If your business sends personal data overseas, you must ensure that you are complying with data protection laws. A recent Irish case found that Facebook owner, Meta, breached data protection laws by unlawfully sending user data from the EU to the US. In this article, we unpack the data protection laws concerning sending personal data overseas, how Facebook breached data protection laws and how you can avoid the same mistakes.

Transferring Personal Data Outside of the United Kingdom

All UK businesses that process personal data must comply with data protection laws. Examples of situations where you may transfer personal data outside of the UK include where:

  • you input personal data into software, such as your CRM, that is operated out of another country;
  • your IT support or customer service centre operates out of another country; and
  • you have a related entity based in another country.

Generally, transferring personal data outside the UK is prohibited unless you can rely on an exemption. This is because some countries do not have adequate data protection laws in place, and it is essential to ensure that all personal data you process is well looked after and protected.

The key exceptions you may rely on are:

  • where you are transferring personal data to an approved jurisdiction;
  • where appropriate safeguards have been put in place to protect the transfer (most commonly through approved contractual clauses); or
  • where you have consent.

Let us explore these exceptions in further detail.

Transferring Personal Data to an Approved Jurisdiction

You may transfer data to an approved jurisdiction, provided you comply with the standard rules of transferring personal data. The UK has currently approved the following countries as locations that provide an adequate level of data protection:

  • Andorra;
  • Argentina;
  • Canada (commercial organisations);
  • the EU member states and the other European Economic Area (EEA) members;
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Gibraltar;
  • Switzerland; and
  • Uruguay.

Appropriate Safeguards

If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. The most common way to do this is to implement contractual provisions approved by the UK's Information Commissioner's Office (ICO) to protect the transfer.

Before relying on an appropriate safeguard to make a restricted transfer, make sure the people whose data is being transferred receive an essentially equivalent level of protection to the one they would have in the UK.

Consent

You can obtain explicit consent from individuals to transfer their personal data outside of the UK after informing them of the possible risks of such transfers. A general consent to transfer data to third parties, or a general notification in your privacy policy of the third parties you disclose to, is not sufficient consent. The consent has to be specific and freely given. In practice, however, relying on consent is impractical in most situations.

Facebook's Breach of Data Protection Laws

Facebook owner Meta is one of the world's most valuable companies and processes the personal data of millions of users. In May 2023, Meta was fined £1 billion by Ireland's Data Protection Commission and ordered to suspend the transfer of user data from the EU to the US.

This is because Meta was transferring personal data from the EU to the US without ensuring proper safeguards were in place. Facebook used approved terms in its contracts to cover the transfer of personal data overseas. However, these terms were insufficient to address the risks to the fundamental rights and freedoms of data subjects.

The key reason for this is that the US Government has laws based on national security allowing it to access the personal data of individuals (including overseas individuals) held by US corporations without any effective safeguards or checks.

Consequently, the judgement will seriously affect all businesses that transfer personal data to the US. Notably, the EU is in talks with the US about implementing a new framework for transatlantic transfers of personal data. It remains to be seen how this will affect the UK.

What We Can Learn from Facebook

The Facebook decision is a solid reminder to all businesses that data protection authorities continue to monitor data and privacy compliance. Failure to comply with the law can incur costly fines for businesses.

To ensure your business is compliant with data protection laws, you should:

  1. Consider whether you can achieve your aims without sending personal data overseas. For example, determine whether you can anonymise the data.
  2. Assess whether the 'adequacy regulations' cover the transfer, that is, whether the transfer is to an approved country.
  3. If the transfer is not to an approved country, ensure you have an alternative mechanism to transfer personal data overseas, such as having 'appropriate safeguards' in place, including the approved contractual clauses.
  4. Before relying on 'appropriate safeguards', ensure you are satisfied that the relevant protections under UK data protection laws are not undermined for people whose data is transferred.
  5. Where you have a contract with the recipient of personal data, contact a privacy lawyer to help ensure it is compliant.

Key Takeaways

In summary, the Facebook case shows that businesses must comply with data protection laws and think twice before sending personal data to overseas countries. To avoid making the same mistakes, you should thoroughly audit your business's privacy practices and ensure you comply with the UK General Data Protection Regulation. In addition, consider which countries you send personal data to, and carry out risk assessments to ensure such transfers are compliant.