need to be aware of the following distinction between two groups of jurisdictions:
The problem with transferring data outside the Bailiwick, the EEA and adequate jurisdictions
- The Bailiwick’s data protection law reflects the high standards that are in place across all EU and EEA Member States, so transferring data to those countries means that equivalent legal protections will be in place (although it is still important to assess wider security and risk). There are also several jurisdictions outside the EEA which offer equivalently strong protection for people’s rights over their data, and to which you can freely transfer data with no additional legal steps. These jurisdictions, like the Bailiwick itself, hold a European Commission ‘adequacy’ decision. An ‘adequacy’ decision from the European Commission (EC) is a finding that a jurisdiction outside the EEA (a ‘third country’ in GDPR terminology) has a rigorous data protection regime broadly equivalent to that in the EU, and it acts as a green light for transfers of personal data from the EEA to that jurisdiction. The Bailiwick’s law treats the EEA and the EC-adequate jurisdictions in the same way, so transfers from the Bailiwick to any of them need no further legal mechanism.
- There are several large jurisdictions (e.g. the United States and China) that do not provide legal protection for personal data in the same way as the EU, the Bailiwick and the adequate jurisdictions do. So if you send data about people to those places you need first to consider the risks you are taking with those people’s data and, if you choose to proceed, to take additional legal steps to protect people’s rights and to mitigate the risks.
The distinction is that EU/EEA Member States and the jurisdictions the EC deems adequate differ from the rest of the world in how much protection they give people over their data; in short, the EU’s GDPR is considered the gold standard. To bridge this gap for the US, a framework known as ‘Privacy Shield’ was put in place in 2016 to enable the legal free flow of data between the EU and the US. However, in July 2020 the Court of Justice of the European Union ruled that Privacy Shield was invalid (search ‘Schrems II’ for details), chiefly because US government surveillance powers were not matched by enforceable rights and redress for people in the EU, and so it could no longer be relied on to legally transfer data. This left a vacuum for anyone who wished to transfer data to the US.
The main tool left for filling that vacuum is the set of contracts the European Commission calls ‘Standard Contractual Clauses’ (SCCs), which the court left standing and which the EC re-issued in updated form in June 2021. Used properly, SCCs enable transfers to continue. It is important to note that SCCs on their own do not necessarily mitigate the risks to people that may arise when their data is transferred to another jurisdiction: a contract cannot bind a foreign government, so the court also requires you to assess the law of the destination country and, where needed, to add supplementary measures (for example, strong encryption of the data with the keys kept within the Bailiwick or the EEA, so that the overseas provider cannot read it). SCCs should therefore not be used in isolation.
So the issue remains: some jurisdictions are riskier for people’s data (because of concerns over, for example, their government surveillance powers), and so you, as someone who uses people’s data, need to know what to do when you are considering a data transfer.
What you can do
It is important to know that the legal issues around international data transfers are fiendishly complicated. Even well-established legal experts are debating the way forward, so do not feel disempowered if you are unsure of how to proceed: everyone is unsure. We are working on providing clear, relevant, actionable guidance for local organisations who know that they are transferring data and want to do it safely and legally.
In the meantime here are three steps you can take to get a handle on what you might need to do next:
- The most important thing to do is to make sure you know where in the world the personal data you are responsible for actually is. Many businesses and organisations use ‘cloud’ based services without looking into which countries the cloud servers are in. This information should be available to you if you speak to your service providers, and you can often choose to locate your data on servers in specific countries or areas (such as within the EEA). When you ask, cover the whole chain: where the data is stored, where backups and copies are held, which sub-processors your provider uses, and from which countries the provider’s staff can access your data, because remote access from a third country is a transfer even if the servers themselves are in the EEA.
- The next step is to consider the people whose data you collect and use via services based in riskier places: do they know that their data is being transferred? Do they understand the risks involved? How are their rights protected? What legal redress would those people have if their data were compromised in a different country? Risk assess any work you do that requires you to transfer data internationally: is there an alternative service provider in the Bailiwick, the EEA or an adequate jurisdiction? If there is no alternative, could you minimise the data you are processing, or anonymise it (anonymised data is no longer personal data, so the transfer rules do not apply to it), so that people are not put at risk? Bear in mind that pseudonymised data is still personal data and is still subject to the transfer rules.
- Read our technical update on international data transfers for more information and come back later in 2021 when we will have a self-assessment tool you can use to help you assess the risks that may arise and how to mitigate them.
We know that you may have questions about your specific circumstances. We would encourage you to discuss this issue with your IT provider/support, or you can Contact Us for further information.