2024’s Data Protection Milestones

December 2024

Each year sees significant developments across the data protection landscape. I’ve asked industry insiders for their ONE most significant data protection or ePrivacy related milestone of 2024. Interestingly, everyone offered a different take. And all of these milestones will remain significant well into 2025.

UK GENERAL ELECTION AND DATA BILLS

Chris Combemale, Chair of the Data and Marketing Association

The most significant event for me was the General Election. For three years the DMA worked hard with the former government to ensure key reforms were included in the DPDI Bill, including certainty around legitimate interest as a lawful basis for direct marketing. At the time the election was called, DPDI was in the final stages of passage in the House of Lords. The DMA campaigned throughout the election to persuade the new government to pick up the mantle, including a joint letter to all political parties from the DMA, Tech UK and other members of the Business Advisory Group which I chaired. Our efforts paid off and the Data (Use and Access) Bill is now at Committee Stage in the House of Lords. DUA brings forward the best parts of DPDI while dropping the most controversial reforms, salvaging years of work and creating a better Bill that will transform public services, contribute to growth in the economy and maintain high levels of data protection.

Simon Blanchard, Data Protection Consultant, DPN Associates

The DUA Bill includes plans for Smart Data Schemes which allow consumers and businesses to safely share personal information with regulated and authorised third parties, for example, to generate personalised market comparisons. There are plans to create a framework for trusted identity verification services which could simplify processes like starting a new job, renting a home, as well as registering births and deaths. For me it’s significant there are now no plans to dilute accountability obligations under UK GDPR (e.g. no removal of the Data Protection Officer role, and no changes to DPIA and RoPA requirements). DUA will give a statutory footing for many commonly used practices regarding Data Subject Access Requests. Certain legitimate interests will become ‘recognised’, such as national security, safeguarding and emergency response. The Bill’s progress is definitely one to watch in 2025.

Updated DPN Legitimate Interests Guidance v3

DOORS OPENED TO EU PRIVACY ‘CLASS ACTIONS’

Fedelma Good, Data Protection and ePrivacy Consultant

Top of my list was definitely going to be the news that Australia had introduced a law banning social media use for under 16s, not least because of all the attendant concerns that have been expressed that it will actually backfire, driving teenagers to the dark web or making them feel more isolated. Well, at least this was top of my list right up until the announcement on 3rd December that the privacy rights group noyb had been approved in Austria and Ireland – but with validity throughout the EU – as a so-called ‘Qualified Entity’ to bring collective redress actions in courts throughout the European Union. I would really love to have a crystal ball to be able to see if a few years from now we will see Max Schrems, chair of noyb, comment that “So far, collective redress is not really on the radar of many – but it has the potential to be a game changer,” as the understatement of the decade.

AI & DATA PROTECTION COMPLIANCE

Steve Wood, Consultant and Researcher, Privacy X and former Deputy Commissioner, ICO

In 2024 our community has dug deeper into the key implications of AI for data protection compliance. We’ve seen a range of consultations from data protection regulators globally, addressing issues such as whether large language models are classed as personal data, when legitimate interests can apply as a lawful basis, how data subjects’ rights apply to AI models and what safeguards mitigate DP risks. Given the pivotal role the EU GDPR plays in global data protection governance, the key event for me will come right at the end of the year, just before 23 December (some Xmas holiday reading!), when the EDPB will release its GDPR Article 64(2) Opinion on AI models, requested by the Irish Data Protection Authority. The Opinion will provide a significant regulatory framing for the approach companies need to take to AI governance for the coming years, noting the breadth of application of the GDPR compared to the focus of the EU AI Act on high-risk systems.

GLOBAL ADOPTION OF DATA PROTECTION PRINCIPLES

Robert Bond, Senior Counsel, Privacy Partnership Law

The one most significant data protection event in 2024 for me was the number of countries around the world that were passing or updating data protection laws significantly influenced by the GDPR. From Kenya to Sri Lanka, from Australia to Saudi Arabia and from China to many States in the USA, the similarities around data protection principles, data subject rights and data transfer restrictions are considerable. Whilst these global developments may not apply to smaller organisations, in the case of multinationals, the ROI for all the hard work invested in complying with the GDPR is that complying with data protection laws in other parts of the world is getting somewhat easier.

UNLAWFUL INTERNATIONAL DATA TRANSFERS

Eduardo Ustaran, Partner Hogan Lovells International LLP

An issue which has returned as a top priority for regulators is cross-border data transfers. Due to geopolitical tensions, the resulting increase in surveillance and the populist appeal of data localisation, the legal restrictions on international data transfers have attracted implacable scrutiny and enforcement. A worrying concern in this area is that there seems to be no room for a balanced assessment of the risk in practice, as the mere possibility of access to data by law enforcement or intelligence agencies is leading regulators to conclude that such transfers are unlawful. This regulatory line of thinking poses a real test for everyone seeking to apply a pragmatic, risk-based approach to legitimising global data flows.

CASE LAW & THE DEFINITION OF ‘PROCESSING’

Claire Robson, Governance Director, Chartered Insurance Institute

An interesting development in case law came in the decision of the Court of Appeal in Farley v Paymaster (trading as Equiniti), a case about infringement of data protection rights through postal misdirection. Over 450 current and former police officers took action against their pension administrator after statements were sent to out-of-date addresses. The High Court dismissed many of the claims, stating there was not enough evidence to show the post (pension benefit statements) had been seen by a third party, so no processing had occurred. The Court of Appeal overturned this, granting permission for claimants to appeal. It felt there was a prospect of success in claiming processing had taken place through extraction of the information from the database and electronic transfer of the data to the paper document, along with the mistaken address, and that it was not necessary to rely on a third party reading the statement. An interesting one for Data Controllers to watch in how this develops and what it means for the definition of, and limits to, ‘processing’.

LACK OF ICO ENFORCEMENT

Emma Butler, Data Protection Consultant, Creative Privacy

For me, sadly, the most significant event of 2024 has been the decline of data protection enforcement. Yes, we have seen fines for marketing breaches and some enforcement notices, but there has been a long list of serious compliance breaches with significant impacts on people that have only received a reprimand. This leads me to wonder how bad it has to get before there is serious enforcement action to change behaviours. I have seen a corresponding lessening of the importance of compliance among organisations in terms of increased risk appetites for non-compliance, and feeling they can ‘get away with’ practices because ‘everyone else is doing it’ and they see no consequences from the ICO. I have also noticed a decrease in DPO / senior roles and more combining of the DP role with other functions, as well as low salaries for the roles that exist. Not a vintage year.

REJECT ALL COOKIES

For my part, a significant change this year has been the ‘reject all’ button springing up on so many UK websites, giving people a clear option to reject all non-essential cookies. (Albeit this is certainly not universal and I’m not sure clicking ‘reject all’ always works in practice.) This change followed an ICO warning late in 2023 to the operators of some of the country’s most popular websites, demanding compliance with the cookie rules. Focused particularly on advertising/targeting cookies, the ICO told website operators they had to make it as easy to reject all as it is to accept all. We then saw some websites moving to the controversial consent or pay model, which gives users a choice: 1) pay for an ad-free service, 2) consent to cookies, or 3) walk away. I’ll be watching closely for the ICO’s hotly awaited views on the legitimacy of this approach. I’m also pleased it looks like the DUA Bill will pave the way for first party website analytics cookies to be permitted without consent.

As you can see, from the DUA Bill to AI, global privacy laws to data transfers and the real possibility of EU ‘class actions’, these milestones are likely to keep the industry busy well into 2025 and beyond. And we’ll continue to keep you updated of the most significant developments as they happen.

6 Steps to Manage International Data Transfers from the UK

June 2024

UK data protection law requires us to carefully consider and have specific measures in place to protect personal data and the rights of individuals when it’s transferred overseas.

Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, UAE, New Zealand and Singapore, to name a few.

In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfers can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others. There will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck between the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check if what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by another entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies. Here are some examples:

Suppliers based outside the UK

Transferring, or permitting access to, personal data when using a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK

Sharing personal data with any organisation based overseas, which may be using the personal data for its own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation to access your systems.

Group entities based outside the UK

Sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas group entity having access to personal data on the UK organisation’s systems.

Important note: It would not constitute a restricted transfer if someone employed by the UK-based company itself accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or other safeguard mechanism. The ICO makes it clear most exceptions include the word ‘necessary’ and, while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’.

To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data and where there is a low risk of harm when personal data is transferred. Here are some of the most commonly used exceptions; a full list can be found here.

📌 Explicit Consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.

📌 Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give

STEP 3: CHECK IF DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’ there is no legal requirement for any further safeguards. Adequacy status is awarded to countries judged to have a level of data protection essentially equivalent to that in the UK. An adequacy decision allows for the free flow of personal data between the UK and that country.

Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and the UK reciprocates. Therefore personal data can flow freely between the UK and the countries of the EEA, i.e. the EU member states plus Iceland, Liechtenstein and Norway.

Other adequate countries

The UK adopted all EU adequacy decisions in force as of January 2021. Therefore personal data can flow freely between the UK and countries such as Switzerland, New Zealand, Uruguay, Israel and Japan.

See a full list of European Commission Adequacy Decisions. The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into play in the Autumn of 2023. This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data between the UK and US, but only if the US company has:

    • self-certified and meets the principles of the DPF, and
    • signed up to the UK ‘data bridge’ extension.

For a list of self-certified organisations see US Department of Commerce DPF

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is not an adequacy decision for the destination country and you aren’t able to rely on a limited exception, there’s a requirement to make sure specific provisions are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA)

This is a standalone legal contract which has been published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum

The EU SCCs are contracts which have been produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with the UK Addendum, or the IDTA.

📌 Other safeguards

Other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.

STEP 5: CONDUCT TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, or EU SCCs with the UK Addendum, there’s a requirement to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign governments or public bodies could override the safeguard measures you have in place.

The ICO has published TRA Guidance, which includes a TRA tool; a template document of questions and guidance to help businesses carry out a TRA. You can also use the EU alternative Transfer Impact Assessment (TIA).

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned.

An area to definitely keep an eye on is the EU’s adequacy decision for the UK. The current decision is due to expire on 27 June 2025 and is up for review; it could be extended, but if it isn’t it will lapse on that date.

EU AI Act adopted, and UK approach

March 2024

The EU has adopted the world’s first Artificial Intelligence Act. The legal text has yet to be finalised, but once it is formally adopted and published in the Official Journal the Act will enter into force. This is expected in May/June 2024.

It’s worth noting the law will then take effect in stages: the prohibitions on banned AI practices apply after six months, the obligations on ‘general-purpose’ AI models after twelve months, and the requirements for most ‘high-risk’ AI systems after 24 months, extending to 36 months for high-risk systems embedded in products covered by existing EU product safety legislation.

As the EU pushes full steam ahead with AI legislation, the UK is for now sticking to a non-statutory principles-based approach. We take a look at both approaches.

UK approach to AI regulation

The UK Government says it’s keen not to rush in and legislate on AI. It fears specific rules introduced too swiftly could quickly become outdated or ineffective. The Government says it wants to take “a bold and considered approach that is strongly pro-innovation and pro-safety.”

For the time being, key regulators are being asked to take the lead. They’re being given funding to research and upskill, and have been asked to publish plans by the end of April on how they are responding to the risks and opportunities of AI, in their respective domains.

These regulators include the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA), the Competition and Markets Authority (CMA) and the Medicines & Healthcare products Regulatory Agency (MHRA).

The Digital Regulation Cooperation Forum (DRCF), in which these regulators work together, has also been asked to “conduct cross-sector risk assessment and monitoring to guard against existing and emerging AI risks”.

Alongside this, a pilot scheme for a new advisory service, the AI and Digital Hub, has been launched. This will be run by expert regulators including Ofcom, the CMA, the FCA and the ICO.

There’s a recognition advanced General Purpose AI may require binding rules, and the need for international cooperation on AI is also emphasised.  The government’s approach is set out in its response to the consultation on last year’s AI Regulation White Paper

The EU AI Act

In March 2024 the European Union adopted the EU AI Act. Its aim is to ban unacceptable use of artificial intelligence and introduce specific rules for AI systems proportionate to the risk they pose. It will impose extensive requirements on those developing and deploying high-risk AI systems.

The Act won’t just govern AI systems operated by EU-based organisations; its scope extends to entities outside the EU which place AI systems on the market or put them into service in the EU.

The Act uses the definition of AI systems proposed by the OECD: An AI system is a machine-based system that infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can affect physical or virtual environments.

EU AI Act summary

1. Banned applications

The Act will prohibit uses of AI which threaten democracy and people’s rights. These include, but are not limited to, biometric categorisation systems which infer special category data, real-time remote biometric identification systems in publicly accessible spaces (such as live facial recognition), subject to the narrow law enforcement exceptions noted below, and emotion recognition in the workplace and educational institutions.

2. Law enforcement and national security exemptions

There will be a series of safeguards and narrow exemptions allowing for the use of biometric identification systems in publicly accessible spaces for law enforcement purposes. The legislation will not apply to systems which are exclusively used for defence or military applications.

3. Tiered risk-based approach

The requirements organisations will need to meet, will be tiered dependent on the risk. For example;

  • For AI systems classified as high-risk there will be core requirements, such as mandatory fundamental rights impact assessments, registration on a public EU database, data governance, transparency, human oversight and more.
  • General-purpose AI (GPAI) models, and the AI systems built on them, will need to meet transparency requirements, including maintaining technical documentation, complying with EU copyright law and publishing detailed summaries of the content used to train the models.
  • For Generative AI applications, people will have to be informed when they are interacting with AI, for example a Chatbot.

4. Right to complain

People will have the right to launch complaints about AI systems and receive explanations about decisions based on high-risk AI systems which impact their rights.

5. Higher fines than GDPR

Non-compliance with the rules could lead to fines of up to 35 million Euros or 7% of global annual turnover, whichever is higher. This is a notable hike from GDPR, which sets a maximum of 20 million Euros or 4% of annual worldwide turnover.

 

The EU AI Act represents the world’s first comprehensive legislative framework for regulating AI. Could it become a global standard, like GDPR has for data protection? Or will other countries take a non-statutory approach like we’re seeing in the UK, at this stage?

What’s clear is organisations need to take steps now to raise awareness and upskill employees. For example in compliance teams, legal, data protection, security and (by no means least) product development.

Decisions should be made about who needs a greater understanding of AI, how it will be internally regulated and where responsibilities for AI governance rest within the organisation.

International Data Transfers Guide

March 2024

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU.

The rules regarding restricted transfers can be an enigma to the uninitiated and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking; what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise.

However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny, in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.

There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent or accessible outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

  • Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
  • Giving a supplier based in another country access to personal data
  • Giving access to UK/EU employee data to another entity in the same corporate group, based in another country.

There are some notable exceptions:

  • Our own employees: A restricted transfer does not take place when you send personal data to someone employed by your own company, or when they access personal data from overseas. However, the rules do cover sending, transmitting or making personal data available to another legal entity within the same corporate group, where the entities operate in different countries.
  • Data in transit: Where personal data is simply routed via other countries, but there is no intention that the data will be accessed or manipulated while it is in transit, this won’t represent a restricted transfer. ICO guidance says: “Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.”

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a similar level of data protection standards in place to the sender country. An Adequacy Decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA
The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions.

Therefore personal data can flow freely between EEA countries and an ‘adequate’ country. These decisions are kept under review. There are some concerns UK Government plans to reform data protection law could potentially jeopardise the UK’s current EC adequacy decision.

EU-US Data Privacy Framework: The EC adopted this framework for transfers from the EU to US in July 2023.  It allows for the free flow of personal data to organisations in the US which have certified and meet the principles of the DPF. A list of self-certified organisations can be found on the U.S Department of Commerce DPF website.

Transfers from the UK
There are provisions which permit the transfer of personal data between the UK and the EEA, and to any countries which are covered by a European Commission ‘adequacy decision’ (as of January 2021). Therefore personal data can flow freely between UK and EEA and any of the countries awarded adequacy by the EC.

The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.

UK-US Data Bridge: The UK-US ‘Data Bridge’ was finalised on 21st September 2023 and came into effect on 12th October 2023. Like the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF, but they must also sign up to the ‘UK extension’. Read more about the Data Bridge

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’.

SCCs can be used for restricted transfers from the EEA to other territories (including those not covered by adequacy). The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs cover specific clauses which can be used for different types of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses

Two points worth noting:

  • The deadline to update contracts which use the old SCCs has passed – 27th December 2022.
  • Senders in the UK cannot solely rely on EU SCCs, see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers.

  • The International Data Transfer Agreement, or
  • The Addendum to the new EU SCCs

ICO guidance stresses; the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the new EU SCCs. In other words the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.

In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, to cover the protection of the rights of EU as well as UK citizens.

It’s worth noting that contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to the new EU SCCs in order to be effective. See ICO Guidance

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020 invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries.

As a result of this ruling there’s a requirement when using the EU SCCs or the UK IDTA to conduct a written risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment, and in the UK, it’s called a Transfer Risk Assessment (TRA).

The ICO has published TRA Guidance, which includes a TRA tool: a template document of questions and guidance to help businesses carry out a TRA.

D. Binding Corporate Rules (BCR)

BCRs can be used as a safeguard for transfers between companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous, and completing BCRs takes a considerable amount of time.

BCRs need to be approved by a Supervisory Authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with UK Addendum if necessary) or the IDTA, in preference to going down the BCR route.

E. Other safeguards

Other safeguard measures include:

  • Approved codes of conduct
  • Approved certification mechanisms
  • Legally binding and enforceable instruments between public authorities or bodies.

What are the exemptions for restricted transfers?

It may be worth considering whether an exemption may apply to your restricted transfer. These can be used in limited circumstances and include:

  • Explicit consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.
  • Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.
  • Public interests – the transfer is necessary for important reasons of public interest.
  • Legal necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.
  • Vital interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

The ICO makes the point that most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved another way.

The regulatory guidance says exemptions, such as contractual necessity, are more likely to be proportionate for occasional transfers, a low volume of data, and where there is a low risk of harm when the data is transferred.

The above is not an exhaustive list of the exemptions; further details can be found here.

There is no getting away from it: international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks.

Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be taken here on the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

International Data Transfers and UK-US Data Bridge

September 2023

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live 12 October 2023.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.

The UK Government stresses data bridges are not reciprocal: they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individuals’ personal data under UK GDPR is maintained.

The UK-US Data Bridge is aimed at easing the burden on UK businesses, faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.

For more than a decade the Austrian privacy activist Max Schrems (and his organisation NOYB) has been challenging data transfers and highlighting concerns about the ability of the US Government and its agencies to access and intercept data transferred to the US.

This ultimately led to a 2020 European Court ruling, known as Schrems II, which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard: Standard Contractual Clauses (SCCs).

(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)

Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.

In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risk Assessments for UK based businesses. Oh, and let’s not forget there’s also the UK Addendum to EU SCCs.

Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed the EU-US Data Privacy Framework gives protection to transferred personal data which is comparable to that provided within the EU.

This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers would also need to sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking:

1) whether US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the categories of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge, or Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example special category data (such as health data, biometrics, political opinions) and criminal offence data require additional measures.

There’s further information available about the Data Privacy Framework here, and there’s also an ability to check if a US business is signed up using the participant search.

Legal challenges

As with its predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, maybe even years, to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US data bridge.

Businesses wanting to take a belt and braces approach may therefore want to still rely on safeguard measures such as EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and where necessary the UK Addendum.

See our International Data Transfer Guide for an overview of the rules and requirements.

EU Representative and Swiss Representative for data protection

September 2023

Do you need to appoint a data protection representative?

The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the requirement for many businesses to appoint an EU representative post Brexit.

What is an EU Representative?

If you’re a UK based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.

This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.

The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation:

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if you are a public authority, or if your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answers to all the above questions are NO.

But if for example you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

Once you’ve established you meet the criteria, you need to know what an EU Representative’s responsibilities are and find a company to provide this service. They have the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. In selecting Ireland, you would need to be handling Irish citizens’ data. If for example you only process French and German citizens’ data, you would need a Representative in one of these countries.

What about Swiss Representatives?

The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.

In practice, like the EU GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example, if your activities:

  • involve offering goods and/or services to individuals, or monitoring their behaviour, on a large scale, and
  • are on a large scale, carried out regularly and pose a high risk to the data subject.

The role of Swiss Rep has evolved from EU GDPR: they act as a local, accessible point of contact in Switzerland for individuals and for the FDPIC.

However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale, regularly, and posing a high risk are part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption from appointing an EU representative if your processing is not on a large scale, is not routine and is not high risk.

So, what’s the risk of not having a Representative?

This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.

However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.

International Data Transfers Q&A

July 2023

There’s no getting away from the fact that navigating the rules regarding the transfer of personal data to different countries around the world can be complicated.

Multiple different scenarios between controllers, processors and even entities within the same group of companies can throw up all kinds of questions. What’s the most appropriate transfer mechanism to use? Do we need to do a risk assessment? What should we do for Intra-Group transfers?

In this Q&A session we’ve selected some questions raised by the DPN audience which we believe will be useful for many organisations. We’re delighted to be able to draw on the expertise of Debbie Venn, Partner at DMH Stallard LLP to provide her answers.

Q: We are a controller based in the UK and we process the data of UK, EU and other citizens globally. We contract service providers based in the USA. What transfer mechanism should we use?

As the personal data being processed includes both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs), with the UK applicable Addendum (Module One – controller-processor). This is so it can be covered under one agreement, rather than having a UK International Data Transfer Agreement (IDTA) and the EU SCCs, for this purpose.

You’ll also need to consider (as part of your controller responsibilities) whether there are any specific laws which need to be complied with in the jurisdictions outside of the UK and EU, such as California. This is to make sure there are no other provisions that need to be added into a relevant controller to processor agreement.

A controller to processor data processing agreement can cover all data sharing activities, with the EU SCCs and UK Addendum appended, to ensure compliance with both EU and UK GDPR.

We’d recommend this especially when special category data is being transferred, so additional wrap-around measures can be included, in addition to the EU SCCs and UK addendum. Alternatively, if the personal data being shared is minimal, you could opt for just the EU SCCs and UK Addendum.

As processors are based in the USA, a Transfer Risk Assessment would also need to be carried out for the purposes of assessing any additional security measures to put in place. However, if the US organisation is a signatory to the recently adopted EU-US Data Privacy Framework, this risk assessment would not be necessary.

Q. For Intra-Group Transfers should we consider basing this on EU SCCs or UK IDTA, or Binding Corporate Rules (BCRs)?

BCRs, while they are useful, are complicated. They’re difficult to manage and agree internally within a group. They also need approval from a relevant Supervisory Authority – a process which can be painfully long. The UK ICO has, I believe, only 9 companies that have adopted BCRs since UK GDPR became effective.

Many organisations are therefore opting to use EU SCCs or the UK IDTA (or EU SCCs with UK Addendum if both EU and UK personal data is being transferred). The agreement can set a detailed, granular framework for data sharing, reflecting the sharing practices, internal security compliance, and so on, in addition to the international data transfer elements. This is also useful when handling companies coming into the group and acceding to the Intra-Group agreement.

Q. Do we need to perform a Transfer Risk Assessment for Intra-Group Transfers?

This depends to a degree on where group companies are located. But in principle, a TRA must be carried out to cover the proposed data flows / transfers in addition to entering into the relevant agreements / clauses.

Q. For Intra-Group Transfers should we follow the data flows, or the group company locations?

Follow the data. An Intra-Group Transfer Agreement should be set up to support the flows of the data, rather than prescribe how that data should flow.

Q. What is a Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA)?

A TRA/TIA is an assessment which should be conducted when relying on an appropriate safeguard for a data transfer, for example, EU SCCs, UK IDTA or BCRs. Risk assessments are not required where an adequacy decision is in place, or when relying on an exception (derogation).

The aim of the assessment is to make sure the level of protection offered under the UK/EU GDPR is maintained even when the data is transferred outside the UK/EEA and to identify and help mitigate any risks, where necessary. The level of protection for the importer of the data / country doesn’t need to be the same, but essentially equivalent or sufficiently similar.

UK Transfer Risk Assessment (TRA)

This is an assessment produced by the UK ICO. It’s a risk-based approach, considering the harm in terms of non-compliance. It represents a fairly pragmatic approach focused on the likelihood of risk in terms of the receiving country and who might have access to the data (e.g. law enforcement or national security agencies).

It assists an assessment of whether the protection of personal data in a third country is adequate, and does this on the basis of whether standards in a third country are materially lower, rather than whether protection is equivalent (as for the EU assessment). Essentially, you need to consider:

  • Who is the data importer?
  • Status of the data importer (i.e. controller/processor/sub-processor)
  • Activities of the data importer
  • Details of the personal data being transferred, including the individuals it relates to and the nature of the information. Does it include special category data, what kinds of volumes and how frequent?
  • Protection mechanisms in place, including format and transfer process
  • Assign a risk level to the proposed data being transferred: low, moderate or high, and adjust the data if this is possible and can help to reduce the risk.
  • Are the human rights of individuals in the destination country of a lower standard than in the UK/EEA? Is it more likely that human rights breaches will occur, or would they be more severe if they did? Extra protections might be needed based on this risk.
  • What enforcement mechanisms are in place?
  • Do any exceptions apply? For example, in an emergency situation.

For more detail see the ICO Transfer Risk Assessment Guidance and TRA Tool

EU Transfer Impact Assessment (TIA)

The approach adopted in the EU is referred to as “supplementary measures”. This is more detailed and includes the European Data Protection Board (EDPB) recommendations on measures to supplement transfer mechanisms. If you’re a global business, the more pragmatic UK ICO approach may not be sufficient to meet the TIA requirements covering EU personal data.

For more information see the EDPB supplementary measures recommendations

Q: Who should complete the TRA/TIA in a supplier relationship – the controller or the processor?

Generally the controller should be assessing whether their personal data can be transferred to a processor. This is also usually governed by a data processing agreement between the two parties.

However, it may depend on which party is initiating the restricted transfer, i.e. who is the exporter? This could be a processor or controller in the UK/EU transferring the data overseas. If a processor is exporting the data, they would be responsible for undertaking the TRA/TIA and putting the relevant SCCs/IDTA in place with any sub-processors involved.

Controllers however have a responsibility to make sure they are using processors who take sufficient steps to protect personal data. It’s not 100% clear how far the controller’s obligations would go to verify the processor’s compliance with UK/EU GDPR when making a restricted transfer.

Q: What level of assurance should we expect from other controllers (data importers) for any onward transfers to processors? Should we ask to review their TRA/TIAs?

Reviewing TRA/TIAs would help understand the assessments made. However, this is all about assessment of the risks. The controller will need to weigh up the risks, broadly considering a number of factors, such as:

  • Controller’s risk profile
  • Risk profile of the data
  • Data subjects in scope
  • Nature of the processing
  • Third countries involved and risk under local laws
  • Scope of the processor’s processing activities and their assessments
  • Reputation of the processor
  • Sub-processors used
  • Nature of assurances provided – has the processor given enough reassurance around the assessments they have made when making a restricted transfer?
  • Contractual provisions between the parties

Thanks Debbie! As these questions and Debbie’s responses demonstrate, the world of international data transfer rules can be tricky to unravel – especially for the uninitiated.

For many businesses, it often comes down to taking a proportionate approach based on the size of your organisation and the sensitivity, volume and frequency of the personal data you are transferring overseas.

What’s crucial is knowing where your data flows and to whom. Only then can you make a judgement call on the potential risks, and ensure appropriate transfer measures are in place for higher-risk activities.

International Data Transfer Resources

How to tackle international data transfers

The rules on international data transfers under UK/EU data protection law can be complex to navigate. At the core is a requirement for specific safeguard measures to be in place for what are termed ‘restricted transfers’ and for companies to assess the risk posed to individuals by transferring their data overseas.

Data Transfers Q&A

Multiple different scenarios for international data transfers throw up all kinds of questions. We’ve selected some questions raised by our audience which we believe will be common to many organisations: International Data Transfers Q&A with Debbie Venn, Partner at DMH Stallard LLP.

Other useful resources

UK

ICO Guidance – International Data Transfer Agreement

ICO Guidance and Tool – UK Transfer Risk Assessments

EU

European Data Protection Board Guidance on International Data Transfers

European Data Protection Board – information sheet re US adequacy decision

European Data Protection Board supplementary measures recommendations