When transferring data to a restricted country, data exporters must check, amongst other considerations, whether the rights of the data subjects are sufficiently guaranteed in the recipient country. Restrictions on data subject rights in the UK must comply with the requirements of Art. 23 of the United Kingdom General Data Protection Regulation (UK GDPR). This article examines the importance of Art. 23 UK GDPR for companies planning a restricted country transfer.
Art. 23 UK GDPR and data subject rights in the case of restricted country transfers
Art. 23 UK GDPR is an opening clause on the basis of which the Secretary of State may restrict the scope of the obligations and data subject rights provided for in Articles 12 to 22 and Article 34 UK GDPR, as well as Article 5 UK GDPR in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 UK GDPR. Any such restriction must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure in a democratic society to safeguard certain areas, such as public security or other important objectives of general public interest.
In view of the case law of the Court of Justice of the European Union (CJEU) from 2020, which remains part of UK law, Art. 23 UK GDPR also bears significance for the private sector.
In the often cited and much discussed Schrems II ruling from the summer of 2020, the CJEU overturned the previously legitimate practice of simply concluding standard contractual clauses (SCCs) as appropriate safeguards for restricted country transfers when no adequacy decision was in place. The CJEU clarified that when using SCCs, a data exporter is under an obligation to assess whether the level of data protection in the recipient country is equivalent to that of the European Union, or of the UK respectively. If it is not, additional transfer-specific measures must be implemented so that this level can be achieved.
The Information Commissioner's Office (ICO) provides two options for conducting this assessment: the Transfer Risk Assessment, and the approach taken by the European Data Protection Board (EDPB), which examines whether there is a comparable level of data protection and enforceable data subject rights in the recipient country. For the latter approach, it is necessary to examine whether any restrictions on data subject rights in the restricted country in question would withstand an audit in terms of Art. 23 UK GDPR.
Concept of restriction of data subject rights
Data protection law defines in Art. 12 to 22 and 34 UK GDPR various obligations of the data controller when processing personal data and rights of data subjects in respect of their personal data. In addition, there are the principles on data processing set out in Art. 5 UK GDPR.
Restrictions under Art. 23 UK GDPR are any limitation of these obligations of the data controller or of data subject rights. In assessing whether a restricted country has an adequate level of data protection, the extent of its restrictions on data protection rights should be examined. A restriction must never lead to a complete suspension of data subject rights.
What restrictions arise from the DPA 2018 pursuant to Art. 23 UK GDPR?
In order to determine whether a country has an equivalent level of data protection to the UK, the UK-specific restrictions can be used as a point of comparison. The DPA 2018 in Art. 15 and Art. 16 provides for a series of exceptions contained in Schedules 2, 3 and 4 of the DPA 2018. Each exception is made for a purpose listed in Art. 23 UK GDPR. These include, for example:
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general public interest, in particular an important economic or financial interest of the United Kingdom, including monetary, budgetary and taxation a matters [sic!], public health and social security;
- the protection of judicial independence and judicial proceedings.
Each restriction of data subject rights contained in the DPA 2018 must meet the following requirements:
Requirements of Art. 23 (1) UK GDPR
In addition to the legitimacy of the purpose already described, Art. 23 (1) UK GDPR sets out certain conditions for the lawfulness of the restrictions and the measures implemented on this basis:
The absolute limit of the restrictions is found in the core content of the UK GDPR. None of the data subject rights laid down in the UK GDPR may be affected in their essence. This means that restrictions that are so intrusive that they deprive a fundamental right of its basic function cannot be justified.
Requirement of a legal basis and foreseeability
Furthermore, restrictions cannot rely exclusively on Art. 23 UK GDPR. Rather, Art. 23 UK GDPR is an opening clause for further legislative specifications, such as those contained in the DPA 2018, which in turn can then serve as the basis for the restrictions. The DPA 2018 and the restrictions contained therein must be sufficiently clear to provide data subjects with a reasonable understanding of the circumstances and conditions under which controllers are authorised to have recourse to such restrictions.
Necessity and proportionality
Restrictions can also only be lawful if they are both necessary and proportionate. Restrictions are necessary if they are suitable for achieving the purpose pursued and there are no milder means that would also suffice to achieve that purpose.
A measure is proportionate within the meaning of Art. 23 UK GDPR if the specific restriction and the associated consequences for the data subject appear justified in view of the purpose pursued.
In this regard, and in view of the importance of data protection law, the audit of these requirements must be carried out according to a strict standard.
Requirements of Art. 23 (2) UK GDPR
Additional requirements also apply to the law on which the restriction is based, i.e. the DPA 2018. Any legislative measure containing restrictions shall contain specific provisions at least, where relevant, as to:
- the purposes of the processing or categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- the safeguards to prevent abuse or unlawful access or transfer;
- the specification of the controller or categories of controllers;
- the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Significance of Art. 23 UK GDPR for restricted country transfers
In the case of data transfers within the UK or to the EEA and to other countries for which there is an adequacy decision, these criteria do not have to be examined. In the case of direct application of the UK GDPR (as in the UK) or an adequacy decision, a corresponding level of data protection is assumed.
Since the CJEU ruling, however, the criteria of Art. 23 UK GDPR have become relevant for companies whenever the level of data protection in a restricted country to which data is to be transferred must be assessed and the company chooses not to use the ICO's Transfer Risk Assessment.
The problem here is not only that there are often numerous legal provisions in the respective restricted country, but also that the audit does not end there. Rather, the exporter must determine the de facto level of data protection, of which the legal provisions are only one part of the overall consideration. What matters is the actual level of data protection. Therefore, it is equally important what practices the laws result in, for example whether the provisions are adhered to at all. An excessive level of intervention by the security services or a lack of legal remedies for those affected would therefore be just as relevant.
Even if the third-country policies were to stand up to an audit under Art. 23 of the UK GDPR, it would still have to be examined in a second stage whether the implementation in practice allows for a level of data protection that complies with the UK GDPR.
Conclusion: Third-country transfers are not getting any easier
Since the CJEU’s ruling, Art. 23 of the UK GDPR is no longer only relevant for UK legislators and data subjects, but also for data exporters. The assessment of whether a restricted country to which data is to be transferred provides a sufficient level of data protection can also be based on the requirements of Art. 23 UK GDPR.
When assessing the level of data protection by the exporter, challenging questions and decisions arise due to the scope and complexity of the situation. It is always a matter of an individual audit of the concrete circumstances in any given transfer, regardless of which method of assessment is used. The ICO has explicitly stated that companies planning a restricted country transfer may use either the Transfer Risk Assessment or assess according to the Art. 23 UK GDPR criteria following the EDPB approach.
Given the liability risk in the event of errors within this assessment, which should not be underestimated, it is urgently recommended to entrust the assessment to a qualified data protection expert.