Guidance on international transfers under GDPR

The request was successful.

Dear Information Commissioner’s Office

Your recent guidance on international transfers [https://ico.org.uk/for-organisations/gui... states that a transfer is restricted only if "you are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply".

I understand that your general counsel, Ms. Emma Bate, has recently explained this guidance in the following terms: "A transfer of personal data outside the EEA is not restricted by Chapter V of the GDPR if the data, when held by the non-EEA recipient, is still protected by the extraterritorial scope provisions of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside of the protection of the GDPR."

I would be obliged for the following:

1. A copy of the presentation in which Ms. Bate made this comment;

2. Any training materials, lines to take or casework advice notes provided to your staff on this point of non-EEA transfers which are permitted because they are "still protected by the extraterritorial scope provisions of the GDPR";

3. Information as to when and by whom the interpretation that non-EEA transfers are permitted if they are "still protected by the extraterritorial scope provisions of the GDPR" was adopted; and

4. Details of the legal reasoning relied upon in reaching the interpretation that non-EEA transfers are permitted if they are "still protected by the extraterritorial scope provisions of the GDPR". To the extent that this may involve information protected by legal professional privilege, I would be obliged if you would take the following points into account in applying the public interest test in s.42.

4.1 It appears that this interpretation of the GDPR has never before been adopted by a national or sub-national supervisory authority.

4.2 It appears that this interpretation of the GDPR was adopted without any public consultation on this point.

4.3 This interpretation of the GDPR impacts on the fundamental rights of a very large number of people and has a significant financial impact on the commercial interests of very many firms.

4.4 There is therefore a compelling public interest in examining the reasoning behind the interpretation to determine if it is correct before it is relied upon in a way which will prejudice either (or both) fundamental rights and commercial interests. If this interpretation is incorrect then many individuals will have had their rights compromised by the transfer of their data to third countries in circumstances which are not permitted by the GDPR, and will expose many firms to regulatory action and actions for damages which may have significant financial impact.

Yours faithfully

Dr. TJ McIntyre

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

9 October 2018

 

Case Reference Number IRQ0790856

 

Dear T J McIntyre

Thank you for your recent request for information. We received your
request on 1 October.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 29 October. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
 
 
 

Jessica Duckworth
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 4146497  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [3]privacy
notice

 
 
 
 

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

1 Attachment

30 October 2018

 

Case Reference Number IRQ0790856

 

Dear T J McIntyre

Thank you for your recent request for information. We received your
request on 1 October.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
“Your recent guidance on international transfers
[https://emea01.safelinks.protection.outl...
states that a transfer is restricted only if "you are sending personal
data, or making it accessible, to a receiver to which the GDPR does not
apply". I understand that your general counsel, Ms. Emma Bate, has
recently explained this guidance in the following terms: "A transfer of
personal data outside the EEA is not restricted by Chapter V of the GDPR
if the data, when held by the non-EEA recipient, is still protected by the
extraterritorial scope provisions of the GDPR. The rationale being that no
additional protection is needed as the GDPR still applies, so this is not
a transfer outside of the protection of the GDPR." I would be obliged for
the following: 1. A copy of the presentation in which Ms. Bate made this
comment; 2. Any training materials, lines to take or casework advice notes
provided to your staff on this point of non-EEA transfers which are
permitted because they are "still protected by the extraterritorial scope
provisions of the GDPR"; 3. Information as to when and by whom the
interpretation that non-EEA transfers are permitted if they are "still
protected by the extraterritorial scope provisions of the GDPR" was
adopted; and 4. Details of the legal reasoning relied upon in reaching the
interpretation that non-EEA transfers are permitted if they are "still
protected by the extraterritorial scope provisions of the GDPR". To the
extent that this may involve information protected by legal professional
privilege, I would be obliged if you would take the following points into
account in applying the public interest test in s.42. 4.1 It appears that
this interpretation of the GDPR has never before been adopted by a
national or sub-national supervisory authority. 4.2 It appears that this
interpretation of the GDPR was adopted without any public consultation on
this point. 4.3 This interpretation of the GDPR impacts on the fundamental
rights of a very large number of people and has a significant financial
impact on the commercial interests of very many firms. 4.4 There is
therefore a compelling public interest in examining the reasoning behind
the interpretation to determine if it is correct before it is relied upon
in a way which will prejudice either (or both) fundamental rights and
commercial interests. If this interpretation is incorrect then many
individuals will have had their rights compromised by the transfer of
their data to third countries in circumstances which are not permitted by
the GDPR, and will expose many firms to regulatory action and actions for
damages which may have significant financial impact.”
 
Our response 
 
I can confirm that we hold information in the scope of your request.
 
I will respond to your request following your own numbering.
 
1. I have attached a copy of the presentation where Emma Bate made the
relevant comment to this response.
 
2. No information held – there have been no training materials, lines to
take or casework advice notes provided to staff on the point of non-EEA
transfers.
 
3 and 4. The International Transfers guidance, which includes this
interpretation, was written by the in-house legal team and the Policy
team, working in collaboration. There is no separate documentation which
sets out the date of adoption or the legal reasoning, and therefore
nothing further to disclose.
                                
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [1]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator. I have included information
about how to do this separately.
 
Yours sincerely,
 
 
 
 

Jessica Duckworth
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 4146497  F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [4]privacy
notice

 
 
 

 

References

Visible links
1. https://ico.org.uk/media/about-the-ico/p...
2. http://ico.org.uk/
3. https://twitter.com/iconews
4. https://ico.org.uk/global/privacy-notice/

Charlie Milton left an annotation ()

'A transfer of personal data outside the EEA is not restricted by Chapter V of the GDPR if the data, when held by the non-EEA recipient, is still protected by the extra territorial scope provisions of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies'

In what case would the extra territorial scope not apply to international transfers for EEA-based data subjects?