Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
Data Protection & Cyber Security
Russian law does not prohibit cross-border (international) transfer of PII. The key requirements for international data transfers are (i) conclusion of a data processing agreement and (ii) ensuring a legal ground for the transfer.
Legal grounds for the international transfer depend on the country where the data recipient is located. In this regard, there are jurisdictions providing an adequate level of data protection and those that fail to provide that level.
“Adequate” jurisdictions are:
- States - parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) – e.g., European Union members; and
- Countries considered adequate by Roskomnadzor (e.g. Australia, Israel, Canada, New Zealand, Republic of Korea, Kazakhstan, Singapore, Chile, Japan etc.).
Where PII is transferred to “adequate” jurisdictions, the general list of legal grounds applies. If the jurisdiction is not adequate, the legal grounds enabling transfer are quite limited (e.g. the data subject's written consent, which must meet a number of requirements as to its form and content, or performance of a contract to which the data subject is a party).
Under the Data Protection Law, the transfer of personal data to countries or to international organizations which do not grant an appropriate level of protection according to the Data Protection Authority’s criteria is forbidden. However, the transfer of personal data to non-adequate countries is permitted when: (i) the data subject consents to the transfer or (ii) an adequate level of protection arises from (a) contractual clauses (international data transfer agreements) or (b) systems of self-regulation (such as binding corporate rules).
Rule Number 60 - E/2016, issued by the Data Protection Authority, establishes that personal data can be transferred with no further safeguards to member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only the private sector), New Zealand, Andorra, and Uruguay. Moreover, very recently Resolution Number 34/2019 included the U.K. and Northern Ireland in the white list of adequate jurisdictions for the transfer of personal data.
Furthermore, Rule Number 60 - E/2016 approved two sets of standard model clauses for data transfer agreements. In the event that parties choose not to use these models and sign a data transfer agreement that does not reflect the principles, safeguards, and content contained in the model clauses, their agreement will need to be submitted to the Data Protection Authority for approval within 30 days of its execution.
Additionally, Resolution Number 159/2018 approved a set of guidelines for binding corporate rules as a self-regulating mechanism available for multinational companies to legitimize international data transfers within their group.
The LGPD regulates the transfer of data outside the jurisdiction. International transfer of personal data is only allowed in the following cases:
- To countries or international organizations that provide a level of protection of personal data that is adequate to the provisions of the LGPD;
- When the controller offers and proves guarantee of compliance with the principles, rights of the data subject and the regime of data protection established in the LGPD, in the form of:
a) Specific contractual clauses for a given transfer;
b) Standard contractual clauses;
c) Global corporate rules;
d) Regularly issued stamps, certificates and codes of conduct;
- When the transfer is necessary for international legal cooperation between public intelligence and investigation bodies, in accordance with instruments of international law;
- When the transfer is necessary for the protection of the data subject's or a third party's life or physical safety;
- When the National authority authorizes the transfer;
- When the transfer is the result of a commitment assumed in an international cooperation agreement;
- When the transfer is necessary for the execution of a public policy or legal attribution of a public service;
- When the data subject has provided specific and highlighted consent for international data transfer, with prior information about the international nature of the operation, with this information being clearly distinct from other purposes;
- For compliance with legal or regulatory obligation by the controller, when necessary for the performance of a contract or preliminary proceedings related to a contract to which the data subject is a party, at the request of the data subject and for the regular exercise of rights in judicial, administrative or arbitral procedures.
The general requirements with regard to transfers of personal data according to the GDPR apply. The free movement of personal data within the EU is neither restricted nor prohibited (Article 1, para. 3 GDPR).
The GDPR restricts transfers of personal data outside the EU. It allows for transfers outside the EU to third countries or international organisations in compliance with certain conditions set out in Articles 44 to 50. These conditions allow for transfers:
- On the basis of an EU adequacy decision (Article 45 GDPR)
- Subject to appropriate safeguards (Article 46, GDPR)
- Under binding corporate rules (Article 47 GDPR)
- Under approved codes of conduct and certification mechanisms (Article 40 GDPR)
- If based on an international agreement, such as a mutual legal assistance treaty (Article 48 GDPR)
- Under a specific derogation (Article 49 GDPR), such as:
  - transfers due to important reasons of public interest;
  - transfers qualified as not repetitive and that only concern a limited number of data subjects;
  - transfers necessary for the establishment, exercise, or defence of legal claims;
  - non-repetitive transfers involving personal data related to only a limited number of data subjects;
- Under international cooperation mechanisms (Article 50 GDPR).
No additional national rules have been adopted with regard to transfers of personal data outside Bulgaria. Cross-border transfers of PII do not require notification to or authorization from the CPDP.
Currently, the most commonly used instrument/safeguard for lawfully transferring personal data outside the EU is the EU standard data protection clauses (Art. 46, para. 2, item ‘c’ GDPR). However, which instrument is the most appropriate one really depends on the specific data transfer.
Data transfers abroad are governed by art. 6 FADP. The mechanism is identical to the one in the GDPR:
- Data transfers to countries with adequate data protection laws in place are permitted without further safeguards (art. 6 para. 1 FADP). The FDPIC has published a country list.
- For data transfers to countries without adequate data protection laws, additional safeguards are required. Art. 6 para. 2 FADP contains a list of accepted safeguards. As obtaining consent from all data subjects is often not a viable option, the most common safeguards are either contractual safeguards accepted by the FDPIC – currently the FDPIC accepts its own template outsourcing agreement or the EU standard clauses – or binding corporate rules.
- Where companies use contractual safeguards or binding corporate rules, they must inform the FDPIC about that use. In the case of the FDPIC's template outsourcing agreement or the EU standard clauses, the companies must only inform the FDPIC once that they use them for any data transfer abroad. However, the respective templates must be used without any modifications. In all other cases, copies of the contracts must be sent to the FDPIC for review.
Transfers of personal data to third countries or international organizations are restricted and they shall take place only if they are subject to the conditions laid down in chapter 5 of the GDPR which grant a sufficient level of protection of natural persons affected by the processing.
A transfer of personal data to third countries or international organizations will only be acceptable if a) the Commission has decided that the third country or territory ensures an adequate level of protection; or b) in the absence of a decision on adequacy, appropriate safeguards are provided by the controller or processor. These safeguards may be, without requiring any specific authorization from a supervisory authority: legally binding and enforceable instruments between public authorities or bodies, binding corporate rules for company groups, standard data protection clauses adopted or approved by the Commission, approved codes of conduct together with binding and enforceable commitments, and certification mechanisms also together with binding and enforceable commitments, the latter two pursuant to articles 40 and 42 GDPR. On the other hand, the parties can also sign contractual clauses or, if applicable, provisions to be inserted into administrative arrangements, although these will be subject to authorization from the competent supervisory authority.
Currently, the Data Privacy Act does not contain a specific provision in this respect. However, any use of the data will require the consent/authorization of the holder/subject of the personal data, unless it falls under the exceptions mentioned in this document (transfer is a kind of personal data processing; therefore, all the data privacy rules apply, including the consent requirements).
According to European data protection law, there is no adequate level of data protection in countries outside the EU. In the opinion of the EU, the legal systems of these countries cannot adequately guarantee the protection of personal data. For this reason, Artt. 44 et seq. GDPR restricts international data transfers. Personal data may only be transferred to so-called "third countries" if
- An adequate level of data protection is ensured in the receiving State. The European Commission may take a decision to determine that a given country, but also an economic sector or an area outside the EU, ensures a high and therefore "adequate level of data protection". At present, however, the list of countries for which the Commission has adopted adequacy decisions is manageable: Andorra, Argentina, Canada (private entities only), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay. For the USA, there is only a sector-specific adequacy decision by the Commission: personal data may only be transferred without further restrictions to US companies certified under the EU-U.S. Privacy Shield program.
- the data importer establishes an adequate level of data protection through appropriate safeguards. The main alternative means of transmission are
- Standard contractual clauses: These are data protection contracts provided for by the Commission and concluded between the data receiving and transmitting unit.
- Binding corporate rules: Companies can also set their own internal rules for the cross-border transfer of personal data within the group and have them approved by the competent supervisory authority.
- Code of conduct: Business associations now have the opportunity to draw up data protection codes of conduct for their sectors which will have to be approved by the respective supervisory authority.
- Approved certifications: In the future, companies will also be able to prove compliance with the GDPR by means of an officially recognized "data protection certification".
- Additionally, the GDPR, like previous data protection law, allows exceptions for the transfer of personal data to companies in third countries for which there is neither an adequacy decision by the Commission nor the above-mentioned alternative instruments. The list of existing exceptions is broad, but their application is subject to strict conditions. However, such data transfers require the upfront approval of the respective supervisory authority.
Transfer of PII outside India is not restricted. The Privacy Rules permit transfer of PII and sensitive PII by a transferor to a transferee, irrespective of whether such transferee is located within or outside India.
Such transfer is subject to the following conditions:
(a) the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules; and
(b) the Data Subject consents to such transfer or the transfer is necessary for performance of a lawful contract between the transferor and the Data Subject.
There is no requirement to notify or seek authorisation from a regulator before transfer of PII or sensitive PII outside India.
Sector Specific Issues
Further to a directive issued by the Reserve Bank of India on April 6, 2018, payment system providers (such as banks, non-bank licensees which operate payment systems, card networks such as Visa, Mastercard, etc.) and payment intermediaries operating in the payments sector in India were mandated to comply with data localization norms. The directive requires all data (i.e. end-to-end transaction details) relating to payment systems to be stored in India. Only the foreign leg of a payment transaction is permitted to be stored outside India.43
The Privacy Bill proposes incremental requirements for cross-border transfer of PD and SPD, such as:
(a) The transfer will be made in accordance with model contract clauses or intra-group schemes to be approved by the Authority, unless some country-specific relaxation has been given by the Authority;
(b) A copy of such transferred PD should be stored by the data fiduciary in a server or data centre located in India; and
(c) 'Critical personal data' (which would be a sub-category of PD, to be notified by the Central Government) will be processed in a server or data centre located in India only.
Draft E-Commerce Policy
Lastly, under the Draft National eCommerce Policy ("Draft E-Commerce Policy"),44 the Department of Promotion of Industry and Internal Trade has proposed restrictions on cross-border transfer, storage and use of Indian user data generated from social media, search engines, etc.45
43 - There was a lot of resistance from the industry & industry bodies in terms of difficulty in implementing such segregation, costs involved etc. However, the Reserve Bank of India has still gone ahead and implemented the directive.
44 - The Department of Promotion of Industry and Internal Trade formulated the Draft E-Commerce Policy and had invited comments from stakeholders on the same.
45 - The Draft E-Commerce Policy is also at a draft stage and has been subject matter of significant debate.
According to Article 37 of the CSL, CIIOs shall store personal information and important data gathered and produced during operations within the territory of the People's Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council.
As for network operators, the authorities only released the draft versions of the applicable regulations related to cross-border data transfer. Under the applicable draft, when a network operator provides overseas parties with personal information and important data gathered and produced during operations within the territory of the People's Republic of China, a security assessment shall be conducted43 and personal information subjects shall be notified regarding the purpose, scope, type and the country or region in which the recipient is located and shall consent to the transfer with limited exceptions.44 A growing number of entities have consulted, and some have started preparing for conducting the security assessment.
43 - Measures on Security Assessment for Cross-border Transfer of Personal Information and Important Data (Draft for Comments) (《个人信息和重要数据出境安全评估办法（征求意见稿）》). § 2.
44 - Measures on Security Assessment for Cross-border Transfer of Personal Information and Important Data (Draft for Comments). § 4.
Under MCI Regulation 20/2016, there is no restriction on cross-border transfer of Personal Data, but there are certain compliance requirements that need to be fulfilled, which are:
(i) submission of a notification regarding the intended transfer of Personal Data abroad, which at least contains the name of the country of destination, the name of the recipient, the date of transfer, and the purpose of transfer;
(ii) requesting advocacy, if required; and
(iii) submission of a report regarding the result of the cross-border transfer.
Nevertheless, there is a lack of supervision from the MCI in the implementation of the above compliance requirements.
Specifically, for ESOs for Public Services, GR 82/2012 requires them to place their data center within the territory of the Republic of Indonesia. By this provision, an ESO for Public Services that manages Personal Data may be prohibited from transferring the Personal Data to any party located in other countries for storage purposes. In practice, it is common for private business entities that are considered ESOs for Public Services to outmaneuver this requirement by taking a practical approach to the arrangement of storage locations.
Under article 13 of the GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
However, transfer of PII to a third country (outside the EEA) or to an international organization shall only take place if the same level of protection of the data subjects guaranteed by the GDPR is ensured by an adequacy decision of the European Commission or the adoption of appropriate safeguards.
To date, the European Commission has issued several adequacy decisions attesting that the following third countries ensure an adequate level of protection: Switzerland, Canada, Argentina, Guernsey, Jersey, Isle of Man, Faroe Islands, Andorra, Israel, Uruguay, New Zealand, the United States for organizations that are certified under the Privacy Shield Framework, and Japan. Transfers made under these adequacy decisions do not require any specific authorization.
In the absence of an adequacy decision, transferring personal data to a third country or an international organization shall only take place if the controller or the processor relies on one of the following safeguards:
a) Legally binding and enforceable instrument between public authorities or bodies;
b) Binding corporate rules approved by the competent Supervisory Authority;
c) Standard data protection clauses (Controller-to-Controller or Controller-to-Processor) adopted by the European Commission;
d) Standard data protection clauses adopted by the CNPD and approved by the European Commission;
e) An approved code of conduct;
f) An approved certification mechanism.
Furthermore, article 49 of the GDPR also foresees derogations for specific situations, in the absence of an adequacy decision or of the above appropriate safeguards, allowing transfers to a third country or an international organisation in the following cases:
a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
d) the transfer is necessary for important reasons of public interest;
e) the transfer is necessary for the establishment, exercise or defence of legal claims;
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
g) the transfer is made from a register which according to the applicable law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by law for consultation are fulfilled in the particular case.
Finally, if none of the above can apply, a transfer to a third country or an international organisation may take place only if the transfer (i) is not repetitive, (ii) concerns only a limited number of data subjects, (iii) is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and (iv) the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. However, the controller is required to inform the supervisory authority of the transfer.
Transfers of personal data to countries outside the EEA are restricted. These restrictions apply to all transfers, no matter the size of transfer or how often they are carried out.
To enable a restricted transfer to take place a business must identify if the transfer is to a country which is covered by an EU Commission “adequacy decision”. Details of such countries can be found on the Information Commissioner's Office's website at www.ico.org.uk. If there is no adequacy decision then the business must put in place an appropriate safeguard to enable the transfer to take place. Most businesses use the EU Commission model contracts however there are other mechanisms such as binding corporate rules for internal group transfers that can be used.
In the absence of a EU Commission adequacy decision, or of appropriate safeguards, a transfer shall only take place if one of the specific derogations/conditions apply such as the data subject has given their explicit consent, the transfer is necessary for performance of a contract, or for important reasons of public interest or the establishment, exercise or defence of legal claims or necessary to protect the vital interests of the data subject or another where the data subject is physically or legally unable to give consent.
It is also still possible to rely on Privacy Shield for transfers to the USA, subject to any potential future case-law challenges.
A controller should consider the impact that Brexit will have on its processing arrangements. In particular, flows of data from the EU to the UK should be assessed and a decision made as to whether adequate safeguards need to be put in place post Brexit. In relation to transfers from the UK to the EU, the UK government has stated that these transfers can continue as there will be a transitional provision for a UK adequacy decision in respect of the EU countries. Thought should also be given as to the data protection regime that will apply to a controller with European operations post Brexit, as it will be subject to both the UK and European data protection regimes.
Yes, the transfer of personal data outside the EU and European Economic Area (EEA) is restricted. Such transfer is only permitted if:
- There is a decision from the European Commission that, for example, a certain country outside the EU/EEA ensures an adequate level of protection;
- Appropriate protection measures have been taken, for example Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC); or
- Special situations and single cases.
Among the countries that, according to the European Commission, have an adequate level of protection, the European Commission has also assessed that the level of protection is adequate in the US if the recipient has joined the so-called Privacy Shield Network. This is however currently being tried by the European Court of Justice.
There are no requirements to notify or obtain consent for the cross-border transfer from the Swedish Data Protection Authority.
Transfers to third countries can take place if there is a Commission Adequacy Decision or other appropriate safeguards such as BCRs, standard contractual clauses duly adopted and approved, legally binding and enforceable instruments between authorities or bodies, approved code of conducts or certification mechanisms. In the absence of an adequacy decision or of appropriate safeguards, derogations can be used to frame the data transfers as below mentioned:
- consent of the data subject,
- performance of a contract, with further nuances in this respect,
- the transfer is necessary for important reasons of public interest,
- the transfer is necessary for the establishment, exercise or defence of legal claims,
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. As an exception to the previously mentioned derogations, compelling legitimate interests are also foreseen in cases where the transfer is not repetitive and concerns a limited number of data subjects.
Under the GDPR, the HDPA has clarified that the issuance of a national license is not required when transfers are governed by Commission Adequacy Decisions or by the appropriate safeguards mentioned above, unless they are ad hoc contractual clauses between data importers and data exporters, or they concern administrative provisions between public authorities, also including enforceable and substantial rights of the data subjects, such as a Memorandum of Understanding. In the latter case, a license is required, since administrative arrangements of such kind are not legally binding. Furthermore, for BCRs, since they are now approved under the cooperation mechanism at the European level in accordance with the GDPR provisions, a national license is not required. The HDPA has also specified that the derogations stipulated in the GDPR as a tool to govern international transfers should be interpreted strictly, without the requirement of issuing a license in this respect. However, if the transfer is based on the compelling legitimate interests of the data controller, provided that all conditions foreseen in this respect are fulfilled, the HDPA should be informed of the transfer and extra information should be provided to the data subject in this respect. Finally, the HDPA has specified that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer.
Under the previous regime, a notification of transfers based on a Commission Adequacy Decision or Standard Contractual Clauses had to be made to the HDPA, and for BCRs a national license was required to be issued. In legal practice, the most common tool to address intragroup data transfers across the world is BCRs. Where transfers take place in a more limited way, standard contractual clauses are also used in their current form, without prejudice to any future update to which they may be subject.
Article 9 of the Law No. 6698 prescribes principles and procedures in relation with cross-border personal data transfers.
In this regard, Article 9(1) of the Law No. 6698, introduces a general rule which restricts the cross-border transfer of personal data without obtaining the explicit consent of the data subject. Article 9(2), on the other hand, further provides for a derogation from the said general rule in the following circumstances:
- In the event that (i) the conditions specified under Article 5 and Article 6 of the Law No. 6698 are deemed applicable, and (ii) the recipient country ensures an adequate level of personal data protection, the related transfer operation is permitted to be performed.
- In the absence of an adequate level of personal data protection within the recipient country, the related transfer operation shall be permitted provided that (i) the data controllers in Turkey and in the recipient country undertake in writing to ensure an adequate level of protection, and (ii) the approval of the Board is obtained.
As of April 2019, the Board has not yet published the list of “secure countries” and currently all third countries are considered as unable to provide an adequate level of personal data protection. Thus, only the explicit consent of the data subject and the written undertaking and Board approval procedure options are left for lawfully transferring personal data from Turkey to abroad.
The transmission of personal data within the European Economic Area ("EEA") is not subject to any restrictions and is therefore unregulated.
A data transfer outside the EEA is only permitted if the requirements of art. 44 et seq. GDPR are met. As far as possible, enterprises will use the EU standard contractual clauses in such cases.
Transfers of personal data to countries outside the EEA are restricted. These restrictions apply to all transfers, no matter the size of transfers or how often they are carried out.
To enable a restricted transfer to take place, a business must identify if the transfer is to a country which is covered by an EU Commission 'adequacy decision'.
Details of such countries can be found on the CNIL's website or on the EU Commission's website.
If there is no adequacy decision then the business must put in place an appropriate safeguard to enable the transfer to take place. Most businesses use the EU Commission model contracts; however, there are other mechanisms such as binding corporate rules for internal group transfers that can be used. More details on what can be regarded as appropriate safeguards are provided for by Articles 46 and 47 of the GDPR.
In the absence of a EU Commission adequacy decision, or of appropriate safeguards, a transfer shall only take place if one of the specific derogations/conditions apply such as the data subject has given their explicit consent, the transfer is necessary for performance of a contract, or for important reasons of public interest or the establishment, exercise or defence of legal claims or necessity to protect the vital interests of the data subject or another where the data subject is physically or legally unable to give consent. The full derogations are listed in Article 49 of the GDPR.
It is also still possible to rely on Privacy Shield for transfers to the USA, subject to any potential future case-law challenges.
In view of Brexit, flows of personal data from the EU to the UK could be impacted. See the United Kingdom section for more on that.