We've seen a lot of changes to the personal data transfer framework over the last few years: the striking down of the EU-US Privacy Shield in the CJEU Schrems II decision, the ensuing EDPB guidance on how to provide additional protection for personal data exports, new Standard Contractual Clauses in the EU and, thanks to Brexit, a new UK International Data Transfer Agreement, not to mention the EU-UK adequacy decision.  With a potential replacement to the Privacy Shield on the horizon and UK plans to reform data protection law about to crystallise, it's a good time to review available and incoming options for HR data transfers.

The issue

Under the GDPR, personal data cannot be exported to countries outside the EEA unless they provide a level of data protection equivalent to that in the EEA.  Countries deemed to provide adequate protection can benefit from an EU adequacy decision in which case data can flow freely from the EEA.  For destinations which do not benefit from an EU adequacy decision, transfers can only take place under an approved transfer mechanism or where a derogation applies.  A similar prohibition applies under the UK GDPR to data exports from the UK.

If you are a part of a multinational businesses transferring HR data to offices outside the EEA/UK from your EEA/UK business, or if you are an EEA/UK business which hosts your HR databases containing EU/UK data in a third country which does not benefit from an adequacy decision, you will need to use an authorised transfer mechanism.

The impact of Schrems II

Data transfers to third countries like the USA have become more problematic in the wake of the July 2020 CJEU Schrems II decision.  This struck down the EU-US Privacy Shield which had allowed for straightforward data transfers to the US.  It also set out further requirements for ensuring adequate protection of data being transferred to countries including the USA, where the data is at risk from a level of access by governmental agencies that is not considered to be proportionate, and where there is insufficient judicial redress available for EU citizens.  As the UK was part of the EU at the time of the decision, it also applies in the UK.

The CJEU said it is up to controllers to assess on a case by case basis, whether or not the data to be exported will receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect it if not.  Where these additional measures would still fail to ensure adequate protection, the transfer cannot take place.  In November 2020, the EDPB published recommendations on steps to assess and mitigate risks associated with third country transfers, setting out a six-stage process and possible supplementary technical and organisational protection measures.  The assessment process involves carrying out what is now known as a TIA (Transfer Impact Assessment).  This applies whatever the transfer mechanism being used.

Encryption is essential for HR data

There is some debate as to whether any supplementary measures can effectively protect personal data being transferred to the US and countries with similar regimes.  The French regulator, the CNIL, recently said that the transfer of Google Analytics data to the USA could only be made lawful in very limited circumstances – where the data is encrypted before it leaves the EEA, by an EU (or adequate country) data controller with exclusive access to the encryption keys, or where a proxy server is used.  Whether or not the data being transferred is likely to be accessed by third country government agencies is irrelevant.  By extension, this reasoning could also be applied to HR data. 

In fact, the EDPB gave two examples of situations in which there will be no appropriate technical safeguards: unencrypted processing (processing in the clear) by cloud service providers, and remote access and use of unencrypted data by a third country importer for business purposes including human resources processing. This will be the case even where both transport encryption and data-at-rest encryption are used if the importer holds the encryption keys.

Finding the best solution

A range of transfer mechanisms are available under the (UK) GDPR, but none of these are without drawbacks, particularly in the wake of Schrems II.

Standard Contractual Clauses

Using the EC's Standard Contractual Clauses (SCCs) is one of the key mechanisms to legitimise cross-border data transfers to third countries from the EEA. SCCs have proved popular over the years, particularly after the collapse of the US Safe Harbor regime, and the Privacy Shield.  As with all data transfer methods, however, they are not without limitations.

On the plus side, the EC approved new and improved SCCs on 27 June.  These reflect the GDPR and are modular, covering a wide range of processing journeys and relationships.  They also include a docking clause which allows new parties to join existing SCCs.  This means the SCCs are flexible in structure, but they are rigid in terms of prescribed content and requirements.  The new SCCs are an improvement on the old ones but businesses have little scope to amend their terms beyond what is needed to reflect the nature of the transfer taking place.

Group companies transferring HR data to a third country from both the EEA and the UK will need to satisfy UK as well as EEA requirements.  The UK has its own International Data Transfer Agreement which is similar to the SCCs, however, it is most likely that businesses will use the Addendum to the IDTA which is designed to incorporate the EU SCCs, thereby simplifying the process slightly.

While the new SCCs are often going to be the best data transfer mechanism for HR data, they have become more complex following the CJEU Schrems II decision, and now require a TIA, and potentially, supplementary measures (bearing in mind the EDPB's restrictions for HR data).

Binding Corporate Rules

Binding Corporate Rules are designed for intra-group transfers and can be individually tailored to suit the business (provided they are GDPR-compliant).  This suggests they are ideally suited for transfers of HR data.  After the collapse of the EU-US Privacy Shield, many expected BCRs to come into their own, however, they need to be approved by the exporter's lead regulator and this takes time – usually too much time for business purposes.  A further complication is that, following Brexit, some businesses might need two sets of BCRs to enable transfers both from the EEA and the UK.  That would involve two different approval processes which would run on different timelines.  That doesn't mean BCRs should be ruled out, but it does mean another mechanism like SCCs would be needed pending approval of BCRs, adding to time and expense.

The problem with consent

There are a number of derogations available to the general prohibition on data transfers.  The one most frequently looked at is where the data is transferred with the consent of the individual.  There are two issues with this in the context of HR data.  First, consent cannot be used to justify regular and ongoing transfers, and second, valid consent is very hard to obtain in an employment context due to the imbalance in power between the employer and the employee.  ICO guidance does give one example of when consent might be used – where an employee is asked to consent to their photo appearing in promotional material, provided there is no pressure to agree, and the individual is free to refuse without suffering detriment. In that sort of situation, consent could be used to justify the transfer of the data.

Other authorised mechanisms

The EDPB recently approved guidelines on certification as a tool for data transfers. However, this has not yet developed into a fully-fledged solution.

Take a step back – do you really need to transfer all this data?

Businesses transferring or considering transferring their HR data to third countries, particularly to the USA, should take a step back and ask whether and to what extent the transfer is necessary.  It's worth considering whether the data could be hosted locally.  If not, does the business really need all the data being exported or could smaller datasets be used?  If data does need to be exported, what additional protections could be used in line with the EDPB guidelines?  These might include anonymisation and encryption prior to transfer (provided the importer does not hold the encryption keys).

Take a step forward

Looking to the future, the EU and USA announced agreement in principle of a Trans-Atlantic Data Privacy Framework, the details of which are being negotiated.  This is intended to replace the Privacy Shield but indications are that it may be vulnerable to legal challenge if there is no legislative change behind the scheme.  It is possible that the new scheme may 'buy a few years' of easy EEA-US data transfers, but there is no guarantee it will prove lasting.  Businesses looking to use it will need to keep that in mind.

Another factor to consider when selecting an appropriate transfer mechanism for HR data, is that the UK is about to reform its data protection regime and has prioritised widening its own adequacy regime.  Although the UK government has recognised the need to preserve EU-UK adequacy in its response to the consultation on its proposals, there are indications it may proceed more quickly than the EU with recognising further third country regimes as providing adequate data protection.  Notably, the government intends to reform the power of the Secretary of State to make adequacy decisions, including to allow them to be made in favour of groups of countries or regions, and to create a new power to recognise alternative transfer mechanisms.

What does this mean?

HR data transfers to third countries, especially to the USA and other countries which allow similar levels of governmental access to personal data, will continue to take place against a shifting regulatory landscape for the foreseeable future.

It's not just a question of picking the most suitable authorised transfer mechanism for HR data, it is essential for businesses to assess what data really needs to be exported, to evaluate the risk associated with the importing country, and to take steps to mitigate risk to the rights and freedoms of individuals by carrying out a TIA and adopting appropriate supplementary measures if required.  Even then, there may be some risk of non-compliance attached to the transfer and businesses should recognise that it may not be possible to eliminate it entirely.  This makes it all the more important to do as much as possible to align legal requirements with business needs.