Now that the UK has left the EU, the government wants to create a new data regime, which will build on the retained EU version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR) along with the Data Protection Act 2018. As the first step towards reforming the regime, the ‘Data: a new direction’ public consultation was launched by the Department for Digital, Culture, Media and Sport on 10 September 2021 and closed 19 November 2021.
Last time, B P Collins’ corporate and commercial team looked at Chapter 2 of the consultation – Reducing burdens on businesses and delivering better outcomes for people. In this article, we summarise Chapter 3 – Boosting trade and reducing barriers to data flows.
UK GDPR restricts transfers of personal data outside the UK, unless the rights of the individual (to whom that personal data relates to) are protected. The proposals in this chapter aim to facilitate the flow of data to and from other countries.
Adequacy
Currently, personal data can be transferred outside the UK to a third country, which is covered by UK adequacy regulation. This is where a country’s data protection laws have been assessed as providing essentially equivalent protection as the UK’s.
The government wants to reform these adequacy requirements by carrying out adequacy assessments of other countries and adding them to the list of countries already covered by adequacy regulations.
The government also wants to focus on risk-based decision-making. The Consultation document which accompanied the public consultation discussed the European Court of Justice decision known as Schrems II where the EU-US Privacy Shield (which enabled US companies to more easily receive personal data from the EU) was struck down. In the consultation document, the government suggested that where there may be a risk of certain practices, perceived to undermine data protection rights, the government would approach the adequacy assessment on whether these practices are applied and are material. Therefore, if there are certain practices carried out by other countries that may undermine data protection rights, the risk to data subjects could be assessed as low if those practices are not always applied.
The ICO highlights that any reforms to adequacy should not affect the UK’s own adequacy status with the EU. The EU’s adequacy decisions are crucial for many UK businesses and it is important that these are not withdrawn.
Alternative transfer mechanisms
There are also proposals to explore alternative mechanisms for international data transfers where the country has not been assessed as having adequate protections and to make these alternative mechanisms clear and flexible.
One of these alternative mechanisms includes the existing standard contractual clauses (SCCs). The ICO has created a UK version of the EU SCCs.
The ICO has also published the international data transfer agreement (IDTA) which will replace the UK SCCs. The ICO recently held a consultation on the draft IDTA, which ran from 11 August 2021 until 11 October 2021 and on 2 February 2022, the final version of the IDTA was laid before Parliament. If there are no objections raised, the IDTA will come into force on 21 March 2022.
Another proposal that is supported by both The Law Society and the ICO is the development of international certification schemes to allow for international data transfers and assure data protection compliance. The government is looking to work with international schemes that could be approved as meeting UK standards.
Derogations
The government has also proposed to review the derogations set out in Article 49 UK GDPR where you can make a restricted personal data transfer, which would not have been allowed otherwise. One proposal is to allow for the repetitive use of the derogations and the government has also suggested that the derogations should be clarified. The ICO has stated that as the derogations are to be used in exceptional circumstances, there may need to be additional safeguards when these are used for repetitive transfers. However, the ICO welcomes clarification of the derogations.
Next week we will be summarising Chapter 4 – Delivering better public services.
For more advice or information on data protection, contact Alex Zachary and Holly McNeil from our Corporate and Commercial team on enquiries@bpcollins.co.uk or call 01753 889995.
For more complimentary articles from B P Collins, straight to your inbox, please email enquiries@bpcollins.co.uk