Are there restrictions on the transfer of personal data overseas?
Technology (3rd edition)
The Data Protection Law allows the transfer of personal data to third countries where either:
- The data subject has given his or her consent to the transfer.
- The transfer stems from the purposes of the processing or is necessary for the implementation of these purposes.
To transfer personal data to a third country, the permission of the PDPA is required. The PDPA will grant permission if it considers that the data transfer agreement ensures an adequate protection of personal data.
The PDPA's permission is not required if personal data is transferred to a country that ensures an adequate level of protection of personal data. An adequate level of protection is presumed where either:
- Personal data are transferred in compliance with international agreements.
- Personal data are transferred to a country included in a list officially published by the PDPA.
The Data Protection Law does not distinguish between transfers of data abroad within the same group of companies or to a third company. Therefore, the above rules apply in both scenarios.
Personal data held by state bodies can only be transferred to foreign state bodies under interstate agreements.
A data processor and an authorised person must enter into a data transfer agreement. Agreements for the transfer of data abroad must ensure an adequate level of protection of personal data.
A data transfer agreement between a processor and an authorised person must include the following information:
- Legal grounds and conditions for the processing.
- Purpose(s) of the processing.
- List of processed personal data.
- Data subjects concerned by the processing.
- Persons to whom personal data can be transferred.
- Technical and organisational measures for the protection of personal data.
- Any other necessary information.
A data transfer agreement is not sufficient to legitimise a transfer, unless the law allows the transfer without the data subject’s consent and the agreement provides an adequate level of protection.
When data is transferred to a country that does not ensure an adequate level of data protection, permission from the Personal Data Protection Agency is required for the transfer, based on an analysis of the data transfer agreement.
The current legislation contains no provisions or mandate to the effect that physical or legal entities shall maintain a local file for the storage of personal data under their responsibility. However, repeated reference is made to the safekeeping and confidentiality obligations that must be observed whenever such information is handled. Data storage services and data centers are generally available and/or operating in the country, and most of them offer storage and data recovery services in different jurisdictions without any penalties.
There is no explicit statutory provision prohibiting the transfer of data of an Egyptian company out of Egypt. Having said that, the Data Protection Law Draft includes provisions restricting the transfer of personal data overseas and requiring the relevant competent authority’s approval to be obtained before undertaking any transfer of personal data to any foreign state.
On a related front, please note that, as a general practical rule, the relevant person’s prior written consent to the storage of data abroad must be obtained. This is particularly important in the case of Government-affiliated customers or in the case of storing data regarding public utilities, given that it seems that this service is intended to also be offered and provided in respect of public utilities.
When transferring personal data outside the European Economic Area (the EEA), the rules specified in the GDPR must be followed. As a general rule, it is permitted to transfer personal data outside of the EEA only to countries regarding which the European Commission has made a so-called “adequacy decision”, which means that the level of personal data protection in that country is sufficient.
If a data controller wants to transfer personal data to a country about which no adequacy decision has been made, then the rules stipulated in articles 46-49 of the GDPR must be followed. Personal data can be transferred to a third country only based on the data subject’s consent, if binding corporate rules are used, if a contract containing standard contractual clauses is entered into between the data controller and the recipient, or on some other legal basis stipulated in articles 46-49.
The transfer of personal data out of the territory of the European Union is permitted only if the destination country provides a level of protection that is considered as “adequate” by the EU Commission, that is, equivalent to the protection afforded within the EU, or if the controller or processor has provided appropriate safeguards so that data subjects may still be able to enforce their rights when their data is exported.
It should be emphasized that remotely accessing data from any location abroad, irrespective of where the data is stored, is considered a transfer to that location and, therefore, requires compliance with the GDPR.
In the absence of an EU decision recognizing the country of destination as adequate, the appropriate safeguards which the data controller or data processor in the third country must provide may consist of:
- a joint commitment, with the data exporter, to comply with the standard data protection clauses adopted or approved by the EU Commission for this purpose;
- the data importer’s commitment to binding corporate rules applied within the group of companies to which it belongs, if the data exporter is an affiliate of the same group;
- a legally binding and enforceable instrument, if the parties are government bodies;
- adherence to a code of conduct approved by the CNIL and entailing binding and enforceable commitments; or
- compliance with an approved certification mechanism.
Once such safeguards are in place, the concerned data may be transferred outside the EU without the need for an individual authorization, provided that enforceable data subject rights and effective legal remedies for data subjects remain available. As an alternative safeguard, the data exporter and data importer may agree on their own terms and conditions (rather than the EU standard clauses), but then the data transfer will be subject to prior authorization by the competent national regulatory authority.
It should be noted that a data transfer required from the data importer by a judgment or an administrative decision issued in the third country will only be recognised or enforceable under EU law if it is based on an international agreement, such as a mutual legal assistance treaty. In light of applicable sanctions, such requirement may work as a deterrent to providing personal data to foreign governments acting outside the control of a judge (such as under a proposal for a deferred prosecution agreement in the US).
Under the PRC Cybersecurity Law, aside from the requirement applicable to all operators to obtain consent from data subjects, a ‘critical information infrastructure operator’ (CIIO, i.e., in essence, an entity involved in important industries or undertakings with the potential to seriously impair national security, the national economy, people’s livelihoods or other public interests) is also subject to certain ‘security assessment’ procedures before transferring data with personal information (or other important data) overseas. While there are no currently binding rules establishing the specifics of such security assessments, draft regulations detail a multi-part security assessment procedure and set out additional obligations, including the need for certain contractual arrangements with the recipients of such data transfers.
The transfer outside of Israel of personal data from a database in Israel is regulated by the Protection of Privacy Regulations (The Transfer of Data to a Database outside the State Borders), 2001 (the 'Transfer Regulations').
The Transfer Regulations prohibit the transfer of personal data from a database in Israel to a database located abroad, unless the receiving country in question ensures a level of protection of data which is not lower than the level of protection provided for under Israeli law. The Transfer Regulations lay down a number of principles that should be reviewed in order to determine whether or not a country provides an adequate level of protection which enables the transfer of data abroad, including principles which relate to the collection and the processing of the data, the possession, use and the transfer of the data, the reliability and up-to-dateness of the data, the grant of the right to view the data and amend it, as well as the obligation to take appropriate security measures in order to protect the data.
Notwithstanding the above, the Transfer Regulations lay down several conditions which enable the transfer of data from a database in Israel to a database abroad, even when the law of the country in which the data is received provides a level of protection which falls below that which is provided for under Israeli law. Upon the fulfilment of any one of the following, the transfer of data, as aforementioned, shall be permitted:
(1) the receipt of consent to the transfer of the data from the person who is the subject of the data;
(2) it is not possible to receive the consent of the person who is the subject of the data and the transfer of the data is vital for the protection of his/her health or bodily well-being;
(3) the data is being transferred to a corporation under the control (i.e. the ability to direct the activities of an entity) of the owner of the Israeli database and it has ensured the protection of privacy following the transfer;
(4) the data is being transferred to someone who has undertaken in an agreement, with the owner of the Israeli database, to fulfil the conditions laid down in Israel for the maintenance and use of the data;
(5) the data has been published or opened up to the public by an authority under law;
(6) the transfer of the data is necessary for the protection of public welfare or security;
(7) the transfer of data is obligatory under Israeli law; and
(8) the data is being transferred to a database in a country that either: (a) is a party to the European Convention for the Protection of the Individual with regard to Automatic Processing of Personal Information; (b) receives data from member states in the European Union, under the same conditions of receipt; and (c) the Registrar has notified with respect to such country, in a notification which has been published in the Official Gazette, that there exists in such country a designated authority to protect privacy, after it has reached an arrangement for cooperation with such authority (no such notification has been published to date).
In addition to the fulfilment of the above conditions, under the Transfer Regulations, the owner of the database must ensure (by way of a written obligation from the recipient of the data), that the recipient is taking steps to ensure the privacy of the person to whom the data relates, and that the recipient undertakes that the data shall not be transferred to any person other than himself/herself, whether such person be in the same country or not.
The GDPR - under Section 44 and following - provides for specific restrictions on the transfer of personal data overseas, i.e. to a country outside the European Union or to an international organization.
Said transfer is generally allowed only if: (a) there is an adequacy decision issued by the European Commission, confirming that the relevant third country offers an adequate level of protection, (b) the controller or processor has provided appropriate safeguards for the transfer, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available, (c) derogations for specific situations are applicable (such as, for example, the explicit consent of the data subject, the transfer is necessary for the performance of a contract or for the establishment, exercise or defense of legal claims).
Under certain conditions, the transfer of personal data outside the European Union in violation of said conditions could be punished as a crime, pursuant to Section 167 of the Privacy Code.
Under the APPI, personal data may not be transferred to a third party located outside of Japan without the prior consent of the relevant individual unless:
- the relevant third-party transferee is located in a foreign country that the Commission considers has the same level of protection of personal information as Japan (only the 31 member countries of the EEA are officially designated as such by the Commission based on the framework for the mutual and smooth transfer of personal data between Japan and the EU that was implemented on January 23, 2019);
- the relevant third-party transferee has established a system to continuously ensure its undertaking of the same level of protective measures as personal data users would be required under the APPI; or
- the transfer falls under an enumerated exception in the APPI.
A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless specified by the Minister, upon the recommendation of MCMC, or by notification published in the Gazette.
Notwithstanding the above, a data user may transfer personal data out of Malaysia in the following circumstances:
(a) “the data subject has given his consent to the transfer;
(b) the transfer is necessary for the performance of a contract between the data subject and the data user;
(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which:
(i) is entered into at the request of the data subject; or
(ii) is in the interests of the data subject;
(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
(e) the data user has reasonable grounds for believing that in all circumstances of the case—
(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the data subject would have given his consent;
(f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;
(g) the transfer is necessary in order to protect the vital interests of the data subject; or
(h) the transfer is necessary as being in the public interest in circumstances as determined by the Minister.”
Yes. A transfer of personal data to a country outside the EEA that does not provide for an adequate level of protection may only take place if additional requirements have been met. For example, a data transfer agreement based on EC Model Clauses or other additional safeguards may be necessary.
The Privacy Commissioner may prohibit a transfer of personal information from New Zealand to another state if the Commissioner is satisfied, on reasonable grounds, that the information has been, or will be, received in New Zealand from another state and is likely to be transferred to a third state where it will not be subject to a law providing comparable safeguards to the Privacy Act, and the transfer would be likely to lead to a contravention of the relevant OECD Guidelines.
The Privacy Bill, once enacted, will further restrict international transfers of personal information, such that international transfers shall only be permitted in circumstances where the agency is satisfied that either the destination jurisdiction has similar levels of protection for that personal information as New Zealand, or that the individual concerned has otherwise consented to the export after being informed that their personal information may not be as strongly protected as it would be under New Zealand law. The export of data to cloud service providers is expressly excluded from this clause of the Privacy Bill.
The EU applies restrictions on the transfer of personal data overseas. These are grounded in Art. 44 et seqq. GDPR. These supplementary rules set higher requirements on the lawfulness of the transfer of personal data to a third country outside of the EU or to international organisations. In addition to compliance with the general requirements of the GDPR, a transfer of data in this sense may take place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. The European Commission distinguishes between third countries that offer an adequate level of protection comparable to the EU (which are the minority) and “unsafe” countries. For example, India, China and the United States are considered “unsafe” in the data protection context.
When there is no adequacy decision pursuant to Art. 45 GDPR, personal data may only be transferred to a recipient in that country if the controller or processor in such a country has provided appropriate safeguards, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available pursuant to Art. 46 (1) GDPR. In practice the most common measure is the implementation of the EU model clauses. Additionally, Binding Corporate Rules (BCR) play an important role in multi-national companies. The EU and the USA have had the so-called “EU-US Privacy Shield” in place since August 2016. It provides an opportunity for US companies which would like to receive data from the EU to register in a list of the US Federal Trade Commission (FTC) and thereby commit to comply with the fundamental principles of EU data protection laws. The Privacy Shield replaced the so-called “Safe Harbor Framework”, which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). As many principles of Safe Harbor are again found in the Privacy Shield, some scholars are of the opinion that there is a risk that the Privacy Shield, too, may be successfully challenged in the European Courts.
There is no restriction on transferring personal data from Indonesia abroad. However, Article 22 (1) of MCI 20/2016 requires any transfer of personal data outside Indonesia made by a government and/or regional government institution, citizen and/or private entity having its domicile in Indonesia to undergo a coordination process with the MCI. This coordination process is conducted by:
a. submitting a personal data transfer implementation plan;
b. filing a report on the implementation of the personal data transfer plan with the MCI; and
c. requesting advocacy (only if necessary).
Subject to our responses to item 9 above, the restriction in terms of transfer of data overseas currently only applies to licensees of PTA, where such a licensee is required to take reasonable measures to prevent information about its subscribers from being disclosed to third parties, including the licensee’s own subsidiaries, affiliates and associated companies.
Additionally, there is draft data protection legislation which is in the process of being promulgated; once it is promulgated, it will impose obligations on data controllers to the effect that personal data shall not be allowed to be transferred to any unauthorized person or system; provided that if personal data is required to be transferred to any system located beyond the territories of Pakistan or to a system that is not under the direct control of any of the governments in Pakistan, it shall be ensured that the country where the data is being transferred offers personal data protection equivalent to the protection provided under the Pakistani legislation, and the data so transferred shall be processed in accordance with the data protection legislation and, where applicable, the consent given by the data subject. However, since the law has not yet been promulgated, the requirements thereunder are not yet applicable.
The transfer of personal data abroad is subject to the provisions of GDPR, no national regulations being enacted in this respect.
Under the PIPA, personal data may not be transferred to a third party located overseas without notifying the data subject of certain information required by law and obtaining the data subject’s consent. Also, no cross-border data transfer agreement may include provisions that violate the PIPA.
Under the Network Act, when acquiring a data subject’s (i.e., user’s) consent for the transfer of personal data overseas, the data subject must first be notified of the following matters: (i) items of personal information to be transferred, (ii) countries to which the personal information will be transferred, along with the date, time, and method of transfer, (iii) name(s) of the third-party recipients and the contact information of each recipient’s privacy officer, and (iv) the third-party recipient’s purpose of use of the personal information and retention/use period. However, consent is not required if the overseas transfer is necessary to perform a contract entered into with the user for the provision of information and communications service and to promote the user’s convenience.
- The EU Commission has decided that the country in which the company importing the data is located offers an adequate level of data protection. Currently the EU Commission has stated that the following countries provide such an adequate level: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework); or
- The data controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In practice this means that where the data exporter and the data importer adopt contractual safeguards (such as entering into the Standard Contractual Clauses published by the EU Commission or Binding Corporate Rules), the transfer of personal data will be deemed lawful; or
- One of the derogations foreseen by Article 49 of the GDPR applies to the transfer. These include the consent of the affected individuals, the need to ensure the adequate enactment of a contract with the data subject, the need to establish, exercise or defend legal claims, or the need to protect a vital interest of a data subject.
There are no restrictions regarding transfer of data between states in the EEA.
The GDPR stipulates when transfers of personal data to an area outside of the EEA are allowed. In short, transfers are permitted when:
- there is a decision from the Commission stating that a third-party state ensures an adequate level of protection for personal data;
- the data controller has made suitable protection measures, such as Binding Corporate Rules or Standard Contractual Clauses;
- special situations and single cases require it, such as when the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject's request; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person; or the transfer is necessary for important reasons of public interest.
International transfer of personal data is in general permitted under the PDPA. Meanwhile, the PDPA authorizes central competent authorities to impose restrictions on cross-border transfer of personal data if:
- the transfer would prejudice any material national interest;
- the transfer is prohibited or restricted under an international treaty or agreement;
- the country to which the personal data are to be transferred does not afford sound legal protection of personal data, thereby affecting the interests of the data subjects; or
- the purpose of the transfer is to evade the restrictions under the PDPA.
On September 25, 2012, the National Communications Commission (NCC) issued a blanket order prohibiting communications enterprises from transferring subscribers’ personal data to Mainland China on the grounds that data protection laws in Mainland China are still inadequate.
Yes. In principle, personal data may be transferred abroad upon explicit consent of the data subject. Personal data can be transferred abroad without the explicit consent of the data subject only if one of the conditions set out under paragraph two of Article 5 and paragraph three of Article 6 is met, provided that the country to which the personal data will be transferred provides an adequate level of protection. If the protection is not adequate in such a country, then the data controllers in Turkey and in that country can provide a written undertaking warranting an adequate level of protection, which should be approved by the Data Protection Board. The Board determines the countries where there is an adequate level of protection and announces them.
Under the GDPR, personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. The main two situations in which it is permissible for personal data to be transferred outside of the EU are:
- transfers on the basis of an adequacy decision - i.e. where the Commission has decided that a third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation (on exit date the UK will be a third country outside the EEA); and
- transfers subject to appropriate safeguards - i.e. if the Commission has not made a relevant adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards to include are set out in Article 46(2) of the GDPR.
Where personal data may be transferred, there are no statutory restrictions on the transfer of such data overseas.
APP 8 regulates the disclosure of an individual's personal information overseas as opposed to the transfer of such information overseas. As a consequence, APP 8 applies to personal information held in Australia but accessed from overseas.
APP 8.1 provides that, subject to limited exceptions, an organisation must take reasonable steps to ensure the overseas recipient of personal information does not breach the APPs with respect to that information. If an organisation does disclose personal information to an overseas recipient and that recipient engages in conduct amounting to a breach of APP 8.1, section 16C of the Privacy Act 1988 (Cth) deems the disclosing organisation to have itself engaged in the conduct and breached the APPs. This leaves the disclosing organisation liable for an interference with privacy and subject to the penalties contained in the Privacy Act.
To avoid the APP 8.1 obligation and potential liability as a consequence of section 16C, an organisation must obtain informed consent to the disclosure of their personal information overseas from the affected individual(s).