Data Protection and Sending Data Abroad

7th June 2021 Commercial Litigation

One of the increasingly complex issues caused by the UK leaving the EEA is the question of whether and how UK companies can send personal data to other countries for processing.

The first point to bear in mind is that the concept of processing is far wider than many people properly appreciate. For example, sending names and email addresses to the USA by using an online tool that does mailshots is overseas processing of personal data and falls within the GDPR. In fact, a German data protection regulator recently threatened to fine a company for doing just this by using the US-based Mailchimp package to carry out a mailshot. In the end the company promised not to use Mailchimp in future and so the fine was not levied but it is worth noting as an example of how easy it can be to transfer personal data abroad without realising.

The next thing to consider is whether the country involved is already authorised, known as an adequacy decision under the GDPR. The UK allows free transfer of data to EEA countries and recognises them as approved. Currently the EEA also allows free transfer to the UK and this is likely to continue thanks to the adequacy decision process being conducted by the European Commission. There are a range of other countries approved by the European Commission and the UK also recognises all of these. The UK also has its own approval for Gibraltar and it has intimated that it intends to work on securing more adequacy decisions to enable easier data transfers to promote business. It is worth noting that data transfers to the USA are not currently approved in any way at all and so further consideration will be needed if data is being transferred to an organisation based there. If the country that the data is going to is on the approved list then nothing further needs to be done.

If the data transfer is to be made outside an approved country, to the USA for example, then a risk assessment will need to be done. In the case mentioned above the main problem with the German company using Mailchimp was that they had not done a risk assessment for the USA. A risk assessment will need to consider what data is being sent and its level of sensitivity, what data protection controls are in place in the country, and whether they are actually properly enforced. One of the big problems with the USA, for example, is that its intelligence services have very wide powers to obtain data from private companies with limited oversight and appear to have used those powers liberally. A risk assessment may need to conclude that the risk of transferring the specific data to the country concerned is unjustifiable but it may also allow for less risky forms of transfer such as allowing access to the data via an encrypted link to a server in the UK or may conclude that the objectives can be met with the transfer of less data and that this lesser transfer is an acceptable risk.

Once a risk assessment has been done then appropriate controls need to be put in place. Larger multi-national may put together binding corporate rules but these need to be approved by the appropriate regulator and so this kind of exercise is not likely to be economic for most companies. The more usual way forward is to use Standard Contractual Clauses (SCCs). The European Commission had an approved set from before the UK’s departure from the EU. These are therefore acceptable for the use of UK companies. The ICO has a set of these adapted for UK use on its website. They are likely to need further adjustment to be used in practice but they form a model which can be worked from. The EU has just approved a new set of SCCs. These are not suitable for UK use and can only be used by entities that are subject to the EU GDPR (some UK companies will be). The ICO is working on its own set of SCCs which it expects to produce at some point in 2021. Whether these will be better or worse then the EU version is open to argument.

Companies must remember that the use of online tools can easily involve data transfers to countries that are not subject to adequacy decisions. It is important to be careful when using new online processing tools and think about whether risk assessments and SCCs need to be used first.

We're Social

David Smith is a Partner located in Londonin our Commercial Litigation department

View other posts by David Smith

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest