This briefing is a part of a Walkers series on the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL"), and deals with the transfer of personal data outside Guernsey. A "data transfer" occurs when an individual's personal data is sent outside of Guernsey. International data transfer is a complex field of data protection and this briefing will only provide a brief overview of the key elements.
A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects is available here.
Are international data transfers permitted under the DPL?
Whether an international data transfer is permitted under the DPL depends on whether the transfer is to a Member State of the European Union (the "EU"), to a member of the European Economic Area ("EEA") or to an adequate jurisdiction, or whether the transfer is being made on the basis of available safeguards or is authorised by the ODPA.
Guernsey is one of several jurisdictions which have a European Commission "adequacy" decision. An "adequacy" decision from the European Commission (the "EC") is a green light for all transfers of data between any adequate jurisdiction and the EEA, as well as to/from the other adequate jurisdictions outside the EEA, known as "third countries". Jurisdictions that the EC deems "adequate" are considered to have a rigorous data protection regime in place that is broadly equivalent to that in the EU. Where a transfer is to an "adequate" jurisdiction, a controller can freely transfer data to and/or from that jurisdiction with no additional legal requirements arising and without having to implement any additional measures.
The European Commission has so far recognised the following jurisdictions as providing adequate protection:
- Andorra;
- Argentina;
- Canada (commercial organisations);
- Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- Republic of Korea;
- Switzerland;
- the United Kingdom;
- the United States of America (commercial organisations participating in the EU-US Data Privacy Framework); and
- Uruguay.
There are several large jurisdictions (e.g. China) that do not provide the legal protections for personal data in the same way as the EEA and third countries do ("Unauthorised Jurisdictions").
Transfers on the basis of available safeguards
A controller or processor may transfer personal data to a person in an Unauthorised Jurisdiction where the controller or processor is satisfied that one or more of certain safeguards are in place in relation to the personal data, and there is a mechanism for data subjects to enforce their data subject rights and obtain effective legal remedies against the further controller or processor. The safeguards include:
- where both the transferor of the personal data and the further controller or processor are public authorities, a legally binding and enforceable agreement between the transferor and the further controller or processor;
- binding corporate rules approved by the ODPA, or by another competent supervisory authority under any provision of law equivalent or similar to the GDPR;
- standard data protection clauses;
- an approved code combined with binding and enforceable commitments of the further controller or processor to apply any relevant safeguards in the code, including as regards data subject rights; or
- an approved mechanism combined with binding and enforceable commitments of the further controller or processor to apply the relevant safeguards in the mechanism, including as regards data subject rights.
Of the safeguards mentioned, standard data protection clauses appear to be the safeguard most commonly adopted by controllers when carrying out an international data transfer.
What are standard data protection clauses?
Standard data protection clauses, also known as standard contractual clauses ("SCCs") or model clauses, contain contractual obligations on the data exporter (based in Guernsey) and the data importer (based in an Unauthorised Jurisdiction) and give rights to the individuals whose personal data is to be transferred. These clauses are approved by the EC, available on their website, and recognised by the ODPA for transfer purposes.
Using standard data protection clauses
In June 2021, the EC published a new set of SCCs for international data transfers. The first set of SCCs governs international data transfers (standard contractual clauses for international transfers). The second set of SCCs governs data processing agreements between controllers and processors (standard contractual clauses for controllers and processors in the EU/EEA).
Any Guernsey business engaging in new transfers will need to utilise the new EC SCCs. The ODPA recognises the new SCCs as an appropriate transfer mechanism for transfers from Guernsey to Unauthorised Jurisdictions.
In November 2022, the ODPA published the "Bailiwick of Guernsey Addendum for the EU Commission's Standard Contractual Clauses (SCCs)" (the "Guernsey Addendum"). The Guernsey Addendum is a legal document, to which controllers can make restricted amendments, that is used in conjunction with the EC SCCs in order to protect people's data. In the event of a conflict or inconsistency between the Guernsey Addendum and the provisions of the EC SCCs, it is intended that the provisions which provide the most protection to data subjects shall prevail.
Transfer impact assessments
When a controller is seeking to rely on an available safeguard, the DPL (and the ODPA) requires that the controller carry out a "transfer impact assessment" ("TIA"). A TIA assists a controller in making sure that the actual protection provided by the available safeguard is sufficiently similar to the principles of the DPL to provide data subjects of the transferred data with a level of protection essentially equivalent to that under the DPL. The ODPA expects a controller to carry out a TIA by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data).
About Walkers' Guernsey regulatory team
Walkers' Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.