ICO Brings Some Welcome Clarification to the GDPR’s International Transfer Rules

David Smith

One of the challenges thrown up by the GDPR is understanding the interrelation between the extra-territorial scope provisions in Article 3 and the restrictions on international transfer in Chapter V. How, for example, do the international transfer restrictions apply, if they apply at all, to a data controller that has no presence in the EU yet is caught by the GDPR because, through its online activities, it offers goods or services to data subjects who are in the EU? Given the piecemeal way in which the GDPR was developed it is perhaps understandable that all of us, including the data protection authorities, are left with some difficult questions to answer. The clarification provided in the ICO’s latest guidance is therefore most welcome.

In its guidance the ICO introduces a distinction between what it calls “restricted transfers” to which all the requirements of Chapter V apply and other transfers which are therefore unrestricted. The guidance says that you are making a restricted transfer if, amongst other things:

  •  you are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually because they are located in a country outside the EU;
  • the receiver is a separate organisation or individual. The receiver cannot be employed by you or by your company. It can be a company in the same group.

Thus most transfers will  be “restricted” ones and there is no great change in the ICO’s guidance around standard contractual clauses, binding corporate rules and the application of the other transfer mechanisms. What about unrestricted transfers though?  It follows from the ICO guidance that a transfer will be an unrestricted one if either:

  • you are sending personal data, or making it accessible, to a receiver to which the GDPR does apply even though it is located in a country outside the EU. An example might be a transfer from a financial adviser in the EU to a bank in the US in connection with a product that the bank clearly offers to individuals in the EU. The bank might not be established in the EU but the GDPR would nevertheless apply to its relevant activities by virtue of Article 3.2(a);
  • the receiver is not a separate organisation. An example might be where the receiver is one of your employees perhaps located in a satellite office that is not a separate legal entity but is nevertheless located in a country outside the EU. Another example might be a non-EU business with its head office outside the EU that has a branch office which, although located in the EU, is part of the same legal entity as the head office and which sends HR data from within the EU to its non-EU  head office.

Essentially the ICO’s position is that if the processing of the personal data remains subject to GDPR after transfer, then its transfer outside the EU does not need to be restricted because such a transfer ought not to undermine the level of protection provided by the GDPR. The thinking behind this is that the restrictions on international transfers in Chapter V need only be applied in so far as they are needed “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.

An obvious question that follows is what will be the position if the receiver in the third country then passes the personal data on to another organisation where the data will not be subject to the GDPR, whether that other organisation is in another third country, or even in the same country. Presumably the personal data cannot end up in a third country outside the scope of the GDPR without a restricted transfer taking place at some point in the chain. The ICO’s position is that this restricted transfer occurs when the receiver passes the personal data on to another organisation where the data will not be subject to the GDPR regardless of where the organisation is located. Whilst it might require a certain twist of logic to accept that an international transfer under the GDPR can occur at the point at which one organisation in a third country is passing the personal data to another organisation in the same country, without the personal data actually moving across an international border, this may well be a small price to pay if businesses are to benefit from what seems to be a sensible and proportionate approach to interpreting and applying the GDPR in this challenging area.

A more difficult and, as yet unanswered, question is what would be the position if personal data that are initially caught by the GDPR after transfer, by virtue of Article 3(2), subsequently cease to come within the GDPR’s scope without necessarily leaving the hands of the receiver in the third country. This may be a less common scenario but could occur because the receiver goes on to process the data for activities that are neither related to the offering of goods or services to data subjects in the EU nor to monitoring of their behaviour, or because the data subjects concerned cease to be in the EU.  Whilst it might require a necessary twist of logic to conclude that a restricted international transfer takes place when a non-EU controller, subject to the GDPR, makes a transfer to another non-EU controller in the same country, albeit one not caught by the GDPR, it arguably requires a rather more substantial mental gymnastics to conclude that a restricted international transfer is also taking place when the processing of personal data leaves the scope of the GDPR  without the data even being transferred from one controller to another, let alone moved across any border. There is also a more practical question of how, in such circumstances, the controller could be expected to satisfy the international transfer restrictions in Chapter V, other than by obtaining the data subject’s explicit consent, as it clearly will not be in a position to enter into contractual clauses with itself.

Even if some questions have still to be answered the ICO’s latest guidance will undoubtedly be helpful to businesses struggling to apply the GDPR’s international transfer requirements. How far though does this guidance reflect the thinking of the other EU data protection authorities and of the European Data Protection Board (EDPB) or is it just the ICO’s own interpretation of the GDPR? We do not know the answer to this but the ICO is still an active participant in the EDPB’s activities and, given the sensitivities around Brexit and the adequacy of the UK’s data protection regime, it would be surprising if the ICO was moving significantly away from the approach favoured by its fellow EU regulators. Perhaps we will only know for certain once we see the EDPB’s own guidelines on the subject. We can only speculate on when this might be but, hopefully these guidelines, when published, will provide us with the remaining answers.