EU AI Act adopted, and UK approach

March 2024

The EU has adopted the world’s first Artificial Intelligence Act. The legal text has yet to be set in stone, but once it has been finalised and published in the Official Journal the Act will come into force. This is expected in May/June 2024.

It’s worth noting the law will then apply in stages. Counting from entry into force, there will be six months before the prohibitions on banned AI practices apply, twelve months before the obligations for ‘general-purpose’ AI models apply, 24 months before most of the remaining provisions (including the bulk of the ‘high risk’ rules) apply, and 36 months for high-risk systems that form part of products already covered by EU product safety legislation.

As the EU pushes full steam ahead with AI legislation, the UK is for now sticking to a non-statutory principles-based approach. We take a look at both approaches.

UK approach to AI regulation

The UK Government says it’s keen not to rush in and legislate on AI. It fears specific rules introduced too swiftly could quickly become outdated or ineffective. The Government says it wants to take “a bold and considered approach that is strongly pro-innovation and pro-safety.”

For the time being, key regulators are being asked to take the lead. They’re being given funding to research and upskill, and have been asked to publish plans by the end of April 2024 on how they are responding to the risks and opportunities of AI in their respective domains.

These regulators include the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA), the Competition and Markets Authority (CMA) and the Medicines & Healthcare products Regulatory Agency (MHRA).

The Government also points to the Digital Regulation Cooperation Forum (DRCF), a body the regulators themselves formed in 2020, and to a new central function within government to “conduct cross-sector risk assessment and monitoring to guard against existing and emerging AI risks”.

Alongside this, a pilot of a new advisory service, the AI and Digital Hub, has been launched. It is run by the DRCF regulators: Ofcom, the CMA, the FCA and the ICO.

There’s a recognition that highly capable general-purpose AI may in time require binding rules, and the need for international cooperation on AI is also emphasised. The Government’s approach is set out in its response to the consultation on last year’s AI Regulation White Paper.

The EU AI Act

In March 2024 the European Union adopted the EU AI Act. Its aim is to ban unacceptable use of artificial intelligence and introduce specific rules for AI systems proportionate to the risk they pose. It will impose extensive requirements on those developing and deploying high-risk AI systems.

The Act won’t just govern organisations based in the EU: its scope extends to providers outside the EU which place AI systems (or general-purpose AI models) on the EU market or put them into service in the EU, and to providers and deployers outside the EU where the output of the system is used in the EU.

The Act uses the definition of AI systems proposed by the OECD: An AI system is a machine-based system that infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can affect physical or virtual environments.

EU AI Act summary

1. Banned applications

There will be prohibited uses of AI which threaten democracy and people’s rights. Examples include (the list is not exhaustive): biometric categorisation systems which use biometric data to infer sensitive characteristics such as race, political opinions or sexual orientation; untargeted scraping of facial images from the internet or CCTV to build facial recognition databases; real-time remote biometric identification (such as facial recognition) in publicly accessible spaces for law enforcement, subject to the narrow exemptions below; emotion recognition in the workplace and educational institutions; and social scoring.

2. Law enforcement and national security exemptions

There will be a series of safeguards and narrow exemptions allowing for the use of biometric identification systems in publicly accessible spaces for law enforcement purposes. The legislation will not apply to systems which are exclusively used for defence or military applications.

3. Tiered risk-based approach

The requirements organisations will need to meet are tiered according to the risk the AI system poses. For example:

  • For AI systems classified as high-risk there will be core requirements, such as risk management, data governance, technical documentation, logging, transparency to deployers, human oversight and accuracy/robustness/cybersecurity measures, plus registration on a public EU database. Certain deployers (for example public bodies and providers of essential services) must also complete a fundamental rights impact assessment before use.
  • General-purpose AI (GPAI) models, and the GPAI systems built on them, will need to adhere to transparency requirements, including maintaining technical documentation, complying with EU copyright law and publishing a detailed summary of the content used to train the model. Models deemed to carry ‘systemic risk’ face additional obligations such as model evaluation, adversarial testing and incident reporting.
  • For AI that interacts with people or generates content (for example a chatbot or an image generator), people will have to be informed that they are interacting with an AI system, and AI-generated or manipulated content such as deepfakes must be labelled as such.

4. Right to complain

People will have the right to launch complaints about AI systems and receive explanations about decisions based on high-risk AI systems which impact their rights.

5. Higher fines than GDPR

Non-compliance with the prohibitions could lead to fines of up to €35 million or 7% of global annual turnover, whichever is higher (lower caps apply to other breaches, for example €15 million or 3% for most other obligations). This is a notable hike from GDPR, which sets a maximum of €20 million or 4% of annual worldwide turnover.


The EU AI Act represents the world’s first comprehensive legislative framework for regulating AI. Could it become a global standard, like GDPR has for data protection? Or will other countries take a non-statutory approach like we’re seeing in the UK, at this stage?

What’s clear is organisations need to take steps now to raise awareness and upskill employees, for example in compliance, legal, data protection and security teams and (by no means least) product development.

Decisions should be made about who needs a greater understanding of AI, how it will be internally regulated and where responsibilities for AI governance rest within the organisation.

International Data Transfers Guide

March 2024

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU.

The rules regarding restricted transfers can be an enigma to the uninitiated, and their complexity has been magnified by Brexit and by an infamous 2020 ruling of the Court of Justice of the European Union known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking: what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise.

However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny, in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.

There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders to receivers outside the EEA (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent or accessible outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

  • Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
  • Giving a supplier based in another country access to personal data
  • Giving access to UK/EU employee data to another entity in the same corporate group, based in another country.

There are some notable exceptions:

  • Our own employees: A restricted transfer does not take place when sending personal data to someone employed by your company, or them accessing personal data from overseas. However, it does cover the sending, transmitting or making personal data available to another entity within the same corporate group, where entities operate in different countries.
  • Data in transit: Where personal data is simply routed via other countries, but there is no intention that it will be accessed or manipulated while in transit, this won’t represent a restricted transfer. ICO guidance says: “Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.”

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to provide a level of data protection essentially equivalent to that of the sender country. An adequacy decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA
The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions.

Therefore personal data can flow freely between EEA countries and an ‘adequate’ country. These decisions are kept under review. There are some concerns that UK Government plans to reform data protection law could jeopardise the UK’s current EC adequacy decisions, which in any case contain a sunset clause and expire in June 2025 unless renewed.

EU-US Data Privacy Framework: The EC adopted an adequacy decision for this framework, covering transfers from the EU to the US, in July 2023. It allows for the free flow of personal data to organisations in the US which have self-certified to, and comply with, the DPF principles. A list of self-certified organisations can be found on the U.S. Department of Commerce DPF website.

Transfers from the UK
UK GDPR preserves the free flow of personal data from the UK to the EEA, and to any country covered by a European Commission adequacy decision as it stood at the end of the Brexit transition period (31 December 2020). Therefore personal data can flow freely from the UK to the EEA and to any of the countries awarded adequacy by the EC at that point.

The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.

UK-US Data Bridge: The UK-US ‘Data Bridge’ was finalised on 21 September 2023 and came into force on 12 October 2023. As with the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF, but to receive UK data under the bridge they must also sign up to the ‘UK extension’. Read more about the Data Bridge

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’.

SCCs can be used for restricted transfers from the EEA to territories not covered by an adequacy decision. The European Commission published new SCCs in 2021 which must now be used for all contracts covering such transfers. The SCCs are modular, with a module for each type of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses

Two points worth noting:

  • The deadline to update contracts which use the old SCCs has passed – 27th December 2022.
  • Senders in the UK cannot solely rely on EU SCCs, see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers.

  • The International Data Transfer Agreement, or
  • The Addendum to the new EU SCCs

ICO guidance stresses that the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on them. In other words, the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.

In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, to cover the rights of EU as well as UK data subjects.

It’s worth noting, contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to new EU SCC, in order to be effective. See ICO Guidance

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020, invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries.

As a result of this ruling there’s a requirement, when relying on the EU SCCs, the UK IDTA or the UK Addendum, to conduct a written risk assessment to determine whether personal data will be adequately protected in the destination country. In the EU this is known as a Transfer Impact Assessment (TIA), and in the UK it’s called a Transfer Risk Assessment (TRA).

The ICO has published TRA Guidance, which includes a TRA tool; a template document of questions and guidance to help businesses carry out a TRA.

D. Binding Corporate Rules (BCR)

BCRs can be used as a safeguard for transfers between companies in the same corporate group. While some global organisations have gone down this route, it can be incredibly onerous and takes a considerable amount of time to complete BCRs.

BCRs need to be approved by a supervisory authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with the UK Addendum if necessary) or the IDTA in preference to going down the BCR route.

E. Other safeguards

Other safeguard measures include:

  • Approved codes of conduct
  • Approved certification mechanisms
  • Legally binding and enforceable instruments between public authorities or bodies.

What are the exemptions for restricted transfers?

It may be worth considering whether an exemption may apply to your restricted transfer. These can be used in limited circumstances and include:

  • Explicit consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.
  • Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.
  • Public interests – the transfer is necessary for important reasons of public interest.
  • Legal necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.
  • Vital interests – the transfer is necessary to protect someone’s vital interests (i.e. in a critical, life-or-death situation) where the individual is physically or legally incapable of giving consent.

The ICO makes the point most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t be reasonably achieved another way.

The regulatory guidance says exemptions, such as contractual necessity, are more likely to be proportionate for occasional transfers, a low volume of data and where there is a low risk of harm when the data is transferred.

The above is not an exhaustive list of the exemptions, further details can be found here.

There’s no getting away from it: international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks.

Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be taken here on the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

Data protection reflections and predictions

2023 highlights and what’s in store for 2024?

December 2023

What’s been most significant in the world of data protection in past year? And what do we think will be taxing our minds in the year to come? We’ve asked some friends to share their thoughts. Grab a cuppa, sit back and enjoy our musings.

Christopher Whitewood, Privacy and Data Protection Officer, Direct Line Group

2023 was the year that AI got real! AI moved from a debate among subject matter experts to becoming boardroom concern. The risks of AI have been widely publicised from your Terminator/Matrix doomsday scenarios, but many businesses have successfully deployed AI to streamline burdensome processes and generate efficiencies.

AI will remain a hot topic throughout 2024 and beyond. Organisations will need to consider how they can build privacy and security into model designs; explain any model deployments and ensure customer outcomes remain fair. Privacy professionals will need to develop their knowledge of AI to have meaningful conversations with interested business areas and aim to enhance their Data Literacy skills. Privacy support will be crucial to help design processes and governance that permit effective, but controlled innovation.

Businesses will need to keep a watchful eye on regulatory developments, following agreement of the EU AI Act and progress of the UK Government’s approach to AI regulation. 2024 will certainly not be dull!

Dominic Batchelor, Head of IP and Privacy, Royal Mail Group

Whilst the implications of AI will continue to feature prominently during 2024, the new year is also likely to bring the first proper post-Brexit divergence of UK data protection laws from the EU. This is both in terms of the substantive changes proposed by the Data Protection and Digital Information (No.2) Bill – notably, the loosening of accountability requirements – and the UK’s potential establishment of ‘data bridges’ to countries the EU does not consider adequate.

How this impacts the UK’s adequacy from an EU perspective remains to be seen, but concerns are bound to be raised, with questions resurfacing about the need to bolster EU-UK data transfers. We should also expect the ICO to use any increased scope for issuing fines for PECR breaches and consequently for organisations to focus more on PECR compliance.

Redouane Serroukh, Head of Information Governance & Risk, NHS Integrated Care Board of Herts and West Essex

2023 has been a record-breaking year for GDPR fines, with Ireland’s Data Protection Commission (DPC) leading the way with a whopping €1.2 billion fine after it found Meta to be in violation of GDPR when transferring personal data from the EU to the US. The DPC also found time to fine Meta €390 million earlier in the year, for falling foul of the requirements of consent for advertising. Meta was not the only company on the DPC’s radar, with TikTok also receiving a €345 million fine for its handling of underage users’ data.

Here in the UK, the ICO’s highest fine in 2023 was also handed to TikTok to the tune of £12.7 million for illegally processing the data of children under the age of 13.

The ten highest fines issued under the UK or EU GDPR have been focused on many of the tech companies with WhatsApp, Spotify and Clearview AI also making it on to the list. It would appear the regulators are not afraid to go for the big companies with equally big fines and are hoping that these will serve as reminders to other companies, big or small, that GDPR compliance is just as important as it has ever been.

Robert Bond, Senior Counsel, Privacy Partnership

For UK/EU to US transfers, we have had Safe Harbour, then Privacy Shield, and in 2023 we got the Data Privacy Framework and the UK Data Bridge. The EU and UK seemed to judge the US as an adequate jurisdiction… but Max Schrems and NOYB have other ideas.

Max Schrems, has said “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests.”

Personal data constantly moves internationally, and businesses need solutions. The EU Standard Contractual Clauses are influencing other jurisdictions such as the Middle East, South America, Africa and the Far East. In due course, we may get international data transfer conventions such as the OECD initiative, Data Free Flow with Trust (DFFT).

In my view the DFFT will be a major influence on a global solution, but I think we will see more bilateral agreements in the meantime. Also the EU is likely to speed up the “adequacy” approach, particularly as more and more countries are implementing GDPR-influenced privacy laws.

Sara Howers, Data Protection Officer UK, CGI

2023 has been a frustrating year, waiting to see what/when/if the UK Data Protection and Digital Information Bill (DPDI) will ever see the light of day. Now it’s going through yet another round, with some hat tipping to PECR changes and some AI musings. Until it’s finalised, who knows where it will really land with adequacy rulings, especially now there’s some discussion around revising Human Rights and Equality Bills.

Although, I’m sure most of us have briefed our Senior Management Team about the need for a SRI (Senior Responsible Individual) and how this might change the DPO’s numerous reporting lines (if we still have a DPO?).

The new ICO public listing of the cases their workers are dealing with is also somewhat frustrating. There appears to be no right to query their outcomes which are public entries, especially when you have evidence their conclusions may not be correctly attributed.

I’m sure I won’t be alone when I expect 2024 to be “all about AI”, and I also expect an uptick in Data Subject Access Requests. With many more questions around ADM (automated decision making) and what algorithms are making what decisions, it’s time for everyone to give their Privacy Notices an overhaul.

Michael Bond, Group Data Protection Officer – News UK

Back in the summer, I wrote personally to the Public Bills Committee about the DPDI No2 Bill (as it was then). I asked Government to really grasp the opportunity to innovate in the data protection space, rather than tinker about. I am now concerned, as I am sure others are, that government has not only failed to take the opportunity to show global leadership on data protection issues, but has in fact put information rights on the backburner in the UK. An opportunity lost.

Andrew Bridges, Data Governance Manager, Sagacity

I can’t believe we celebrated five years of the GDPR in 2023. I strongly believe the GDPR was needed at the time it became a regulation but, what still amazes me is how many organisations still grapple with their core understanding of regulation …yes, five years on!

As we enter 2024, we’ll now have supplementary amends created by the Data Protection & Digital Information Bill to contend with, so it looks like another year of grappling with regulations.

Oh, did I mention AI…. we will see rapid experimentation and initiatives in the AI space in 2024. Whilst AI has the potential to be a force for good, we must remember it does come with a warning to ensure it’s used in an ethical way so we don’t see a rise in risk to privacy and potential misuse of personal data.

Charles Ping, Managing Director Europe, Winterberry Group

2024 really looks like it’ll be the year when all the posturing stops, and privacy takes a leap forward with the deprecation of cookies on Chrome. My prediction is that the sky won’t fall in and the disciples of Chicken Licken will wake up to a world that still has blue above our heads, where digital media is still planned, activated, consumed and measured for brands wanting to reach customers.

However, when we reflect on the sometimes partisan arguments of the past 3+ years and the endless posturing to be the next “universal ID”, we will note that this discussion has been hugely important. The whole process of deprecation has fuelled a much wider understanding of the features that define privacy-enabled marketing and measurement. Three years ago, differential privacy, salting and confidential computing weren’t on many marketers’ agenda. They are now.

Importantly, we now have an evolution in the landscape where policy and regulation understands how data protection rules can be used to enhance and fuel market power and sets us on a future path, where privacy and competitive markets are regulated in tandem. That is progress.

Philippa Donn, Partner, DPN Associates

In 2023, I was struck by the ICO’s decision to make it UK ‘Year of the Reprimand.’ The ICO announced, controversially, public sector organisations will routinely receive reprimands rather than fines. Around thirty five reprimands were issued; mostly to organisations in the public sector, but some in the private sector too.

I appreciate fines are the ultimate sanction and act as a deterrent. Conversely, I understand how fining publicly funded organisations only serves to hit the public purse (in effect, taxpayers shelling out for mistakes made by civil servants).

What’s interesting is these reprimands are now published. Offenders are named, with details of errors made and remedies implemented. Rich learnings for us all. Some cases involved companies which suffered sophisticated cyber-attacks. Considering how devastating these can be, and the expense involved in fixing them and implementing changes, I see why a fine might not be the ‘answer.’ In the current economic climate, a financial penalty could lead to job losses or even push a company under.

As for 2024, I’ll be watching closely the fallout from the cookie warning letters the ICO recently issued to some of the UK’s most visited websites. Much of the free content we read online is dependent on advertising. Consent for tracking isn’t going to work; I predict either a stand-off with the ICO or more content being placed behind pay walls. Can trade-offs be made between advertising standards, the law and the risk of excluding those on low incomes from accessing quality online content, particularly journalism?

Simon Blanchard, Partner DPN Associates

There have been some dreadful data breaches in 2023, not least the breach by the Police Service of Northern Ireland. It’s undeniable that breaches occur far too frequently. Yet even in these uncertain times of increased global cyber threat, ransomware, social engineering and so on… the lion’s share of data breaches reported to the ICO still arise from human error, not bad actors! And most are preventable.

In 2024, let’s provide practical information security training to our teams and get to grips with minimising the personal identifiers our teams process outside the core systems (e.g. in Excel or Sheets), where our powers to protect the data may be weaker.

We’ll be sure to keep you updated throughout 2024 on the progress of the UK DPDI Bill, AI developments, international data transfers, the future of cookies and any other surprises along the way!

International Data Transfers and UK-US Data Bridge

September 2023

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live on 12 October 2023.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.

The UK Government stresses data bridges are not reciprocal: they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individuals’ personal data under UK GDPR is maintained once the data leaves the UK.

The UK-US Data Bridge is aimed at easing the burden on UK businesses, faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.

For more than a decade the Austrian privacy activist Max Schrems (and his business NOYB) has been challenging data transfers and highlighting concerns about US Government and agencies ability to access and intercept data transferred to the US.

This ultimately led to a 2020 ruling of the Court of Justice of the European Union, known as Schrems II, which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard, Standard Contractual Clauses (SCCs).

(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)

Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data to the US, such as putting in place the new (2021) Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.

In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risk Assessments for UK-based businesses. Oh, and let’s not forget there’s also the UK Addendum to the EU SCCs.

Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US on 10 July 2023. The EC confirmed the EU-US Data Privacy Framework gives protection to transferred personal data which is comparable to that provided within the EU.

This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses subject to the jurisdiction of the Federal Trade Commission or the US Department of Transportation are eligible, and they need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be certified under the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is a UK extension to the EU framework, which US suppliers would also need to sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking:

1) whether the US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the categories of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge, or Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example special category data (such as health data, biometrics, political opinions) and criminal offence data require additional measures.

There’s further information available about the Data Privacy Framework here, and you can also check whether a US business is signed up using the participant search.

Legal challenges

As with its predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. These challenges are likely to take many months, maybe even years, to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US data bridge.

Businesses wanting to take a belt-and-braces approach may therefore want to still rely on safeguard measures such as the EU Standard Contractual Clauses, the UK International Data Transfer Agreement and, where necessary, the UK Addendum.

See our International Data Transfer Guide for an overview of the rules and requirements.

EU Representative and Swiss Representative for data protection

September 2023

Do you need to appoint a data protection representative?

The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the post-Brexit requirement for many businesses to appoint an EU representative.

What is an EU Representative?

If you’re a UK based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.

This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.

The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Your website being accessible to EU citizens is not, on its own, enough to require an EU Representative. It needs to be ‘apparent or envisaged’ that your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation:

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirement of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if you are a public authority, or if your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answers to all the above questions are NO.

But if for example you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

Once you’ve established you meet the criteria, you need to know what an EU Representative’s responsibilities are and find a company to provide this service. They have the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. To select Ireland, though, you would need to be handling Irish citizens’ data. If, for example, you only process French and German citizens’ data, you would need a Representative in one of those countries.

What about Swiss Representatives?

The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.

In practice, as with the EU GDPR, organisations targeting goods or services at Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example, if your activities:

  • involve offering goods and/or services to individuals in Switzerland or monitoring their behaviour, on a large scale, and
  • are on a large scale, carried out regularly, and pose a high risk to the data subject.

The role of the Swiss Rep has evolved from the EU GDPR model: they act as a local, accessible point of contact in Switzerland for individuals and for the Federal Data Protection and Information Commissioner (FDPIC).

However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale, carried out regularly and posing a high risk forms part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption from appointing an EU representative if your processing is not on a large scale, is not routine and is not high risk.

So, what’s the risk of not having a Representative?

This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.

However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.

International Data Transfers Q&A

July 2023

There’s no getting away from the fact that navigating the rules regarding the transfer of personal data to different countries around the world can be complicated.

Multiple different scenarios between controllers, processors and even entities within the same group of companies can throw up all kinds of questions. What’s the most appropriate transfer mechanism to use? Do we need to do a risk assessment? What should we do for Intra-Group transfers?

In this Q&A session we’ve selected some questions raised by the DPN audience which we believe will be useful for many organisations. We’re delighted to be able to draw on the expertise of Debbie Venn, Partner at DMH Stallard LLP to provide her answers.

Q: We are a controller based in the UK and we process the data of UK, EU and other citizens globally. We contract service providers based in the USA. What transfer mechanism should we use?

As the personal data being processed includes both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs), with the UK applicable Addendum (Module One – controller-processor). This is so it can be covered under one agreement, rather than having a UK International Data Transfer Agreement (IDTA) and the EU SCCs, for this purpose.

You’ll also need to consider (as part of your controller responsibilities) whether there are any specific laws which need to be complied with in the jurisdictions outside of the UK and EU, such as California. This is to make sure there are no other provisions that need to be added into a relevant controller to processor agreement.

A controller to processor data processing agreement can cover all data sharing activities, with the EU SCCs and UK Addendum appended, to ensure compliance with both EU and UK GDPR.

We’d recommend this especially when special category data is being transferred, so additional wrap-around measures can be included, in addition to the EU SCCs and UK addendum. Alternatively, if the personal data being shared is minimal, you could opt for just the EU SCCs and UK Addendum.

As the processors are based in the USA, a Transfer Risk Assessment would also need to be carried out for the purposes of assessing any additional security measures to put in place. However, if the U.S. organisation is a signatory to the recently adopted EU-US Data Privacy Framework, this risk assessment would not be necessary.

Q: For Intra-Group Transfers should we consider basing this on EU SCCs or the UK IDTA, or Binding Corporate Rules (BCRs)?

BCRs, while they are useful, are complicated. They’re difficult to manage and agree internally within a group. They also need approval from a relevant Supervisory Authority – a process which can be painfully long. The UK ICO has, I believe, only 9 companies that have adopted BCRs since UK GDPR became effective.

Many organisations are therefore opting to use EU SCCs or the UK IDTA (or EU SCCs with the UK Addendum if both EU and UK personal data is being transferred). The agreement can set a detailed, granular framework for data sharing, reflecting the sharing practices, internal security compliance, and so on, in addition to the international data transfer elements. This is also useful when handling companies coming into the group and acceding to the Intra-Group agreement.

Q: Do we need to perform a Transfer Risk Assessment for Intra-Group Transfers?

This depends to a degree on where group companies are located. But in principle, a TRA must be carried out to cover the proposed data flows / transfers in addition to entering into the relevant agreements / clauses.

Q: For Intra-Group Transfers should we follow the data flows, or the group company locations?

Follow the data. An Intra-Group Transfer Agreement should be set up to support the flows of the data, rather than prescribe how that data should flow.

Q: What is a Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA)?

A TRA/TIA is an assessment which should be conducted when relying on an appropriate safeguard for a data transfer, for example EU SCCs, the UK IDTA or BCRs. Risk assessments are not required where an adequacy decision is in place, or when relying on an exception (derogation).

The aim of the assessment is to make sure the level of protection offered under the UK/EU GDPR is maintained even when the data is transferred outside the UK/EEA, and to identify and help mitigate any risks where necessary. The level of protection for the importer of the data / country doesn’t need to be the same, but it must be essentially equivalent or sufficiently similar.

UK Transfer Risk Assessment (TRA)

This is an assessment produced by the UK ICO. It’s a risk-based approach, considering the harm in terms of non-compliance. It represents a fairly pragmatic approach focused on the likelihood of risk in terms of the receiving country and who might have access to the data (e.g. law enforcement or national security agencies).

It assists an assessment of whether the protection of personal data in a third country is adequate, and does this on the basis of whether standards in that third country are materially lower, rather than whether protection is equivalent (as for the EU assessment). Essentially, you need to consider:

    • Who is the data importer?
    • Status of the data importer (i.e. controller/processor/sub-processor)
    • Activities of the data importer
    • Details of the personal data being transferred, including the individuals it relates to and the nature of the information. Does it include special category data? What volumes are involved, and how frequent are the transfers?
    • Protection mechanisms in place, including format and transfer process
    • Assign a risk level to the proposed data being transferred (low, moderate or high) and adjust the data, if this is possible and can help to reduce the risk.
    • Are the human rights of individuals in the destination country of a lower standard than in the UK/EEA? Is it more likely that human rights breaches will occur, or would they be more severe if they did? Extra protections might be needed based on this risk.
    • What enforcement mechanisms are in place?
    • Do any exceptions apply? For example, in an emergency situation.

For more detail see the ICO Transfer Risk Assessment Guidance and TRA Tool.

EU Transfer Impact Assessment (TIA)

The approach adopted in the EU is referred to as “supplementary measures”. This is more detailed and includes the European Data Protection Board (EDPB) recommendations on measures to supplement transfer mechanisms. If you’re a global business, the more pragmatic UK ICO approach may not be sufficient to meet the TIA requirements covering EU personal data.

For more information see the EDPB supplementary measures recommendations.

Q: Who should complete the TRA/TIA in a supplier relationship – the controller or the processor?

Generally the controller should be assessing whether their personal data can be transferred to a processor. This is also usually governed by a data processing agreement between the two parties.

However, it may depend on which party is initiating the restricted transfer, i.e. who is the exporter? This could be a processor or controller in the UK/EU transferring the data overseas. If a processor is exporting the data, they would be responsible for undertaking the TRA/TIA and putting the relevant SCCs/IDTA in place with any sub-processors involved.

Controllers however have a responsibility to make sure they are using processors who take sufficient steps to protect personal data. It’s not 100% clear how far the controller’s obligations would go to verify the processor’s compliance with UK/EU GDPR when making a restricted transfer.

Q: What level of assurance should we expect from other controllers (data importers) for any onward transfers to processors? Should we ask to review their TRA/TIAs?

Reviewing TRA/TIAs would help you understand the assessments made. However, this is all about assessment of the risks. The controller will need to weigh up the risks, broadly considering a number of factors, such as:

  • Controller’s risk profile
  • Risk profile of the data
  • Data subjects in scope
  • Nature of the processing
  • Third countries involved and risk under local laws
  • Scope of the processor’s processing activities and their assessments
  • Reputation of the processor
  • Sub-processors used
  • Nature of assurances provided – has the processor given enough reassurance around the assessments they have made when making a restricted transfer?
  • Contractual provisions between the parties

Thanks Debbie! As these questions and Debbie’s responses demonstrate, the world of international data transfer rules can be tricky to unravel – especially for the uninitiated.

For many businesses, it often comes down to taking a proportionate approach based on the size of your organisation and the sensitivity, volume and frequency of the personal data you are transferring overseas.

What’s crucial is knowing where your data flows and to whom. Only then can you make a judgement call on the potential risks, and ensure appropriate transfer measures are in place for higher-risk activities.

International Data Transfer Resources

How to tackle international data transfers

The rules on international data transfers under UK/EU data protection law can be complex to navigate. At the core is a requirement for specific safeguard measures to be in place for what are termed ‘restricted transfers’ and for companies to assess the risk posed to individuals by transferring their data overseas.

Data Transfers Q&A

Multiple different scenarios for international data transfers throw up all kinds of questions. We’ve selected some questions raised by our audience which we believe will be common to many organisations: International Data Transfers Q&A with Debbie Venn, Partner at DMH Stallard LLP.

Other useful resources

UK

ICO Guidance – International Data Transfer Agreement

ICO Guidance and Tool – UK Transfer Risk Assessments

EU

European Data Protection Board Guidance on International Data Transfers

European Data Protection Board – information sheet re US adequacy decision

European Data Protection Board supplementary measures recommendations

EU-U.S. Data Privacy Framework – how long will it last?

What does this mean and are legal challenges expected?

The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The EC confirmed the DPF gives protection to personal data transferred which is comparable to that provided within the EU.

The new framework enters into force immediately, as of 11th July 2023. This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S.

It works in a similar way to the previous Privacy Shield, and will only apply where US organisations certify compliance with the DPF’s principles.

It’s proposed the UK-US ‘Data Bridge’ will shortly piggyback off this EU-US agreement.

U.S. says commitments have been met

For the EC to grant this adequacy decision, it has taken significant changes to U.S. intelligence gathering activities. The EC’s decision was made a few days after the U.S. announced it had completed the key commitments under President Biden’s executive order regarding the DPF. A press release published by the European Commission confirmed:

“The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court.”

Robert Bond, Senior Counsel at Privacy Partnerships and Chair of the DPN Advisory Group commented:

“The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they apply when data is transferred by using other tools, such as SCCs and BCRs, and as the DPF is an adequacy decision by the EU in respect of the data privacy regime in the US, this may simplify the EU transfer impact assessment requirements.”

Self-certification

Crucially, US based data importers must certify their compliance with the DPF principles. These are an updated version of the previous Privacy Shield principles. Organisations which were certified under the Privacy Shield are likely to be in a good position to self-certify under the DPF.

To join the DPF, an eligible organisation must develop a privacy policy which conforms to expected standards, identify an independent recourse mechanism and self-certify through the U.S. Department of Commerce’s DPF website.

EU-based data exporters will be able to check a list on the DPF website to see if a US organisation is certified or not.

Legal challenge is on its way

Both of the past EU-U.S. data transfer frameworks, Safe Harbor and Privacy Shield, were ruled invalid by the Court of Justice of the European Union (CJEU). Concerns are therefore likely to remain about the longevity of the DPF.

noyb, headed up by the infamous Austrian Max Schrems, has already stated its view that the ‘New Trans-Atlantic Data Privacy Framework is largely a copy of Privacy Shield’ and confirmed it plans to challenge the EC’s decision. So watch this space!