Data Transfer Outside the UK and GDPR
DATA PROTECTION AND GDPR – DATA TRANSFER OUTSIDE THE UK BY CONSENT
The Data Protection Act has 8 principles; the last one relates to the transfer of data outside the European Economic Area (which means transfers outside European Union member states or Iceland, Norway and Liechtenstein). That principle states that personal data shall not be transferred to a country or territory outside the European Economic Area “unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
The European Commission has determined that some countries, such as New Zealand, have an “adequate level of protection”. However, they did not include the United States. Previously the European Commission allowed data to be transferred to any company in the United States which had signed up to what was known as a Safe Harbor agreement. However, a court decision in October 2015, which raised concerns about how such data was protected from public authorities in the United States, saw the Safe Harbor agreement replaced by the EU-US Privacy Shield, which will be reconsidered during the summer of 2017.
Where transfer of personal data is not to a country which has been determined by the European Commission as having that “adequate level of protection” or to somewhere not a party to the EU-US Privacy Shield then you need to make your own assessment about the “adequate level of protection” and decide whether the transfer of personal data should proceed.
However, before you get too bogged down in the decision-making process regarding “adequate level of protection”, you need to be aware that there are some exemptions which could enable you to transfer personal data even if there is no adequate protection. One of these exemptions relates to the consent of the data subject. So, in a nutshell, if the individual whose personal data is being transferred (the data subject) consents to the transfer, you can transfer personal data even if there is no adequate protection.
How does GDPR alter this?
GDPR states that personal data may only be transferred outside of the EU if you comply with certain conditions laid out in Chapter V of the GDPR.
GDPR still provides exemptions, one of which relates to the individual’s consent. However, the GDPR exemption is more onerous, since you can transfer personal data where there is no adequate protection only if you have the individual’s informed consent. Interestingly, this exemption, along with several others, is not available for the “activities of public authorities in the exercise of their public powers”.
What is informed consent?
Article 49 of GDPR states that the data subject must have:
- explicitly consented to the proposed transfer
- after having been informed of the possible risks of such transfers to the data subject due to the absence of an adequacy decision and appropriate safeguards
This places the onus on someone seeking to rely on the transfer of data to:
- clearly explain the possible risk involved and
- then get explicit consent for transfer
The ICO (Information Commissioner’s Office) advises that you should always take steps to ensure that there is “adequate protection if it is possible to do so, and only to rely on an exemption if it is not”. However, they also acknowledge that “the exemptions are legally available to you and may in some circumstances provide a simple solution that only results in a minimal loss of protection for the individual”.