Transferring personal data overseas: what’s changing?
There have been a number of recent developments affecting overseas transfers of personal data. This update looks at changes to transfers of personal data to and from Japan, as well as addressing how Brexit will affect transfers of personal data to and from the UK.
Personal data transfers between the EU and Japan
The General Data Protection Regulation (“GDPR”) provides that transfers of personal data to countries outside the European Economic Area (“EEA”) (known as “third countries”) are restricted unless appropriate safeguards are in place.
One such appropriate safeguard is the existence of a European Commission adequacy decision in respect of the recipient country. An adequacy decision is issued where the European Commission has concluded that the legal framework in the recipient country ensures an adequate level of protection for personal data.
The European Commission has recently adopted an adequacy decision in relation to Japan, on the basis that the data protection standards in Japan and the EU are equivalent. This means that companies in the EEA who transfer personal data to Japan will no longer need to rely on other safeguards, such as the data subject’s consent, or approved model contractual clauses.
It took some two years of negotiation before the European Commission would grant adequacy to Japan and, in order to obtain an adequacy decision, Japan has had to put in place a number of additional safeguards to ensure that personal data transferred from the EEA will be protected in line with European standards.
The impact of Brexit on personal data transfers to and from the UK
When the UK leaves the EU, it will become a third country and, as such, will be subject to the same restrictions relating to transfers of personal data to and from the EEA as other non-EEA countries. Whilst ideally the European Commission would grant the UK an adequacy decision, we can see from the experience of Japan that this can take some time and, although likely given the current alignment of UK and EU data protection law, an adequacy decision in favour of the UK is not a fait accompli.
Brexit therefore raises a number of difficult issues for UK companies who transfer personal data to and receive personal data from other companies in EEA countries. If you conduct such transfers, you will need to start preparing for Brexit now in order to ensure that your data flows can continue to run smoothly after Brexit.
We suggest you start by mapping your current personal data flows in and out of the UK. By understanding your data flows, you will be able to identify where you will need to take action to implement new safeguards and give proper consideration to the available options, such as model contractual clauses, binding corporate rules, or – for certain limited occasional transfers – reliance on one of the derogations from the general rule restricting transfers of personal data outside the EEA.
We have produced an easy-to-follow guide, Impact of Brexit on international transfers of personal data and cross-border processing, which summarises the pre- and post-Brexit legal position.
It explains how different versions of Brexit may affect international transfers of personal data, when you will be able to continue with international transfers of personal data and the safeguards that will be needed in different circumstances. It also considers some additional steps that UK organisations processing personal data of individuals in the EEA will need to take for compliance with data protection law after Brexit.
For more information and to purchase your copy of the guide, email Jane Coffey.