[co-author: Lorraine Matthews]
Organisations that make international transfers of personal data have undergone significant challenges and changes over the last few years. With the invalidation of the Privacy Shield agreement in 2020 and the introduction of the “New Standard Contractual Clauses” in 2021, businesses have had to adjust their data protection measures and transfer mechanisms and must continue to keep abreast of fast-changing regulations. Failure to comply with up-to-date data protection laws and data transfer rules can lead to commercial and reputational damage as well as regulatory sanctions with corrective measures, including orders to cease transfers of personal data and significant financial penalties.
Quick Hits
- European (and UK) regulators are actively penalising organisations that fail to protect EU personal data that is being transferred internationally.
- Organisations that transfer personal data outside of the EU must ensure that data is safeguarded to the same level as it would be within the EU.
- Transfers of personal data include transfers within the same organisation.
- Organisations based outside the EU may be directly subject to EU data protection laws through extraterritorial effect.
Keeping Up to Date
Organisations processing EU (and UK) personal data may want to ensure that, when this personal data is transferred internationally, it is afforded the same protection that it would benefit from within the EU (and/or UK). This means putting in place transfer mechanisms such as EU-approved Standard Contractual Clauses (SCCs) (together with the UK Addendum or an International Data Transfer Agreement) or other General Data Protection Regulation (GDPR)-compliant international data transfer mechanisms, such as the EU-U.S. Data Privacy Framework (DPF) and the U.S.-UK Data Bridge (or other extensions to the framework, where applicable).
Regulators have the power to issue heavy fines to organisations that implement and rely on incorrect or invalid transfer mechanisms in the normal course of their business operations, such as when transferring personal data to a non-EU third-party service provider or to a non-EU office within the same organisation (e.g., from EU offices to U.S.-based headquarters). Many organisations have already faced regulatory scrutiny and received large financial penalties, and the number of regulatory actions is increasing annually. There is no doubt that European regulators are actively monitoring compliance with, and are serious about the enforcement of, the GDPR, with a particular focus on international transfers. The Information Commissioner’s Office, the UK’s data protection authority, may well follow their example.
Identifying the Most Appropriate Transfer Mechanism
When assessing which transfer mechanism to use, there are important distinctions to consider. Organisations transferring personal data from the EU to the United States may choose to rely on the DPF for these transfers and may want to ensure that the transfer will be compliant with relevant data protection laws and regulations, including assessing the impact of any onward transfers and implementing measures to ensure that U.S. entities receiving the personal data under the DPF remain compliant with the DPF.
When relying on SCCs as a transfer mechanism, there is a legal obligation to undertake an initial data privacy assessment (a Transfer Impact Assessment, or TIA) and to periodically reassess transfers, taking into account any recent developments and regulatory changes relevant to transfers and the potential risks these present. Organisations may want to supplement SCCs with additional contractual obligations between the parties sending and receiving personal data. These contractual provisions would set out measures and responsibilities for both parties to ensure the safeguarding of personal data throughout the transfer. An organisation may also want to evaluate the robustness of a chosen transfer mechanism against the organisation and its business needs, to mitigate the risk of international transfers operating on an invalid or outdated mechanism and the risk of operational interruptions.
Privacy activists in the EU have indicated an intent to challenge the validity of the DPF, potentially resulting in the invalidation of the mechanism, something organisations have already seen with its predecessors, the Privacy Shield and the Safe Harbour Agreement. Organisations completing transfers under an invalidated framework may want to ensure that an alternative transfer mechanism, such as SCCs, is put into place immediately, or cease all transfers of personal data under the DPF, to avoid breaching data protection laws and regulations and to protect against possible claims for violation of the GDPR.
Financial Penalties
For failure to implement appropriate protection for international transfers of personal data, the GDPR establishes fines of up to €20 million or 4 percent of an organisation’s annual global turnover, whichever is higher. It is worth noting that violations of GDPR requirements directly concerning individuals’ rights and freedoms, sensitive data, consent requirements, and data transfers incur the highest fines.
EU regulators continue to impose significant fines for GDPR breaches, many relating specifically to international transfers of personal data*. Some examples of fines imposed are set out below:
Regulators remain active in ensuring organisations operate within the confines of relevant data protection laws and regulations. Employers might want to assess their operations to understand what data transfers are taking place in the normal course of business and to identify any additional safeguards that are needed. Employers may also want to identify transfer mechanisms that can be implemented to protect personal data – having an appropriate transfer mechanism in place is a legal requirement. Given the extraterritorial effect of the GDPR on organisations, further fallout from the Schrems II judgement is likely to come.