International Data Transfers: Knowing Which Rules Apply to Comply
While countries all over the globe continue to make data privacy strides, comparing the similarities and differences between the EU and U.K. is important in light of Brexit. It is also crucial to know the differences because they affect transfers with the U.S. Analysts and affected organizations have been watching to see how Brexit will influence data privacy regulation in the U.K., and this year some significant changes have materialized. It is important to understand which transfer mechanisms are available to export data from the EU member states and the U.K. to other countries, and to monitor any privacy developments that could influence the current adequacy decision allowing data to flow freely between the U.K. and EU member states.
EU Transfer Updates
Due to the landmark Schrems II decision that came down in 2020, the European Commission created new standard contractual clauses (SCCs) last year applying to personal data transfers from EU member states to other countries. These are inapplicable for transfers involving the U.K. because of Brexit. The new SCCs enhance accountability and transparency to ensure that transfers to countries with privacy standards deemed inadequate align with the General Data Protection Regulation (GDPR).
Recently, the EU reached an agreement in principle with the U.S. on another mechanism to effectuate cross-border data transfers. The Schrems II
ruling invalidated the prior Privacy Shield framework, and the EU does not recognize the U.S. as having adequate data privacy laws or safeguards. In the absence of a new framework, only the new SCCs were available to effectuate these transfers. The Trans-Atlantic Data Privacy Framework would offer a streamlined option to complete such transactions and enhance protection over sensitive EU consumer data. Organizations would also be able to self-certify compliance. This is a huge asset for employers operating in multiple countries or organizations targeting consumers across borders that need to transfer data with ease. Here are some key details that have been released to the public thus far:
- U.S. intelligence agencies will only be able to access data in limited situations when needed to protect national security.
- There will be increased oversight and review over data transfers.
- There will be a review court for EU residents to turn to with non-compliance issues.
While organizations should anticipate this framework, until there is a formal agreement nothing is certain. However, there has been chatter that the framework could become official sometime this year. Interested parties should also monitor whether the EU creates a similar framework with other countries deemed inadequate under the GDPR and any transfer mechanism trends that emerge.
UK Transfer Updates
This February, the Information Commissioner’s Office (ICO) announced new SCCs available for U.K. data transfers. Prior to this, the U.K. was in limbo due to Brexit and relied on adapted versions of the old EU transfer clauses for international data transfers. The new U.K. clauses are more in line with the nation’s vision for data privacy protections, which is starting to materialize with a pending data reform bill that would reduce compliance obligations and reform how the ICO operates. If reform occurs, the EU-U.K. adequacy decision may be deemed invalid, so it is critical to monitor this bill.
The new U.K. SCCs consist of an international data transfer agreement (IDTA) and an addendum, accounting for both new agreements and those already including EU clauses.
- IDTA: Parties can insert this clause into current commercial contracts or create a separate supplementary agreement. Similar to the EU clauses, IDTA accounts for Schrems II concerns and requires data exporters to perform risk assessments. However, there are notable divergences including an option for arbitration, no regulation over audits, absence of a modular structure, and the ability to integrate terms from a prior linked agreement. With controller to processor transfers, gaps exist requiring an additional data processing agreement to remain compliant.
- Addendum: This applies when a contract already contains an EU model clause. To cover what is needed for U.K. data transfers, the parties would simply have to add the model addendum to the existing agreement.
In March, these clauses became effective, but there is still time to comply. All new contracts signed after Sept. 21, 2022 must use these clauses. For existing contracts, old data transfer clauses need to be replaced by March 21, 2024. The ICO also provided guidance on preventing ransomware, including several scenarios aimed at risk mitigation that organizations can use during tabletop exercises. The ICO is expected to announce further guidance on topics such as IDTA use, impact assessments, and more. Affected organizations need to review the IDTA, the Addendum, and any guidance to inform necessary compliance updates and anticipate the ICO’s approach to enforcement.
It is common for organizations to have a global presence or the need to conduct activities outside their borders. To avoid delays and penalties that affect operations and industry reputation, keeping up with data transfer specifications must be a top priority. While the EU and U.K. are major players to keep informed of – especially for U.S. organizations – it is critical to know the data privacy laws for all countries involved in a transaction. This promotes better compliance habits in such a dynamic landscape and will help shine light on gaps requiring attention.