Welcome to our regular feature with the Jersey Office of the Information Commissioner (JOIC). Data protection can be a complex subject, so we have partnered with JOIC to help make it more understandable and answer your questions.
Today, we are joined by Paul Vane, Deputy Information Commissioner.
Getting back to basics
What does our Data Protection law say about transferring personal data overseas?
Part 8 of the Data Protection (Jersey) Law 2018 provides that personal data should not be transferred to a third country without the receiving country ensuring an adequate level of protection for the rights and freedoms of individuals in respect of the processing of their personal data.
The provision is identical to the equivalent provision in the GDPR; however, it is not a new concept. Since the first European Data Protection Directive came into force in 1995, and Jersey’s data protection law 10 years later in 2005, there has always been a requirement to ensure personal data is protected when transferring it overseas.
So what this means in practice is that before transferring personal data overseas, you need to check a couple of things:
- Are you transferring to a third country, i.e. a country OUTSIDE the European Union or European Economic Area?
- If so, does that third country have adequate safeguards in place (i.e. an essentially equivalent data protection regime to that of the EU) to protect the personal data of its citizens?
What is the impact of Brexit on Adequacy status?
Since May 2008, Jersey has enjoyed what’s known as ‘Adequacy status’ in the eyes of the European Commission.
This means that the European Commission is satisfied that the data protection regulatory framework in Jersey offers an essentially equivalent level of protection for individuals as the GDPR. But what happens if you are transferring personal data to a non-EU country or a third country that does NOT have adequacy status?
Outside of the EU, the UK is probably the most likely place you will be wanting to transfer data to. But if you apply the Law, the UK is not in the EU, and it does not yet have ‘adequacy status’ from the European Commission. So can you still transfer data to the UK? The first question to consider is: was the UK ‘adequate’ BEFORE Brexit?
The UK was part of the EU, so no adequacy decision was needed. So, that being the case, what effect has Brexit had? Why are transfers to the UK problematic?
Simply put, the UK is now a third country with no rubber stamp from the European Commission, and because of that any transfer of data to the UK would not be lawful UNLESS another transfer mechanism could be used.
Jersey had the foresight to plug the gap while the UK seeks an adequacy assessment from the European Commission. The States Assembly amended Jersey’s data protection law to recognise the UK as ‘adequate’ (based on its near-equivalent Data Protection Act and its recent membership of the EU) until it receives a positive adequacy assessment.
The sunset clause expires at the end of 2021, so the UK has until then to obtain its adequacy status. If it does not, this could potentially cause a problem.
The indications are good so far, in that a draft decision confirming that the UK regime meets the adequacy standard has been issued by the European Commission. A final decision should hopefully be issued in the summer of 2021.
But for the moment, personal data CAN be transferred to the UK because of the amendment applied to the DPJL last year.
In the absence of an adequacy decision, the Law also allows a transfer to a third country if the controller or processor has provided ‘appropriate safeguards’ and on condition that enforceable data subject rights and effective legal remedies for data subjects comparable to those under the Law are available in that third country or organisation. So let’s look at a few of the other more common methods used that provide those ‘appropriate safeguards’.
- Standard Contractual Clauses – These are model data protection clauses which enable the free flow of personal data when embedded in a contract.
- Binding Corporate Rules – Binding Corporate Rules or ‘BCRs’ form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s Jersey entities to the group’s non-EEA entities.
- Consent – If relying on consent, it must be explicit. You will need to ensure the data subject is fully informed of the risks so as to be sure that the consent is both specific and freely given, as per the usual rules around consent.
- Other transfer mechanisms – In addition, codes of conduct approved by the Regulator can be used as a transfer tool in certain specific circumstances. These include binding and enforceable commitments for the controller, processor and recipient in the third country and should include appropriate safeguards and data subject rights.
Transfers of personal data to the US – Top Tips
- Find a transfer mechanism. Standard Contractual Clauses are still a valid transfer mechanism and may provide a suitable alternative for you if you can satisfy yourself that data subjects can be guaranteed an essentially equivalent level of protection in the receiving jurisdiction. For inter-group transfers, you could also consider Binding Corporate Rules, remembering that these must be approved in advance of any transfers by the JOIC. You should also consider the exceptions at Schedule 3 of the Law and which may permit the transfer of data in specific circumstances.
- Map out your data flows. Critically examine all your flows and identify what safeguards you have in place for transfers to non-EU jurisdictions. Also assess the level of protection offered to personal data in the jurisdiction to which you are transferring the data: look at access to the court system, understand the ability to seek legal recourse if things go wrong, and look at the availability and powers of any regulator/ombudsman. You may also want to consider whether the authorities in that jurisdiction can access the information and on what basis, and what level of Government-led surveillance exists in the receiving jurisdiction.
- Re-assess your Processing contracts. If you use a service provider/Processor in the US, make sure the processing contract reflects the appropriate mechanism and safeguards for transferring personal data. You may also want to consider changing your provider to one that can offer an adequate level of protection for data subjects.
- Keep an eye on the news. The European Data Protection Board (EDPB) has already published updates on the legality of data transfers where SCCs have been used, and will very likely publish more. Keep in mind that the CJEU position on SCCs may change.
- Provide additional safeguards. Try not to rely on one single mechanism for your data transfers. Instead, try using SCCs plus another mechanism to ensure you are offering the best protection you can to the personal data you are transferring.
Contacting the Jersey Office of the Information Commissioner (JOIC)
Explore the resources and guidance available on the JOIC’s website.
Or call the office on 01534 716530 to speak to a member of the team.
Do you have a question about Data Protection that you would like answered? Drop us an email to [email protected]