Rocio de la Cruz, Partner in the Technology team at BPE Solicitors, discusses what needs to be considered when transferring data to other countries.
Since the General Data Protection Regulation (“GDPR”) and supplementary domestic legislation came into force, organisations in the UK which process personal data have been working to achieve an acceptable level of compliance with the additional obligations the new data protection regime brought with it. In this journey to compliance, we have seen diversity in approaches and opinions concerning how to interpret and apply the GDPR rules. Recently, concerning what to do in the context of international transfers of data, since ensuring that data is transferred to (or accessed from), for example, the US or India, without facing risks of being issued with fines or claims for compensation has become a real challenge. To do so, a detailed Transfer Risks Assessment must be carried out. From my experience, the starting point for a Transfer Risks Assessment is going through the following steps:
Using Standard Contractual Clauses
Standard Contract Clauses (SCCs) are model clauses formally approved that can be put in place between the exporter and the importer as a valid mechanism to allow international transfers of data to “third countries”. By third countries I mean only those that have not been granted with adequacy decisions by the UK Government (or the European Commission - if under EU GDPR) such as the US, Australia, Colombia, China, or India, amongst others.
For now, we have different types of SCCs available depending on whether we apply UK GDPR or EU GDPR. In the UK, the Information Commissioner’s Office (“ICO”) approved a set of SCCs to be applied after Brexit. In the EU, the European Commission has recently approved an updated set of SCCs the content of which now differ from the UK clauses and these new EU SCCs have not been approved by the ICO as a valid mechanism for transfers of data under the UK GDPR. This could mean that a UK business subject to both UK and EU GDPR international transfers may need to implement both UK and EU SCC models with their customers or services providers.
I wish for a mutual recognition of UK/EU SCCs so UK and EU businesses could use either the UK or EU SCCs as valid mechanisms. This would help simplifying things while maintaining the level of protection required in both regimes. In other words, if this happens, businesses will not need to bother customers or contractors with repeated documentation that will need to be revised by legal advisers, discussed, negotiated, agreed and implemented, when one sole set of Clauses would achieve the same purpose. Until then the simplest approach that I have found is to incorporate both clauses by reference in a wrapping agreement and share the necessary details and supplementary measures, all of which is incorporated to both sets of clauses in the wrapping document.
What else must be considered?
For a complete Transfer Risk Assessment (“TRA” also known as Transfer Impact Assessment or “TIA”), the exporter of the data should take into account what laws affecting privacy rights are applicable in the third country and how they apply in practice. If risks are identified and cannot be mitigated, then the transfer isn’t able to take place unless the data protection authority (ICO in the UK) is notified of the transfer and does not object to it.
Considering the legislation applicable in each territory that affects data subjects’ rights (or the lack of it) is a more detailed exercise that, in high risk scenarios may require specialist advice to ensure that data is transferred correctly, using the appropriate measures and that any risks have been assessed and mitigated before a transfer is made.
For advice on transferring data internationally or any other data related matters, contact Rocio de la Cruz at Rocio.delacruz@bpe.co.uk or call 01242 248233
Twitter @BPE_Solicitors
LinkedIn: BPE Solicitors LLP
Nominations for the South Coast Tech & Innovation Awards 2024 are in full swing, and…
The opening of the University of Gloucestershire’s new City Campus in the centre of Gloucester…
Mabway, a defence sector simulation and training business based in Havant, Hampshire, has been acquired…
Warwickshire-based commercial property developer Graftongate has been granted planning consent for a new low-carbon industrial/logistics…
A new logistics and freight yard beside Southampton Container Terminal is predicted to give a…
South Hampshire College Group has been commended by Ofsted inspectors for making significant progress in…