Post-Brexit the UK retained GDPR as its main data protection framework (so-called ‘UK GDPR’ was born). But since it’s no longer a part of the EU, the UK has leeway to keep its data protection legislation under review and diverge from the GDPR regime when it feels it’s appropriate. One area that has proved tricky to navigate is the regulation of personal data transfers between countries.
Here we look at how the UK’s Information Commissioner’s Office (the ICO) approaches these international data transfers.
What must UK businesses do from a data compliance perspective when transferring data from or to the EU on the one hand and from or to international jurisdictions outside the EU on the other? In particular we’ll examine the UK documentation that is set to govern these types of data transfers.
This is a technical, sometimes complex area of law, but if you are processing data and there’s a cross-border element to your work you need to ensure you comply fully with the rules to avoid punitive ICO fines and reputational damage. At Nath Solicitors in London we advise on all aspects of data protection law. If you have concerns, call 44 (0) 203 983 8278 or get in touch with the firm online. We’d be happy to have an initial, no-obligation chat about our services.
If :
then for all intents and purposes you’re carrying out a ‘restricted transfer’ of data for UK GDPR purposes.
Bear in mind that UK GDPR Article 46 states that if there’s no ‘adequacy decision’ (i.e. a decision that data safeguards in another jurisdiction are adequate/consistent with GDPR), you may transfer personal data to a third country or an international organisation only if you provide ‘appropriate safeguards’.
Ensuring ‘appropriate safeguards’ were in place under Article 46 meant using the EU’s Standard Contractual Clauses. Post-Brexit there was a need to update these.
The area of international data transfers was also affected by the need to address the consequences of the EU’s decision in the case of Schrems II. That ground-breaking ruling found that US data protection laws did not – in the EU’s view at least – adequately protect personal data and contravened the basic tenets of GDPR. (The court highlighted the personal surveillance capabilities of US national security bodies when it came to examining personal data.)
In some respects, then, international transfers of data have been stuck in an uncertain, almost limbo-like state. The ICO and the UK government have addressed this regulatory gap with the introduction of the International Data Transfer Agreement and Addendum.
In June 2021 the EU decided that the UK’s data protection regime provides adequate protection for data transferred from the EU to the UK. This means that most data can pass from the EU to the UK without the need for the additional safeguards envisaged by Article 46. This is undoubtedly good news for businesses as it effectively streamlines data flow between the EU and the UK.
Transfers from the UK to other countries, including to the EU, are subject to the rules in UK GDPR. These closely resemble the GDPR rules laid down by the EU, although as we said the UK has the flexibility to change these rules if it wishes.
The International Data Transfer Agreement template and Addendum are geared towards helping businesses ensure they have the right protections in place when transferring people’s data outside of the UK to countries not covered by adequacy decisions, that is, where the appropriate safeguards envisaged by Article 46 UK GDPR are not in place in the relevant country.
The IDTA and Addendum effectively address the concerns we mentioned above (the need to update the Standard Contractual Clauses and the need to deal with transfers to countries (like the US) affected by the Schrems II decision).
UK GDPR continues to present compliance issues for many of our clients. The rules apply no matter how small your transfer of data is and how irregularly you transfer data. For advice please contact Shubha Nath at Nath Solicitors on 44 (0) 203 983 8278 or get in touch with the firm online.