International Data Transfers and UK-US Data Bridge

September 2023

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live 12 October 2023.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.

The UK Government stresses data bridges are not reciprocal, they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individual’s personal data under UK GDPR is maintained.

The UK-US Data Bridge is aimed at easing the burden on UK businesses, faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.

For more than a decade the Austrian privacy activist Max Schrems (and his business NOYB) has been challenging data transfers and highlighting concerns about US Government and agencies ability to access and intercept data transferred to the US.

This ultimately led to a 2020 European Court ruling, known as Schrems II which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard; Standard Contractual Clauses – SCCs.

(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)

Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.

In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risks Assessments, for UK based businesses. Oh, and let’s not forget there’s also the UK Addendum to EU SCCs.

Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed the EU-US Data Privacy Framework, gives protection to personal data transferred which is comparable to that provided within the EU.

This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers would also need sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking;

1) whether US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the caterogies of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge, or Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example special category data (such as health data, biometrics, political opinions) and criminal offence data require additional measures.

There’s further information available about the Data Privacy Framework here, and there’s also an ability to check if a US business is signed up using the participant search.

Legal challenges

As with it’s predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, may be even years to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US data bridge.

Businesses wanting to take a belt and braces approach, may therefore want to still rely on safeguard measures such as EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and where necessary the UK Addendum.

See our International Data Transfer Guide for an overview of the rules and requirements.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

EU Representative and Swiss Representative for data protection

September 2023

Do you need to appoint a data protection representative?

The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the requirement for many businesses to appoint an EU representative post Brexit.

What is an EU Representative?

If you’re a UK based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.

This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.

The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation;

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if; you are a public authority or your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answers to all the above questions is NO.

But if for example you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

Once you’ve established you meet the criteria, you need to know what an EU Representatives responsibilities are and find a company to p0rovide this service.  They have the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. In selecting Ireland, you would need to be handling Irish citizen’s data. If for example you only process French and German citizens’ data you would need a Representative in one of these countries.

What about Swiss Representatives?

The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.

In practice, like the EU GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example if your activities

  • offering goods and/or services to individuals or monitor their behaviour, on a large scale,
  • are on a large scale, carried out regularly and pose a high risk to the data subject.

The role of Swiss Rep has involved from EU GDPR, they act as a local, accessible point of contact in Switzerland for individuals and for the FDPIC.

However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale regularly and posing a high risk are part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption to appointing a EU representative if your processing is not on a large scale, is not routine and is not high risk.

So, what’s the risk of not having a Representative?

This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only to come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.

However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

International Data Transfers Guide

September 2023

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU.

The rules regarding restricted transfers can be an enigma to the uninitiated and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking; what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise.

However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny, in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.

There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent or accessible outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

  • Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
  • Giving a supplier based in another country access to personal data
  • Giving access to UK/EU employee data to another entity in the same corporate group, based in another country.

There are some notable exceptions:

  • Our own employees: A restricted transfer does not take place when sending personal data to someone employed by your company, or them accessing personal data from overseas. However, it does cover the sending, transmitting or making personal data available to another entity within the same corporate group, where entities operate in different countries.
  • Data in transit: Where personal data is simply routed via several other countries, but there is no intention that this data will be accessed or manipulated while it is being routed via other countries, this won’t represent a restricted transfer. ICO guidance says; Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a similar level of data protection standards in place to the sender country. An Adequacy Decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA
The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions.

Therefore personal data can flow freely between EEA countries and an ‘adequate’ country. These decisions are kept under review. There are some concerns UK Government plans to reform data protection law could potentially jeopardise the UK’s current EC adequacy decision.

EU-US Data Privacy Framework: The EC adopted this framework for transfers from the EU to US in July 2023.  It allows for the free flow of personal data to organisations in the US which have certified and meet the principles of the DPF. A list of self-certified organisations can be found on the U.S Department of Commerce DPF website.

Transfers from the UK
There are provisions which permit the transfer of personal data between the UK and the EEA, and to any countries which are covered by a European Commission ‘adequacy decision’ (as of January 2021). Therefore personal data can flow freely between UK and EEA and any of the countries awarded adequacy by the EC.

The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.

UK-US Data Bridge: The UK-US ‘Data Bridge’ was finalised on 21st September 2023 and goes live 12th October 2023. Like the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF but they must also sign up to the ‘UK extension’. Read more about the Data Bridge

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’.

SCCs can be used for restricted transfers from the EEA to other territories (including those not covered by adequacy). The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs cover specific clauses which can be used for different types of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses

Two points worth noting:

  • The deadline to update contracts which use the old SCCs has passed – 27th December 2022.
  • Senders in the UK cannot solely rely on EU SCCs, see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers.

  • The International Data Transfer Agreement, or
  • The Addendum to the new EU SCCs

ICO guidance stresses; the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the new EU SCCs. In other words the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.

In practise, if the transfer is solely from the UK, the UK ITDA would be appropriate. If the transfer includes both UK and EU personal data the, EU SCCs with the UK Addendum would be appropriate, to cover the protection of the rights of EU as well as UK citizens.

It’s worth noting, contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to new EU SCC, in order to be effective. See ICO Guidance

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020, invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries.

As a result of this ruling there’s a requirement when using the EU SCCs or the UK IDTA to conduct a written risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment, and in the UK, it’s called a Transfer Risk Assessment (TRA).

The ICO has published TRA Guidance, which includes a TRA tool; a template document of questions and guidance to help businesses carry out a TRA.

D. Binding Corporate Rules (BCR)

BCRs can be used as a safeguard for transfers within companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous and takes a considerable amount of time to complete BCRs.

BCRs need to be approved by a Supervisory Authority (for example the ICO in the UK, or the CNIL in France).  This has been known to take years, so many groups have  chosen to use EU SCCs (with UK Addendum if necessary) or the IDTA, in preference to going down the BCR route.

E. Other safeguards

Other safeguards measures include;

  • Approved codes of conduct
  • Approved certification mechanisms
  • Legally binding and enforcement instruments between public authorities or bodies.

What are the exemptions for restricted transfers?

It may be worth considering whether an exemption may apply to your restricted transfer. These can be used in limited circumstances and include:

  • Explicit consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.
  • Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.
  • Public interests – the transfer is necessary for important reasons of public interest.
  • Legal necessity – the transfer is necessary for the establishment exercise or defence of legal claims.
  • Vital interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

The ICO makes the point most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t be reasonably achieved another way.

The regulatory guidance says exemptions, such as contractual necessity, are more likely to be proportionate for occasional transfers, a low volume of data and where there is a low risk of harm when the data is transfer.

The above is not an exhaustive list of the exemptions, further details can be found here.

There is no getting away it, international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks.

Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be taken here on the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

International Data Transfers Q&A

July 2023

There’s no getting away from the fact, navigating the rules regarding the transfer of personal data to different countries around the world can be complicated.

Multiple different scenarios between controllers, processors and even entities within the same group of companies can throw up all kinds of questions. What’s the most appropriate transfer mechanism to use? Do we need to do a risk assessment? What should we do for Intra-Group transfers?

In this Q&A session we’ve selected some questions raised by the DPN audience which we believe will be useful for many organisations. We’re delighted to be able to draw on the expertise of Debbie Venn, Partner at DMH Stallard LLP to provide her answers.

Q: We are a controller based in the UK and we process the data of UK, EU and other citizens globally. We contract service providers based in the USA. What transfer mechanism should we use?

As the personal data being processed includes both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs), with the UK applicable Addendum (Module One – controller-processor). This is so it can be covered under one agreement, rather than having a UK International Data Transfer Agreement (IDTA) and the EU SCCs, for this purpose.

You’ll also need to consider (as part of your controller responsibilities) whether there are any specific laws which need to be complied with in the jurisdictions outside of the UK and EU, such as California. This is to make sure there are no other provisions that need to be added into a relevant controller to processor agreement.

A controller to processor data processing agreement can cover all data sharing activities, with the EU SCCs and UK Addendum appended, to ensure compliance with both EU and UK GDPR.

We’d recommend this especially when special category data is being transferred, so additional wrap-around measures can be included, in addition to the EU SCCs and UK addendum. Alternatively, if the personal data being shared is minimal, you could opt for just the EU SCCs and UK Addendum.

As processors are based in the USA, a Transfer Risk Assessment would also need to be carried out for the purposes of assessing any additional security measures to put in place. However, if the U.S organisation is a signatory to the recently adopted EU-US Data Privacy Framework, this risk assessment would not be necessary.

Q. For Intra-Group Transfers should we consider basing this on EU SCCs or UK ITDA, or Binding Corporate Rules (BCRs)?

BCRs while they are useful, are complicated. They’re difficult to manage and agree internally within a group. They also need approval from a relevant Supervisory Authority – a process which can be painfully long. The UK ICO has, I believe, only 9 companies that have adopted BCRs since UK GDPRs became effective.

Many organisations are therefore opting to use EU SCCs or the UK IDTA (or EU SCCs with UK Addendum if both EU and UK personal data is being transferred). The agreement can set a detailed, granular framework for data sharing, reflecting the sharing practices, internal security compliance, and so on, in addition to the international data transfer elements. This is also useful when handling companies coming into the group and acceding the Intra-Group agreement.

Q. Do we need to perform a Transfer Risk Assessment for Intra-Group Transfers?

This depends to a degree on where group companies are located. But in principle, a TRA must be carried out to cover the proposed data flows / transfers in addition to entering into the relevant agreements / clauses.

Q. For Intra-Group Transfers should we follow the data flows, or the group company locations?

Follow the data. An Intra-Group Transfer Agreement should be set up to support the flows of the data, rather than prescribe how that data should flow.

Q. What is a Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA)?

A TRA/TIA is an assessment which should be conducted when relying on an appropriate safeguard for a data transfer, for example, EU SCCs, UK ITDA or BCRs. Risk assessments are not required where an adequacy decision is in place, or when relying on an exception (derogation).

The aim of the assessment is to make sure the level of protection offered under the UK/EU GDPR is maintained even when the data is transferred outside the UK/EEA and to identify and help mitigate any risks, where necessary. The level of protection for the importer of the data / country doesn’t need to be the same, but essentially equivalent or sufficiently similar.

UK Transfer Risk Assessment (TRA)

This is an assessment produced by the UK ICO. It’s a risk-based approach, considering the harm in terms of non-compliance. It represents a fairly pragmatic approach focused on the likelihood of risk in terms of the receiving country and who might have access to the data (e.g. law enforcement or national security agencies).

It assists an assessment of whether the protection of personal data in a third country is adequate and does this on the basis whether standards in a third country are materially lower, rather than whether protection is equivalent (as for EU assessment). Essentially, you need to consider:

    • Who is the data importer?
    • Status of the data importer (i.e. controller/processor/sub-processor)
    • Activities of the data importer
    • Details of the personal data being transferred, including the individuals it relates to and the nature of the information. Does it include special category data, what kinds of volumes and how frequent?
    • Protection mechanisms in place, including format and transfer process
    • Assign a risk level to the proposed data being transferred: low, moderate or high and adjust the data, if this is possible and can help to reduce the risk.
    • Are the human rights of individuals in the destination country of a lower standard than in UK/EEA? Is it more likely that human rights breaches will occur, or would they be more severe if they did? Extra protections might be needed based on this risk.
    • What enforcement mechanisms are in place?
    • Do any exceptions apply? For example, in an emergency situation.

For more detail see the ICO Transfer Risk Assessment Guidance and TRA Tool

EU Transfer Impact Assessment (TIA)

The approach adopted in the EU is referred to as “supplementary measures”. This is more detailed and includes the European Data Protection Board (EDPB) recommendations on measures to supplement transfer mechanisms. If you’re a global business, the more pragmatic UK ICO approach may not be sufficient to meet the TIA requirements covering EU personal data.

For more information see the EDPB supplementary measures recommendations

Q: Who should complete the TRA/TIA in a supplier relationship – the controller or the processor?

Generally the controller should be assessing whether their personal data can be transferred to a processor. This is also usually governed by a data processing agreement between the two parties.

However, it may be depend on which party is initiating the restricted transfer; i.e. who is the exporter? This could be a processor or controller in the UK/EU transferring the data overseas. If a processor is exporting the data, they would be responsible for undertaking the TRA/TIA and putting the relevant SCCs/IDTA in place with any sub-processors involved.

Controllers however have a responsibility to make sure they are using processors who take sufficient steps to protect personal data. It’s not 100% clear how far the controller’s obligations would go to verify the processor’s compliance with UK/EU GDPR when making a restricted transfer.

Q: What level of assurance should we expect from other controllers (data importers) for any onward transfers to processors? Should we ask to review their TRA/TIAs?

Reviewing of TRA/TIAs would help understand the assessments made. However, this is all about assessment of the risks. The controller will need to weigh-up the risks, broadly considering a number of factors, such as:

  • Controller’s risk profile
  • Risk profile of the data
  • Data subjects in scope
  • Nature of the processing
  • Third countries involved and risk under local laws
  • Scope of the processor’s processing activities and their assessments
  • Reputation of the processor
  • Sub-processors used
  • Nature of assurances provided – has the processor given enough reassurance around the assessments they have made when making a restricted transfer?
  • Contractual provisions between the parties

Thanks Debbie! As these questions and Debbie’s responses demonstrate, the world of international data transfer rules can be tricky to unravel – especially for the uninitiated.

For many businesses, it often comes down to taking a proportionate approach based on the size of your organisation and the sensitivity, volume and frequency of the personal data you are transferring overseas.

What’s crucial is knowing where your data flows and to whom. Only then can you make a judgement call on the potential risks, and ensure appropriate transfer measures are in place for higher-risk activities.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

International Data Transfer Resources

How to tackle international data transfers

The rules on international data transfers under UK/EU data protection law can be complex to navigate. At the core is a requirement for specific safeguard measures to be in place for what are termed ‘restricted transfers’ and for companies to assess the risk posed to individuals by transferring their data overseas.

Data Transfers Q&A

Multiple different scenarios for international data transfers throw up all kinds of questions. We’ve selected some questions raised by our audience which we believe will be common to many organisations: International Data Transfers Q&A with Debbie Venn, Partner at DMH Stallard LLP.

Other useful resources

UK

ICO Guidance – International Data Transfer Agreement

ICO Guidance and Tool – UK Transfer Risk Assessments

EU

European Data Protection Board Guidance on International Data Transfers

European Data Protection Board – information sheet re US adequacy decision

European Data Protection Board supplementary measures recommendations

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

EU-U.S. Data Privacy Framework – how long will it last?

July 2023

What does this mean and are legal challenges expected?

The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The EC confirmed the DPF gives protection to personal data transferred which is comparable to that provided within the EU.

The new framework enters into force immediately, as of 11th July 2023. This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S.

It works in a similar way to the previous Privacy Shield, and will only apply where US organisations certify compliance with the DPF’s principles.

It’s proposed the UK-US ‘Data Bridge’ will shortly piggyback off this EU-US agreement.

U.S. says commitments have been met

For the EC to grant this adequacy decision, it’s taken significant changes to U.S. intelligence gathering activities. The EC’s decision was made a few days after the U.S. announced it had completed the key commitments under President Biden’s executive order regarding the DPF. A press release published by the European Commission confirmed:

“The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court.”

Robert Bond, Senior Counsel at Privacy Partnerships and Chair of the DPN Advisory Group commented:

“The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they apply when data is transferred by using other tools, such as SCCs and BCRs and as the DPF is an adequacy decision by the EU in respect of the data privacy regime in the US, this may simplify the EU transfer impact assessment requirements.”

Self-certification

Crucially, US based data importers must certify their compliance with the DPF principles. These are an updated version of the previous Privacy Shield principles. Organisations which were certified under the Privacy Shield are likely to be in a good position to self-certify under the DPF.

To join the DPF, an eligible organisation must develop a privacy policy which conforms to expected standards, identify an independent recourse mechanism and self-certify through the U.S. Department of Commerce’s DPF website.

EU-based data exporters will be able to check a list on the DPF website to see if a US organisation is certified or not.

Legal challenge is on its way

Both of the past EU-U.S. data transfer frameworks, Safe Harbor and Privacy Shield, were ruled invalid by the Court of Justice of the European Union (CJEU). Concerns are therefore likely to remain about the longevity of the DPF.

noyb, headed up by the infamous Austrian Max Schrems, has already stated it’s view the ‘New Trans-Atlantic Data Privacy Framework is largely a copy of Privacy Shield’ and confirmed it plans to challenge the EC’s decision. So watch this space!

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Google Analytics: GA4 vs Universal Analytics – What will change?

July 2022

Will GA4 improve compliance?

For any users of Google Analytics, you will have started to see some messaging warning that the Universal Analytics tools will be retired in 2023 and that now is the time to migrate across to Google Analytics 4.

 What is Google Analytics 4 (GA4)? 

GA4 is a new property that helps analyse the performance of your website and app traffic and will replace Universal Google Analytics. It was first released in October 2020 although it’s only now that the campaign to migrate across has started in earnest. 

 Key components include: 

  • Event-based tracking: Universal Analytics is session-based, while GA4 is event–based. In other words, the ability to track events like button clicks, video plays, and more is built in with GA4, while this requires advanced setups in UA. This comes from the premise that page views aren’t the sole important metric.
  • Cross-device tracking: UA was built around desktop web traffic, while GA4 gives businesses visibility into the customer journeys across all of their website and apps.
  • Machine learning: GA4 uses machine learning technology to share insights and make predictions.
  • Privacy-friendly: UA data relies heavily on cookies, GA 4 does not.

Crucially, on July 1, 2023, standard Universal Analytics properties (the previous version of Google analytics) will no longer process data. You’ll be able to see your Universal Analytics reports for a period of time after July 1, 2023. This means that to have a continuous history of activity, it makes sense to move across to the new GA4 platform sooner rather than later. 

What privacy improvements have been made?

GA4 came with a set of new privacy-focused features for ticking GDPR boxes including: 

  • Data deletion mechanism. Users can now request to surgically extract certain data from the Analytics servers via a new interface. 
  • Shorter data retention period. You can now shorten the default retention period to 2 months (instead of 14 months) or add a custom limit.  
  • IP Anonymisation. GA4 doesn’t log or store IP addresses by default. They allocate an anonymous and unique user id to each record
  • First-party data cookies. Google uses first-party cookies which means they’ll still be supported by browsers
  • More data sampling. Google is doing more data sampling using AI to gain more granular analytics insights – this is more privacy friendly and uses models to investigate deeper insights
  • Consent mode. The behaviour of Google tags is managed based on user consent choices. 
  • Collecting PII. Google does not allow the collection of PII in GA4 –  this is considered a violation of Googles terms of service
  • Data sharing with other Google Products. Any linking to Google advertising products requires explicit opt-in consent and a prominent section on the privacy notice 

Is Google now compliant?

Possibly in limited circumstances. If Google anonymises the data by allocating a user id that is never referenced with any other data then we can argue the data is anonymous and therefore not subject to GDPR regulation.

In some instances, this may be the case if you are doing simple tracking and effectively treat your digital platforms as an ivory tower. In most instances, it is not!

If you are advertising and can then link the id to other data, there is the potential to identify individuals and therefore the information becomes personal data and subject to GDPR.

This means that all the usual user consent rules apply and opt-in consent is required to analyse activity.

The major difficulty for Google is that data is exported to the US where it is deemed, by the EU, that Google does not adequately protect EU personal data from US surveillance rules. 

Previously, Google relied on the Privacy Shield framework to ensure that it remained compliant. Since that has been invalidated in 2020, Google has struggled to achieve compliance and has faced a number of fines.          

In particular, Google Analytics does not have a way for:

·       Ensuring data storage within the EU

·       Choosing a preferred regional storage site

·       Notifying users of the location of their data storage and any data transfers outside of the EU

What next?

Ideally, Privacy Shield 2.0 will be introduced soon! Talks have started but they’re unlikely to be swift! The US government has been talking about making its surveillance standards “proportional” to those in place in the EU. This may not be good enough for CJEU. 

In the meantime, implement GA4 as it is more privacy-focused than Google Universal Analytics and hope that US and EU come to an agreement soon. There is a risk in using GA4 and you might want to consider using other solutions.

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted.  On September 27th 2021, the prior version of the SCCs expired. 

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCCs arrangements in UK law thus re-instating the means by which we can lawfully export data to places such as the US. 

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval“.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do.  Good sense has prevailed. 

 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Join 7,600+ others with DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.