In Short
- UK businesses transferring personal data overseas must comply with data protection laws or face significant fines.
- The EU and select others are approved countries for data transfers; proper safeguards are required for non-approved countries.
- Uber and Facebook were fined for failing to ensure compliance with data protection laws when transferring data overseas.
Tips for Businesses
When transferring data abroad, ensure your destination is an approved jurisdiction or put safeguards in place. Always review contracts and data policies with legal advice to prevent non-compliance, which can lead to costly penalties.
If your business sends personal data overseas, you must ensure that you are complying with data protection laws. Recent cases found that Uber and Facebook's owner, Meta, breached data protection laws by unlawfully sending user data from the EU to the US. In this article, we unpack the data protection laws concerning sending personal data overseas, how Uber and Facebook breached those laws, and how you can avoid the same mistakes.
Transferring Personal Data Outside of the United Kingdom
All UK businesses that process personal data must comply with data protection laws. Examples of situations where you may transfer personal data outside of the UK include where:
- you input personal data into software, such as your CRM, that is operated out of another country;
- your IT support or customer service centre operates out of another country; and
- you have a related entity based in another country.
The key exceptions you may rely on are:
- where you are transferring personal data to an approved jurisdiction;
- where appropriate safeguards have been put in place to protect the transfer (most commonly through approved contractual clauses); or
- where you have consent.
Let us explore these exceptions in further detail.
Transferring Personal Data to an Approved Jurisdiction
You may transfer data to an approved jurisdiction, provided you comply with the standard rules of transferring personal data. The UK has currently approved the following countries as locations that provide an adequate level of data protection:
- Andorra;
- Argentina;
- Canada (commercial organisations);
- the EU member states and European Economic Area members;
- Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- Gibraltar;
- Switzerland; and
- Uruguay.
You may also be able to transfer personal data to some organisations in the US that meet certain certification requirements under the UK-US Data Bridge. Under this framework, certified US companies must follow specific privacy principles. If you transfer personal data to such companies, UK individuals can access a redress mechanism if they believe their data has been misused.
Appropriate Safeguards
If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. The most common way to do this is to implement contractual provisions approved by the UK’s Information Commissioner’s Office (ICO) to protect the transfer.
Consent
You can obtain explicit consent from individuals to transfer their personal data outside of the UK after informing them of the possible risks of such transfers. A general consent to transfer data to third parties or general notification of the third parties you disclose to in your privacy policy is not sufficient consent. The consent has to be very specific and voluntary. However, this is usually impractical for most situations.
Uber and Facebook’s Breach of Data Protection Laws
What Uber Did Wrong
The Dutch Data Protection Authority (DPA) recently fined Uber, the world’s largest rideshare company, €290 million for transferring European Uber drivers’ personal data to the US without adequate safeguards. This violated the European data protection laws, which are very similar to UK data protection laws.
The personal data shared by Uber included sensitive information such as:
- account details;
- taxi licences;
- location data; and
- criminal and medical records.
For over two years, Uber transferred this data without proper transfer tools, compromising the privacy rights of many individuals. Much like in the UK, the fine was calculated based on Uber’s worldwide annual turnover, with a maximum limit of 4%. Although the fine was issued in the EU, the UK’s data protection regime is very similar to that of the EU, and this case serves as a stark reminder that regulatory authorities are actively overseeing transfer practices to ensure compliance.
What Facebook Did Wrong
Facebook owner Meta is one of the world’s most valuable companies and processes the personal data of millions of users. In May 2023, Meta was fined £1 billion by Ireland’s Data Protection Commission and ordered to suspend the transfer of user data from the EU to the US.
This is because Meta was transferring personal data from the EU to the US without ensuring proper safeguards were in place. Facebook used approved terms in their contracts to cover the transfer of personal data overseas. However, these terms were insufficient to address the risks to the fundamental rights and freedoms of data subjects.
Consequently, the judgement will seriously affect all businesses that transfer personal data to the US. It is worth noting that since this case took place, the UK has now implemented the UK-US Data Bridge, which gives businesses another avenue to safely share personal data with the US.
What We Can Learn from Uber and Facebook
The Uber and Facebook decisions are a solid reminder to all businesses that data protection authorities continue to monitor data and privacy compliance. Failure to comply with the law can incur costly fines for businesses.
To ensure your business is compliant with data protection laws, you should:
- Consider whether you can achieve your aims without sending personal data overseas. For example, determine whether you can anonymise the data (data that is merely pseudonymised is still personal data).
- Assess whether the ‘adequacy regulations’ cover the transfer, that is, whether the transfer is to an approved country.
- If the transfer is not to an approved country, ensure you have an alternative mechanism to transfer personal data overseas, such as having ‘appropriate safeguards’ in place, including the approved contractual clauses.
- Before relying on ‘appropriate safeguards’, ensure you are satisfied that the relevant protections under UK data protection laws are not undermined for people whose data is transferred.
- Where you have a contract with the recipient of personal data, contact a privacy lawyer to help ensure it is compliant.
Key Takeaways
In summary, the Uber and Facebook cases show that businesses must comply with data protection laws and think twice before sending personal data to overseas countries. To avoid making the same mistakes, thoroughly audit your business's privacy practices and comply with the UK General Data Protection Regulation. In addition, consider which countries you send personal data to, and carry out risk assessments to ensure such transfers are compliant.
If you are concerned about how data protection laws may impact your business, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
What is personal data?
Personal data is information about a specific identifiable individual that relates to them. For example, this may include a person's name, an identification number like a National Insurance number, location information or a person's IP address.
What if I am sending personal data to a country that is not approved?
If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. You may also obtain the consent of the data subject.