One of the thorniest (UK) GDPR issues has been transferring personal data outside the EU/UK. Where have we ended up and what difference has Brexit made?
Can we send personal data to other countries?
You can only transfer personal data outside the EU/UK to a so-called 'third country' which provides an adequate level of protection equivalent to that in the EU/UK. The rules around data transfers apply whether you are a controller or processor and whether you are transferring personal data to a controller or processor, even if they are in the same group of companies as you. It's worth stressing that you should first consider whether or not you really need to transfer the data and make efforts to minimise and/or anonymise what is being transferred. Note also that the EU rules largely apply to EEA countries as well.
See EDPB guidelines on international transfers and ICO guidance on international transfers for more.
How do we know whether a third country provides an equivalent level of protection? Adequacy decisions
If the third country benefits from an EU adequacy decision, it is automatically considered to provide the right level of protection and you will not need to take any additional steps to transfer the personal data from the EU (although you will still have to comply with the GDPR in your treatment of the data). A similar system exists for the UK. The list of countries with an adequacy decision changes from time to time and, it's possible that the EU and UK lists will differ in future, so this should always be checked. The EU and UK have mutual adequacy decisions so personal data can flow freely between them.
What if there's no adequacy decision? Appropriate safeguards pt1 - transfer mechanisms
If there is no adequacy decision with the importing country, you will need to put appropriate safeguards in place before transferring the personal data (unless an exception applies – see below). As part of this you will need to use an approved transfer mechanism as set out in Article 46 of the (UK) GDPR. There are currently two types of transfer mechanism available to private organisations:
Standard Contractual Clauses (EU)/Standard data protection clauses (UK)
The most commonly used transfer mechanisms are the European Commission Standard Contractual Clauses (SCCs) for transfers from the EU, and standard data protection clauses for transfers from the UK.
The SCCs are a set of model clauses which cover data transfers from controllers or processors in the EU to controllers or processors outside the EU. There are four modules to represent different controller/processor relationships but, whichever module is chosen, it cannot be altered if it is to have full effect. The SCCs also contain a 'docking' clause which allows third parties to join existing SCCs without having to enter into separate agreements.
Following Brexit, the UK has its own sets of standard data protection clauses which fulfil a similar function to the SCCs:
- The International Data Transfer Agreement (IDTA) and
- The International Data Transfer Addendum which is an addendum to the SCCs and allows organisations to rely on them for transfers to third countries from the UK as well as from the EU. Many UK organisations choose to use the Addendum.
(UK) Binding Corporate Rules
Binding Corporate Rules are designed for intra-group transfers and can be individually tailored to suit the business (provided they are GDPR-compliant). This suggests they are ideally suited for intra-group transfers of HR data, for example. However, BCRs need to be approved by the exporter's lead EU regulator and/or the ICO as the case may be and this takes time – usually too much time for business purposes. Organisations which already have EU-approved BCRs can use the UK BCR Addendum to effectively incorporate and extend the scope of the EU BCRs to include transfers from the UK. This means that if you are exporting directly from both the EU and the UK, it may be easier first to apply for the EU BCRs and then for the UK ones.
What else do we need to do before making transfers? Appropriate safeguards pt2 - risk assessments and supplementary measures
In addition to any requirements to carry out a Data Protection Impact Assessment before beginning a new processing operation, there are particular steps you will need to carry out if you are using a transfer mechanism. These obligations come from European Court of Justice case law (the 'Schrems II' decision).
Step 1 – carry out a Transfer Risk Assessment (UK)/Transfer Impact Assessment (EU)
The UK Transfer Risk Assessment (TRA) and the EU Transfer Impact Assessment (TIA) are essentially case-by-case assessments of whether or not data being exported will receive an equivalent level of protection to that in the EU. The approach of the European Data Protection Board to making that assessment is similar to but slightly different from the ICO's; however, the ICO is happy for organisations to use either approach or to rely on published UK government analysis. For EU purposes, the approach taken by the EDPB must be used. This requires an assessment of the laws and practices in the EU compared to the laws and practices of the importing countries to assess risk. It involves looking at the safeguards in place around third party access to information, particularly by governments. The safeguards do not need to be identical to those in the EU but must be sufficiently similar.
Step 2 – put in place supplementary measures where required
Where the outcome of the TRA/TIA suggests any imported data will not receive an equivalent level of protection to that in the UK/EU despite the transfer mechanism being used, the data cannot be exported unless supplementary measures can be put in place which will bring protections up to UK/EU-equivalent standards. The European Data Protection Board's guidance is the most authoritative source on this subject in both the EU and the UK as the ICO has not produced detailed guidance on this topic. The EDPB guidance includes a roadmap of steps needed to assess risk (covering the TIA itself) and how to select appropriate supplementary measures, as well as a non-exhaustive list of what those measures might entail including anonymisation or encryption (provided the importer does not hold the encryption keys).
The EDPB also gives two examples of situations in which there will be no appropriate technical safeguards available should the third country not provide an equivalent level of protection. These are unencrypted processing (processing in the clear) by cloud service providers, and remote access and use of unencrypted data by a third country importer for business purposes including human resources processing. This will be the case even where both transport encryption and data-at-rest encryption are used.
Remember: if there are no supplementary measures to address the risks as required, the transfer cannot take place.
Are there any exceptions?
There are a few derogations to the general prohibition on data transfers where there is no adequacy agreement or transfer mechanism in place, but they are extremely limited in scope and should be used with caution. The one most frequently looked at is where the data is transferred with the consent of the individual. Valid consent to GDPR standards can be hard to obtain in these circumstances and cannot be used to justify regular and ongoing transfers. In addition, in an employment context consent is unlikely to be freely given due to the imbalance in power between the employer and the employee. Note that the EU and UK may not always have the same or exactly the same rules around exceptions.
What about transfers to the USA?
The issue of transfers to the USA has been particularly fraught but has, for now at least, reached a positive place. Both the EU and the UK have adopted adequacy decisions in relation to frictionless data transfers to the US where importing organisations are signed up to the EU-US Data Privacy Framework (and UK Extension where relevant). The UK government's Data Protection (Adequacy) (United States of America) Regulations 2023 came into force on 12 October 2023. Similar to the EU adequacy decision, they establish the UK-US Data Bridge (the government's preferred term for adequacy) which allows transfers of personal data to be made to US organisations signed up to the DPF and participating in the UK Extension to it, without the need for additional transfer mechanisms like SCCs or BCRs.
Not all US organisations are entitled to sign up to the DPF and UK Extension. The scheme is regulated by the Federal Trade Commission and Department of Transport. Organisations regulated by other departments and outside FTC jurisdiction, for example those in banking, insurance and telecoms, are ineligible. In addition, journalistic data cannot be transferred under the UK-US Data Bridge and there are some additional requirements around identifying special data.
There is no need to conduct a TRA/TIA or put in place Schrems II supplementary measures when transferring data under the DPF/Data Bridge. Crucially, both the EU and UK have also determined that, while a TIA/TRA will still be required when using another transfer mechanism, the process is relatively formulaic as the EU and UK governments have essentially already conducted the required assessment. The UK ICO's guidance on international transfers includes information about how to streamline the TRA process in this situation. Additionally, when using SCCs and BCRs for US transfers, there will be no need for supplementary measures.
See EDPB note on the DPF, UK explainer of the Data Bridge, factsheet and ICO opinion. Access the Data Privacy Framework site.
Transfers at a glance
| Mechanism | Pros | Cons | TIA/TRA | Supplementary measures? |
|---|---|---|---|---|
| Adequacy | Frictionless transfers without the need for additional measures | Can be withdrawn or changed | No | No |
| SCCs/IDTA | Easy to enter into; cover a variety of relationships | Cannot be tailored to individual situations; UK businesses may need both UK and EU sets but can use Addendum | Yes | Maybe (but not for US) |
| BCRs | Tailored to organisation's needs | Only suitable for intra-group transfers; lengthy approval process; UK businesses may need both UK and EU BCRs but can use Addendum | Yes | Maybe (but not for US) |
| US Privacy Shield | Frictionless transfers to any self-certified importing organisation | Not all businesses are eligible; not all types of personal data are covered; can be withdrawn or changed and may face legal challenge | Yes but streamlined | No |