Legal Services

Transfer of personal data overseas

It is important to understand that all transfers of personal data to a country outside the EEA require what is known as an “adequacy” assessment. This means that we need to be sure that the country the personal data is to be transferred to offers the same level of protection for personal data that we have in the UK, and which, as a result of the EU directive, is also available throughout the EEA. The protections needed relate to data security, transparency of use and an individual's rights. The term 'transfer' covers any form of access to personal data from overseas, not just a permanent physical movement of the data.

Sending personal data to a country outside of the EEA

This can be achieved very easily if the country has already been approved by the EC as having adequacy. Previously, Safe Harbour enabled a US company to declare adequacy status.

If the country is not on this list then we must either:

  • Make an assessment of adequacy ourselves, taking into account, amongst other things, the nature of the personal data, the safeguards in place and any privacy legislation that exists in the destination country;
  • Put in place model contract clauses, which utilise specific contractual obligations created by the EC that must be adhered to;
  • Seek the explicit consent of the data subjects.

The Information Commissioner has produced guidance on international data transfers.

The new EU-US Privacy Shield

The European Commission and United States reached an agreement in early February 2016 on new rules for transatlantic transfers of personal data to replace the previous Safe Harbour agreement. The new 'EU-US Privacy Shield' has now been formally approved by the European Union's data protection authorities.

The US Department of Commerce has launched a website that provides individuals and companies with further details about EU-US Privacy Shield. The website includes information for companies about complying with the framework, the self-certification process and the Privacy Shield's principles. The Department of Commerce's website is now accepting self-certifications which means the framework is now in place.

The reason for the change

The European Court of Justice ruled on 6 October that the European Commission decision on the use of the US Safe Harbour agreement for transferring personal data from the EEA (European Economic Area) to the USA was invalid. This decision had implications for all those that regularly transfer personal identifiable information to companies or organisations based in the United States for any purpose, including UCL.

What does Privacy Shield do?

Privacy Shield will enable a data controller based in an EU or EEA country to transfer personal data to a recipient based in the US and automatically comply with the 8th data protection principle.

It is important to note that the Privacy Shield will only apply as a means of legitimising a transfer of personal data to the US if the recipient company or organisation has signed up to the Privacy Shield framework. If not, any organisation wishing to initiate a new transfer of personal data to the US must continue to find an alternative means of ensuring there is an adequate level of protection for the personal data.

The new framework includes the following new provisions over and above the old Safe Harbour regime:

  • The US Department of Commerce will now oversee how US firms implement the agreement
  • The US will provide the EU with assurances relating to the terms of state access to data transferred from the EU
  • EU citizens unhappy about the regime will be able to challenge the Department of Commerce and the Federal Trade Commission (FTC) through their local data protection authority
  • The European Commission and the US Department of Commerce will carry out an annual joint review of the agreement.

Factsheet

The European Commission has published a factsheet about Privacy Shield.

The implications of the changes for UCL

Existing transfers that had relied on Safe Harbour can continue if the recipient opts into Privacy Shield and complies with those provisions. Any transfer continuing to cite Safe Harbour will be unlawful and open to enforcement action.

The implication is that UCL cannot enter into any new agreements which involve the transfer of personal data to the United States that rely on Safe Harbour.

Further information

If you are planning on transferring personal data to the USA, either as part of a disclosure for a particular purpose such as collaborative research or because you are thinking of using a US-based company to provide a particular service or function, please seek advice by contacting the UCL Data Protection team at: data-protection@ucl.ac.uk.

Updated: July 2016