The background to these issues is that transfers to countries outside the EEA (that is, all EU member states plus Iceland, Norway and Liechtenstein) are known as “restricted transfers” in data protection law. GDPR sets a general principle that restricted transfers shall only take place if the conditions of GDPR are complied with (Article 44). The stated objective is to “ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
At Data Protection Consulting, we have encountered a couple of problem areas in relation to restricted transfers under GDPR and referred to the ICO for advice as follows:
Employees and restricted transfers
If an employee is located in a country outside the EEA, the ICO view is that the access to and processing of personal data on behalf of the employer’s business, where servers or storage are based in the UK, does not constitute a restricted transfer. This covers situations where an employee might be based temporarily or permanently outside of the EEA while the employer is based in the EEA. In such a scenario, the requirements relating to restricted transfers in GDPR would not apply. Similarly, there would be no requirement to publish such a transfer of personal data in the organisation’s Privacy Notice. (Ordinarily, transfers of personal data to countries outside the EEA are disclosed in the relevant Privacy Notice, but because the ICO view is that this is not a restricted transfer, the need to disclose it does not apply.)
The ICO was keen to stress that the security of personal data remains a concern when it is accessed from outside the EEA. The devices and Wi-Fi used by the employee need to provide protection for the personal data accessed, so this is an area which needs to be addressed in the employer’s device management and security procedures.
So far, so good; however, the ICO view is not held by all members of the European Data Protection Board (EDPB). The EDPB replaced the Article 29 Working Party and is a committee made up of representatives from the national data protection authorities of all EU member states. Some members of the EDPB hold the opinion that access to data stored in the EEA by employees based outside of the EEA does constitute a restricted transfer. Guidance will no doubt be agreed and published in due course.
Controllers located outside the EEA
Many businesses in the UK offer services involving personal data processing to organisations located outside the EEA.
A further scenario where we sought the input of the ICO was in relation to personal data relating to data subjects resident outside the EEA whose data is collected by a controller in the same territory. With the increase in Software as a Service for example, that data could then be processed in the EEA. How would Article 44 apply in this case?
Access to the data held in the EEA by a controller located in a third country would be a restricted transfer under GDPR, as it was under the Data Protection Act 1998. Under the 1998 Act (and the EU Directive it was based on) there was a saving provision, the Adequacy Test. This allowed the potential prejudice to the data subjects to be taken into account when deciding whether or not a restricted transfer should take place. The general rule was that to transfer personal data relating to subjects resident in a third country back to that same country did not prejudice their rights as their data was already processed in that jurisdiction.
There is no similar provision to the Adequacy Test in GDPR. Instead, one of the “appropriate safeguards” in Article 46 must be relied on as the ground to authorise the transfer. This is easier said than done. There are currently no Model Clauses covering the transfer of data from an EU-based processor to a controller based outside of the EEA. The only apparently applicable ground would be that the transfer is made with the consent of the data subject. This would require the overseas controller to undertake an exercise of obtaining consent, which would presumably need to meet the strict requirements of GDPR around what constitutes consent. Service providers based in the EEA might consider adding an appropriate clause requiring clients to obtain the consent of data subjects to the processing of their data by the client, but it would not be clear that such a clause had actually been complied with.
For the time being there is little to do except be aware that there are issues to be resolved around restricted transfers and wait for further guidance from the EDPB and the ICO as to an appropriate course of action should these issues affect your business. If you need support with any aspect of this, do get in touch.
Mandy P Webster, Data Protection Consultant