Original article by Lauren McKee, Senior Associate, LegalVision.
If your business sends personal data overseas, you must ensure that you are complying with data protection laws. A recent Irish case found that Facebook owner, Meta, breached data protection laws by unlawfully sending user data from the EU to the US. In this article, we unpack the data protection laws concerning sending personal data overseas, how Facebook breached data protection laws and how you can avoid the same mistakes.
All UK businesses that process personal data must comply with data protection laws. Examples of situations where you may transfer personal data outside of the UK include where:
Generally, transferring personal data outside the UK is prohibited unless you can rely on an exemption. This is because some countries do not have adequate data protection laws in place, and it is essential to ensure that all personal data you process is well looked after and protected.
The key exceptions you may rely on are:
Let us explore these exceptions in further detail.
You may transfer data to an approved jurisdiction, provided you comply with the standard rules of transferring personal data. The UK has currently approved the following countries as locations that provide an adequate level of data protection:
If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. The most common way to do this is to implement contractual provisions approved by the UK’s Information Commissioner’s Office (ICO) to protect the transfer.
Before relying on an appropriate safeguard to make a restricted transfer, make sure the individuals whose data is being transferred receive a level of protection essentially equivalent to the protection they would have in the UK.
Facebook owner Meta is one of the world’s most valuable companies and processes the personal data of millions of users. In May 2023, Meta was fined £1 billion by Ireland’s Data Protection Commission and ordered to suspend the transfer of user data from the EU to the US.
This is because Meta was transferring personal data from the EU to the US without ensuring proper safeguards were in place. Facebook used approved terms in their contracts to cover the transfer of personal data overseas. However, these terms were insufficient to address the risks to the fundamental rights and freedoms of data subjects.
The key reason for this is that the US Government has laws based on national security allowing it to access the personal data of individuals (including overseas individuals) held by US corporations without any effective safeguards or checks.
Consequently, the judgement will seriously affect all businesses that transfer personal data to the US. Notably, the EU is in talks with the US about implementing a new framework for transatlantic transfers of personal data. It remains to be seen how this will affect the UK.
The Facebook decision is a solid reminder to all businesses that data protection authorities continue to monitor data and privacy compliance. Failure to comply with the law can incur costly fines for businesses.
To ensure your business is compliant with data protection laws, you should:
In summary, the Facebook case shows that businesses must comply with data protection laws and think twice before sending personal data overseas. To avoid making the same mistakes, you should thoroughly audit your business's privacy practices and ensure you comply with the UK General Data Protection Regulation. In addition, consider which countries you send personal data to, and carry out risk assessments to ensure such transfers are compliant.
If you are concerned about how data protection laws may impact your business, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.