Chapter 5 of the UK GDPR mirrors the international transfer arrangements of the EU GDPR. There is a general prohibition on organisations transferring personal data to a country outside the UK, unless they ensure that data subjects’ rights are protected. This means that, if there is no adequacy decision in respect of the receiving country, one of the safeguards set out in Article 46 must be built into the arrangement. These include standard contractual clauses and binding corporate rules.
In May last year the largest ever GDPR fine of €1.2bn was issued by Ireland’s Data Protection Commission to Facebook’s owner, Meta Ireland. The DPC ruled that Meta infringed Article 46 of the EU GDPR in the way it transferred personal data of its users from Europe to the USA.
In the absence of an adequacy decision or appropriate safeguards pursuant to Article 46, a transfer of personal data to a third country or an international organisation can still take place if one of the conditions in Article 49 are satisfied. These conditions include, amongst others, where the data subject has explicitly consented to the proposed transfer and where the transfer is necessary for the establishment, exercise or defence of legal claims.
A recent judgment by the English High Court judgement addressed a case involving JSC Commercial Bank Privatbank (JSC), which sought the court’s permission to disclose two schedules from its particulars of claim in English legal proceedings to the Ukrainian Bureau of Economic Security (BES). These schedules contained personal data about a co-founder of JSC, who was a defendant in the English proceedings and was accused of embezzlement. A Ukrainian court had ordered the disclosure of these schedules to BES as part of its investigation into potential fraud committed against JSC by another co-founder and defendant in the same English proceedings.
JSC applied for approval from the English High Court to disclose the two schedules. This application was necessary because the defendants in the English proceedings opposed the disclosure. Among other considerations, the court had to determine whether one of the derogations under Article 49 of the GDPR applied.
The relevant derogations in this case were Article 49(1)(d) (“the transfer is necessary for important reasons of public interest”) and Article 49(1)(e) (“the transfer is necessary for the establishment, exercise, or defence of legal claims”). The defendants argued that neither derogation was applicable.
The Judge ruled that the Article 49(1)(e) derogation was applicable, as the Ukrainian proceedings constituted a relevant “legal claim,” and the transfer of data was a necessary, targeted, and proportionate means of establishing or exercising that claim.
In reaching his conclusion, it is notable that the judge gave significant weight to the ICO’s guidance on international transfers. The guidance states that Article 49(1)(e) applies if (1) “you or another person involved in the legal claim have received a request for information from an overseas regulator with a view to it potentially taking formal action,” and (2) even if the transfer is not “absolutely essential,” it is a “targeted and proportionate way of achieving a specific purpose” that could not reasonably be achieved by other means.
Given the conclusion on Article 49(1)(e) and the urgency with which the case was argued and decided, the Judge did not make a determination on the applicability of the Article 49(1)(d) derogation.
Robert Bateman will be discussing this and related developments in his forthcoming International Transfers workshop.
Please subscribe to this blog and help us to get to 10,000 subscribers.
