Are there restrictions on the transfer of personal data overseas?
Technology (second edition)
Yes. Under MOCI Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic Systems (December 1, 2016) (“MOCI Reg”), the transfer of personal data out of Indonesia requires the local transferor to satisfy a coordination requirement with the MOCI and to fulfil any other regulatory provision regarding the cross-border transfer of personal data (i.e., the data subject's consent). The coordination requirement consists of:
a. reporting any plan to transfer personal data, which must contain at least the name of the receiving country, the full name of the receiver, date of implementation, and the reason/purpose of the transfer;
b. requesting advocacy, if necessary; and
c. reporting the result of the transfer.
Yes. A transfer of personal data to a country outside the EEA that does not provide for an adequate level of protection may only take place if additional requirements have been met. For example, a data transfer agreement based on EC Model Clauses or other additional safeguards may be necessary.
As mentioned in the previous answer, the LGPD, when effective, will impose strict requirements for international data transfer. It provides that international data transfer shall be permitted solely in the following circumstances:
(a) to countries with an adequate level of protection (to be determined by the national data protection authority);
(b) through the use of standard contractual clauses, binding corporate rules, seals, certificates and codes of conduct approved by national data protection authority;
(c) with the specific and prominent consent of the data subject, in which case prior information on the international character of the operation shall be provided, clearly distinguishing it from other purposes;
(d) to comply with a legal or regulatory obligation;
(e) when necessary for the performance of a contract;
(f) for the protection of life and physical safety of the data subject or third party;
(g) for the regular exercise of rights in judicial, administrative or arbitral proceedings;
(h) when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law;
(i) based on a commitment made in an international cooperation agreement;
(j) when authorized by the national data protection authority; and
(k) when necessary for the execution of public policy or compliance with the legal attribution of the public service.
Yes. Like the Data Protection Directive, the GDPR restricts transfers of personal data outside the European Economic Area (EEA) in order to ensure that the level of protection offered by the GDPR, which has direct effect in Luxembourg, is not undermined. Personal data can only be transferred outside the EEA to third countries or international organizations provided the conditions for transfer stipulated in Articles 44-50 of the GDPR are complied with.
The Commission can make findings of adequacy in relation to a third country, according to Art. 45(1) of the GDPR. Cross border data transfers to such “adequate” countries are generally permitted and do not require prior approval from a supervisory authority.
According to Art. 46 of the GDPR, transfers of personal data can be made in the absence of an adequacy decision where the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The list of appropriate safeguards includes, amongst others, binding corporate rules, a legally binding and enforceable instrument between public authorities or bodies, and standard contractual clauses adopted or approved by the Commission.
The transfer of personal data abroad is subject to the provisions of GDPR, no national regulations being enacted in this respect.
In general terms, personal data cannot be transferred from Spain to countries that are located outside the European Economic Area, unless:
- The EU Commission has decided that the country in which the data importer is established offers an adequate level of data protection. Currently the EU Commission has stated that the following countries provide such an adequate level: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to companies certified under the Privacy Shield framework); or
- The data controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In practice this means that where the data exporter and the data importer adopt appropriate safeguards (such as entering into the Standard Contractual Clauses published by the EU Commission or, within a corporate group, Binding Corporate Rules), the transfer of personal data will be deemed lawful; or
- One of the derogations provided for in Article 49 of the GDPR applies to the transfer. These include the explicit consent of the affected individuals, the necessity of the transfer for the performance of a contract with the data subject, the need to establish, exercise or defend legal claims, and the need to protect the vital interests of a data subject.
The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (RSPP-SPD Rules) permit the transfer of personal data outside India on condition that the recipient in the other country adheres to the same level of data protection as is applicable to the body corporate under the RSPP-SPD Rules in India.
However, the Reserve Bank of India (RBI) has mandated that all data of payment system operators in respect of transactions in the payments eco-system should be stored within the Country.
Article 9 of the Law on Protection of Personal Data numbered 6698 (the DP Law), which governs the transfer of personal data abroad, prohibits such transfers without the explicit consent of the data subject. Nevertheless, the second paragraph of Article 9 of the DP Law permits the transfer of personal data abroad without the data subject's explicit consent where the following cumulative conditions are met:
- one of the conditions set forth in the second paragraph of Article 5 or the third paragraph of Article 6 of the DP Law is present; and
- (i) the foreign country to which the personal data will be transferred has an adequate level of protection, or
(ii) where there is no adequate level of protection, the data controllers in Turkey and abroad undertake in writing to provide an adequate level of protection and the permission of the Data Protection Board has been obtained.
On 17 May 2018 the Board announced the minimum undertakings that must be given by the data controller residing in Turkey and the data processor residing abroad to which the personal data will be transferred.
There are no restrictions regarding transfer of data between states in the EEA.
The GDPR stipulates when transfers of personal data to an area outside of the EEA are allowed. In short, transfers are permitted when:
- there is a decision from the Commission stating that a third country ensures an adequate level of protection for personal data;
- the data controller or processor has provided appropriate safeguards, such as Binding Corporate Rules or Standard Contractual Clauses;
- special situations and single cases require it, for example when the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; when the transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request; when the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person; or when the transfer is necessary for important reasons of public interest.
Personal data may only be transferred outside Switzerland if the privacy of the data subject is not seriously endangered, in particular due to the absence of legislation that guarantees adequate protection in the jurisdiction where the recipient resides. The Federal Data Protection and Information Commissioner (FDPIC) has published a list of jurisdictions that provide adequate data protection ( https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html). The EEA countries and Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay are generally considered to provide an adequate level of data protection as regards personal information of individuals (however, many do not as regards personal information of legal entities), while the laws of all other jurisdictions do not provide adequate data protection.
As regards the US, Switzerland and the US in February 2017 agreed on the Swiss-US Privacy Shield as a new framework for the transfer of personal data from Switzerland to the US, thereby replacing the US-Swiss Safe Harbor Framework. US companies processing personal data may self-certify to the Swiss-US Privacy Shield with the US Department of Commerce and thus publicly commit to comply with the new framework. Switzerland acknowledges that the level of protection of personal data for such certified US companies is adequate. As a result, Swiss companies are able to transfer personal data to those US business partners without the need to procure the consent of each data subject or to put additional measures in place.
In the absence of legislation that guarantees adequate protection, personal information may only be transferred outside Switzerland if sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad; if the data subject has consented in the specific case; if the processing is directly connected with the conclusion or the performance of a contract (and the personal information is that of a contractual party); or if disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules (further justifications apply). In practice, data transfer agreements, data transfer clauses or binding corporate rules are regularly used to ensure an adequate level of protection in cross-border data flows within the same legal person or company or between legal persons or companies that are under the same management. It is the responsibility of the data transferor to ensure that an agreement is concluded that sufficiently protects the rights of the data subjects and to notify such agreements to the FDPIC. The FDPIC provides a model data transfer agreement which can be accessed on its website. The model data transfer agreement is based on Swiss law and reflects to a large extent the standard contractual clauses of the European Commission for data transfers.
The Cyber Security Law introduces a data localisation rule for operators of Critical Information Infrastructure (CII). Personal information and important data collected and generated by CII operators in the course of operating their business in China must be stored in China. CII means the infrastructure used for public communications, information services, energy, transport, water conservancy, finance, public services, e-government affairs and other important industries and fields, as well as other infrastructure that, once destroyed or disabled, or if data leakage occurs, would result in serious damage to national security, the national economy and people's livelihood, or the public interest. Where there is a business necessity to transfer such personal information and important data overseas, the operator must first conduct a security assessment.
In April 2017, the CAC issued the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (Draft for Comments) (“First Draft of Measures”). As one of the important supporting regulations associated with the Cyber Security Law, the First Draft of Measures specifies the security assessment requirements for the export of personal information and important data found in the Cyber Security Law. Following the First Draft of Measures, the CAC disclosed a second draft of the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (“Second Draft of Measures”) in May 2017, which modified the First Draft of Measures in some respects.
Pursuant to Article 2 of the Second Draft of Measures, when a network operator provides overseas parties with personal information and important data gathered and produced during operations within the territory of the PRC (Cross-border Data Transfer), it shall conduct a security assessment in accordance with the Measures. This implies that not only CII operators but all network operators should conduct a security assessment if they transfer personal data overseas. However, as addressed above, although the drafts conflict in this respect, both the First Draft and the Second Draft of Measures are still draft versions, and the formal version has not been issued yet.
In addition, the Guidelines for the Security Assessment of Cross-border Data Transfer, which are also still in draft form, provide further guidance on how the security assessment might be carried out.
Overseas transfers are not per se prohibited under the Data Protection Legal Framework.
All transfers of personal data, however, are subject to the consent (in the forms described above) of the relevant data subjects, except for the limited cases set forth below. Controllers must inform data subjects about data transfers through the relevant privacy notice. Transfers must be limited to the purposes described in the privacy notice and the data controller must provide to the data recipient the privacy notice to which data subjects consented in connection with the processing of their personal data, for the purposes set forth therein.
All data transfers, domestic and international, must be documented. Data controllers and data recipients must enter into a data transfer agreement in which the recipient acquires the same data processing obligations as those imposed to the controller by the Data Protection Legal Framework. Additionally, the agreement must contain the terms under which data subjects consent to the processing of their personal data.
The data controller may transfer personal data without obtaining prior consent from the data subjects when the transfer is:
i. required or exempted from consent under Mexican law or an international treaty;
ii. necessary for medical purposes;
iii. made to the data controller's related entities;
iv. necessary as a consequence of an agreement executed or to be executed between the data controller and the relevant data subjects;
v. necessary or legally required to safeguard public interest or for law enforcement purposes;
vi. necessary for the recognition, exercise or defence of a right in a legal proceeding; or
vii. necessary to maintain or fulfil a legal obligation between the data controller and the data owner.
A data user may transfer personal data out of Malaysia only in the following circumstances provided under Section 129(3) of the PDPA:
(a) “the data subject has given his consent to the transfer;
(b) the transfer is necessary for the performance of a contract between the data subject and the data user;
(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which (i) is entered into at the request of the data subject; or (ii) is in the interests of the data subject;
(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
(e) the data user has reasonable grounds for believing that in all circumstances of the case—
(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the data subject would have given his consent;
(f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;
(g) the transfer is necessary in order to protect the vital interests of the data subject; or
(h) the transfer is necessary as being in the public interest in circumstances as determined by the Minister.”
The transfer of personal data out of the territory of the European Union is permitted only if the destination country provides a level of protection that is considered as “adequate” by the EU Commission, that is, equivalent to the protection afforded within the EU, or if the controller or processor has provided appropriate safeguards so that data subjects may still be able to enforce their rights when their data is transferred.
It should be emphasized that accessing data remotely from abroad, irrespective of where the data is stored, is considered a transfer and therefore requires compliance with the GDPR's transfer rules.
In the absence of an adequacy decision, the appropriate safeguards that must be in place for a data controller or data processor in the third country to receive the data may include:
- a legally binding and enforceable instrument between public authorities or bodies;
- the data importer’s commitment to binding corporate rules applied within the group of enterprises to which both the data exporter and the data importer belong;
- joint subscription, with the data exporter, to standard data protection clauses adopted or approved by the Commission for this purpose;
- adherence to an approved code of conduct with binding and enforceable commitments; or
- certification through an EU approved mechanism.
Once such safeguards are in place, the concerned data may be transferred outside the EU without the need for an individual authorization, provided that enforceable data subject rights and effective legal remedies for data subjects remain available. As an alternative safeguard, the data exporter and data importer may agree on their own terms and conditions (rather than the EU standard clauses), but then the data transfer will be subject to prior authorization by the competent supervisory authority.
The requirement for an adequacy decision by the EU Commission or for individual commitments to safeguards by the data importer may be set aside where:
- the data subject has been informed of the possible risks of the transfer and expressly consents to such transfer,
- or where the transfer is necessary for the performance of a contract between the data controller and the data subject; or necessary for important reasons of public interest; or for the establishment, exercise or defence of legal claims; or for the protection of an individual’s vital interests, where the data subject cannot provide consent.
In addition, it should be noted that a data transfer required from the data importer by a judgment or an administrative decision issued in the third country will only be recognised or enforceable under EU law if it is based on an international agreement, such as a mutual legal assistance treaty.
The EU applies restrictions on the transfer of personal data overseas, grounded in Art. 44 et seqq. GDPR. These supplementary rules set higher requirements on the lawfulness of the transfer of personal data to a third country outside the EU or to international organisations. In addition to compliance with the general requirements of the GDPR, such a transfer may take place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. The European Commission thus distinguishes between third countries that offer an adequate level of protection comparable to that of the EU (a minority) and “unsafe” countries. For example, India, China and (absent Privacy Shield certification of the recipient) the United States are considered “unsafe” in the data protection context.
When there is no adequacy decision pursuant to Art. 45 GDPR, personal data may only be transferred to a recipient in that country if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available, pursuant to Art. 46(1) GDPR. In practice the most common measure is the implementation of the EU Standard Contractual Clauses (model clauses). Additionally, Binding Corporate Rules (BCR) play an important role in multinational companies. The EU and the USA have operated the so-called “EU-US Privacy Shield” since August 2016. It allows US companies that wish to receive data from the EU to self-certify with the US Department of Commerce, which maintains the Privacy Shield list, and thereby commit to comply with the fundamental principles of EU data protection law, with enforcement by the US Federal Trade Commission (FTC). The Privacy Shield replaced the so-called “Safe Harbor Framework”, which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). As many principles of Safe Harbor reappear in the Privacy Shield, some scholars are of the opinion that there is a risk that the Privacy Shield may also be successfully challenged in the European courts. That risk has since materialised: the Court of Justice invalidated the Privacy Shield adequacy decision in Schrems II (C-311/18) on 16 July 2020.
Yes. If any personal data collected will be transferred out of Singapore, the transferring organisation has to ensure that the recipient organisation overseas provides a standard of protection to the personal data transferred that is comparable to that under the PDPA. This may be achieved by either:
(a) entering into a legally binding agreement with the recipient;
(b) ensuring that the recipient is under binding corporate rules that prescribe a similar level of protection; or
(c) verifying that the applicable law, in the jurisdiction that the personal data will be transferred to, provides a level of protection that is comparable to the PDPA.
The Personal Data Protection Commission ("PDPC"), the statutory body responsible for the administration and enforcement of the PDPA, recommends that when entering into a legally binding agreement with the recipient, the transferring organisation should, as a minimum, ensure certain key PDPA principles are protected.
In addition, the organisation is required to seek the individual's consent to the transfer of the individual's personal data overseas and, prior to seeking that consent, the organisation is required to provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries will be protected to a standard comparable to the protection under the PDPA.
APP 8 regulates the disclosure of an individual's personal information overseas as opposed to the transfer of such information overseas. As a consequence, APP 8 applies to personal information held in Australia but accessed from overseas.
APP 8.1 provides that, subject to limited exceptions, an organisation must take reasonable steps to ensure the overseas recipient of personal information does not breach the APPs with respect to that information. If an organisation does disclose personal information to an overseas recipient and that recipient engages in conduct amounting to a breach of APP 8.1, section 16C of the Privacy Act 1988 (Cth) deems the disclosing organisation to have itself engaged in the conduct and breached the APPs. This leaves the disclosing organisation liable for an interference with privacy and subject to the penalties contained in the Privacy Act.
To avoid the APP 8.1 obligation and potential liability under section 16C, an organisation must obtain the informed consent of the affected individual(s) to the disclosure of their personal information overseas.
Where personal data may be transferred, there are no statutory restrictions on the transfer of such data overseas.
Under the APPI, personal data may not be transferred to a third party located outside of Japan without the prior consent of the relevant individual unless:
(i) the relevant third-party transferee is located in a foreign country that the Personal Information Protection Commission considers has the same level of protection of personal information as Japan (in July 2018, the EU and Japan reportedly agreed to a mutual adequacy arrangement, but at the time of writing, no country has officially been designated as such by the Commission);
(ii) the relevant third-party transferee has established a system to continuously ensure its undertaking of the same level of protective measures as personal data users would be required under the APPI; or
(iii) the transfer falls under an enumerated exception in the APPI.
Transfers of personal data to third countries, i.e. outside the European Economic Area (EEA), are regulated by chapter V of GDPR, which lays down the conditions that must be met in order to make such transfers admissible. These conditions can be divided into four ‘layers’.
Firstly, a transfer of personal data to a third country may take place based upon EU Commission decisions ascertaining an adequate level of protection in a given country in accordance with Art. 45 GDPR (adequacy decisions).
Secondly, such a transfer may take place based on one of the conditions enumerated in Art. 49 GDPR (the so-called derogations, e.g. the data subject’s explicit consent). If any one of the derogations applies, there is no need to ensure the appropriate safeguards set out in Art. 46 GDPR.
Thirdly, if none of the derogations applies, and if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, the transfer is admissible without ensuring the appropriate safeguards set out in Art. 46 GDPR provided that the controller:
- has assessed all the circumstances surrounding the data transfer and
- has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data;
- has informed the supervisory authority of the transfer;
- has informed the data subject of the transfer and on the compelling legitimate interests pursued.
Finally, in cases where the above ‘layers’ are not applicable, the transfer of personal data to a third country is admissible provided that the appropriate safeguards set out in Art. 46 GDPR are guaranteed, i.e.:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the Commission;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- an approved code of conduct;
- an approved certification mechanism;
- contractual clauses, subject to authorisation from the competent supervisory authority;
- provisions to be inserted into administrative arrangements between public authorities or bodies, subject to authorisation from the competent supervisory authority.