Privacy PowerUp Series #7
In today’s interconnected world, data knows no borders. Understanding the intricacies of international data transfers is crucial for businesses and privacy professionals alike to ensure compliance and safeguard personal information.
This comprehensive guide will walk you through the regulatory landscape, key concepts, and practical steps to manage international data transfers effectively.
Understanding data transfers
What constitutes a data transfer?
Before we can discuss the regulations and restrictions, it’s essential to understand what qualifies as a data transfer. While the General Data Protection Regulation (GDPR) doesn’t explicitly define data transfer, the European Data Protection Board (EDPB) offers some guidance:
“Some examples of how personal data could be ‘made available’ are by creating an account, granting access rights to an existing account, ‘confirming’/’accepting’ an effective request for remote access, embedding a hard drive or submitting a password to a file. It should be kept in mind that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer.”
To determine if a data movement is a transfer, consider the following:
- Map out the data flow—where did it originate?
- Identify the storage location.
- Determine who accesses the data and where they are located.
- Assess any external sharing of data.
Using this approach, you can better understand whether your data movements qualify as a transfer, and align with EDPB guidelines.
Restrictions on data transfers
Global regulatory landscape
The regulatory landscape for data transfers varies significantly across the globe. Some countries have no restrictions, while others enforce strict data localization laws.
- No Restrictions: Countries without privacy laws or national-level regulations may not impose data transfer restrictions. For example, until recently, the US had no such limitations.
- Data Localization Laws: Some nations require data generated within their borders to be stored domestically or restrict transfer of specific data types altogether. Examples include China, Russia, and Vietnam.
In-between approaches
Most countries fall somewhere between no restrictions and complete prohibition. Here are some common mechanisms:
Adequacy decisions
An adequacy decision occurs when one country recognizes another country’s privacy protections as sufficient, allowing data transfers between them.
Examples include:
- EU to Canada: Canada’s privacy regulations are deemed adequate by the EU.
- EU-US Data Privacy Framework: Companies certified to the DPF can transfer data from the EU to the US.
- Japan and the EU: Japan recognizes the EU’s data protection as adequate.
- Dubai International Financial Centre: Recognizes the APEC CBPR system as adequate.
Transfer contracts
Standard contractual clauses (SCCs), also known as model contractual clauses, are predefined templates that outline the responsibilities and protections for data transfers. Different regions may have their own versions, such as the UK’s International Data Transfer Agreements (IDTAs).
To use SCCs:
- Identify the data exporter and importer.
- Determine your role (data controller or data processor).
- Complete the necessary sections with transfer-specific details.
- Ensure both parties execute the contract.
Regions with SCCs include the EU, UK, China, Hong Kong, and Brazil. While convenient, SCCs can be burdensome for transfer-by-transfer implementation.
Consent
Transferring data based on consent requires explicit permission from the individual whose data is being transferred. Note that consent for data collection or processing does not automatically imply consent for transfer. Requirements for obtaining consent vary by region.
Other methods
- Binding Corporate Rules (BCRs): Allow large multinational companies to transfer data within their organization across borders.
- APEC CBPR System: An international framework enabling certified companies to transfer data between participating jurisdictions.
Practical steps to manage data transfers
To effectively manage international data transfers, follow these steps:
- Map Your Data: Understand where your data is stored, who accesses it, and where it is shared. Use a tool like TrustArc’s Data Mapping & Risk Manager to automatically map your data flows and identify transfer risks against current international data transfer laws.
- Identify Transfer Types: Determine if your data movements qualify as transfers using regulatory guidelines.
- Choose a Transfer Mechanism: Select the appropriate mechanism (adequacy decision, SCCs, consent, etc.) based on your transfer scenario.
- Implement Compliance Measures: Execute necessary contracts, obtain consent, and document your processes.
- Monitor and Update: Regularly review and update your data transfer practices to ensure ongoing compliance.
Ensure compliance and protect personal information across borders
International data transfers are a complex but essential aspect of modern business operations. By understanding the regulatory landscape and implementing the right mechanisms, you can ensure compliance and protect the personal information of individuals across borders.
Are you managing international data transfer risks?
Explore how TrustArc can help you streamline your privacy compliance efforts and manage international data transfers with confidence.
Assessment Manager allows you to easily mitigate high risks with transfer impact assessments (TIAs).
TRUSTe Assurance and Certification Services enable you to demonstrate compliance with cross-border transfers through DPF verification, APEC CBPR & PRP Certification, and more.
Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.
International Data Transfers and Onward Transfers Infographic
Understand data transfer methods and the five steps to effectively manage international data transfers.
PowerUp Your Privacy
Watch all ten videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.
Read the next article in this series: #8 Emerging Technologies in Privacy: AI and Machine Learning for Privacy Professionals.
Read more from the Privacy PowerUp Series:
- Getting Started in Privacy
- Data Collection, Minimization, Retention, Deletion, and Necessity
- Data Inventories, Mapping, and Records of Process
- Understanding Data Subject Rights (Individual Rights) and Their Importance
- The Foundation of Privacy Contracting
- Choice and Consent: Key Strategies for Data Privacy
- Managing the Complexities of International Data Transfers and Onward Transfers
- Emerging Technologies in Privacy: AI and Machine Learning for Privacy Professionals
- Privacy Program Management: Buy-in, Governance, and Hierarchy
- Managing Privacy Across the Organization