Blog

Restricted Transfer or No Restricted Transfer – That is the Question Here

By Carolin Brucker Cabe, an Associate at XPAN Law Group, LLC.

ICO’s latest publication gives rise to speculations regarding international transfers under the GDPR and how they might be handled in the future. This comes at a time when the countdown to Brexit draws closer to completion, but is still “up in the air”.

The Information Commissioner’s Office, better known as ICO, UK’s supervisory authority for data protection, has published guidance regarding international data transfers under the European Union’s General Data Protection Regulation (“GDPR”). These guidelines are particularly of interest with a view to the UK, since Brexit planning is in full swing and the UK is supposed to leave the EU on March 30, 2019. By doing so, the UK will become a “third country” for the purposes of EU law, and hence, the GDPR.

But before we shine some light on the Brexit particulars as they relate to data protection, let’s step back and look at the published guidance in general to ask ourselves, “Do we really understand and have we internalized when the GDPR applies if we deal with a third country and are faced with a restricted transfer”?

Restricted Transfers

Chapter V of the GDPR (Articles 44-50) deals with “Transfers of personal data to third countries or international organisations”. Controllers and processors cannot transfer personal data outside of the European Economic Area, short EEA, unless adequate levels of data protection can be ensured. Methods to ensure these adequate levels of data protection include the use of Standard Contractual Clauses (SCC), which are pre-approved model contracts for data transfers, Binding Corporate Rules (BCR), which are internal corporate rules, typically for use within multinational companies (or how the GDPR likes to call it a “group of undertakings”, see Article 4(19) GDPR, Recital 37, 48, 101 accordingly), or countries for which an adequacy decision by the European Commission exists (the latest in the works is an adequacy decision for Japan). The EU-US Privacy Shield, which is a framework for transatlantic exchanges between EEA countries and the United States, does not fit nicely within the text of the GDPR, but as of now, is still a valid mechanism to transfer data. For the sake of simplicity, we will include it here but with many caveats.

According to ICO’s publication “the GDPR applies if you are processing personal data in the EEA, and may apply in specific circumstances if you are outside the EEA and processing personal data about individuals in the EEA”. The ICO’s further states that a transfer is only restricted if it is made “to a receiver to which the GDPR does not apply”. This is usually the case when the receiver “is located in a country outside of the EEA”.

So far so good. But what does this interpretation mean in the situation where a transfer occurs to a receiver to which the GDPR does in fact apply? By implication, one could argue that, under the ICO’s interpretation, no restricted transfer exists because the GDPR already applies to the data importer, even if not located within the EEA.

For the purpose of better understanding this potential interpretation of the ICO’s guidance in light of the above, imagine the following situation: A non-EEA data importer receives personal data from an EEA exporter. The processing will be subject to the GDPR due to Article 3(2), which defines the extraterritorial reach of the GDPR. As such, the non-EEA data importer must comply with the GDPR (and all of its requirements). And, since the GDPR applies to the non-EEA data importer, the restricted transfer provisions and the mechanisms of Chapter V do not need to be considered: the GDPR applies so there is no restricted transfer. This, at least, would be the logical inference to be drawn after the ICO’s latest position with regards to international transfers.

In practice, this has not been the fall out, as many companies are requiring a mechanism permitted under Chapter V before transferring data to a non-EEA data importer. What remains unanswered in this inference is how the EU will obtain jurisdiction over the non-EEA data importer (see the latest legislation for a UK Data Protection Act 2018 here, basically applying the GDPR through national law), even if the GDPR technically applies since the transfer is coming from an EEA-data exporter. In an abundance of caution, many entities are executing contractual agreements, such as the SCCs, to ensure that they do not fall afoul of the GDPR.

Unfortunately, an ICO’s analysis of Article 3(2) GDPR does not exist yet. And, while the interpretation outlined above may seem more extreme, we will have to wait and see whether our inference drawn here will become a more certain reality in the future.

With a view to Brexit

As initially mentioned, the UK is supposed to leave the EU on March 30, 2019 and by doing so will become a third country for the purpose of the GDPR. Nothing is set in stone yet as to how data transfers between the EU and UK will work post-Brexit. It has been assumed that all EU-UK data transfers would prima facie require a Chapter V mechanism or derogation from March 30 on next year (see the EU Commission statement of January this year).

But the new ICO guidance gives rise to speculation whether – in many cases – UK controllers and processors are likely to be subject to the direct application of the GDPR post-Brexit, according to the inference drawn above. However, this remains to be seen. It is possible that an adequacy decision for the UK would be more likely. However, adequacy decisions are subject to a robust process of analysis that has previously taken up to 28 months to finalize. Only Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay have been approved to date, with Japan currently in the process of securing approval. In light of the time pressure and the looming Brexit date approaching rapidly, we might see a welcome surprise and will eagerly await what the European Data Protection Board (EDPB) as well as the ICO will have to say on both international transfers and the scope and application of the GDPR, especially Article 3(2).

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.