How to manage data transfers from Europe and the United States

Preparing for two possible futures

What is less clear is the position for EU organisations transferring information to the UK from the EU where the sending organisation is bound by EU GDPR rules. These senders will need to ensure that they do not breach their local rules and rights of EU citizens so careful planning is required to deal with two potential scenario.

• Scenario one - (and the simplest) is that the UK, as part of the Trade Deal negotiation, is considered an “adequate” country for data transfers. This would mean that business can continue in the same way. There are currently nine territories where there is a full finding of adequacy (some countries that you might expect to see do not have the necessary status). There are partial findings of adequacy about Japan, Canada, and the USA (more later)
• Scenario two - we do not achieve adequacy by 31 December 2020 and so will be are forced to apply to the EU for adequacy at the end of a long queue of territories ahead of us. This may take a considerable period of time and businesses need to plan for this eventuality.

Contingency planning for scenario two should be in place as soon as possible to ensure that transactions may continue seamlessly. The are alternative solutions to consider will need careful discussion with clients, suppliers, and other companies within a group. Your approach will depend on a number of variables such as the role that you play in information transfers – “controller” or “processor”; the type of information that travels and the type of entity that sends you information. You may need to engage with cloud technology providers who host your data in the EEA. This first immediate step is to review your understanding of your data flows across the organisation. 

Elizabeth Denham, the UK Information Commissioner (and chair of  the Global Privacy Assembly), at a meeting on 30 September would not comment on the state of “adequacy” or the strength of standard contract clauses for international transfers. It appears that we are expected to take a risk based approach and examine each transfer / contract on its own merits. 

A word about the US – we have recently seen challenges to and the demise of both Safe Harbour and Privacy Shield. The current position with the UK regulator is that existing transfers set up to organisations under the old privacy shield scheme may continue but new ones should treat the US as a third country. Transfers to organisations not certified need alternative provisions to protect the rights of UK citizens. 

Data privacy can be complex, and given the current unknowns it would be sensible to prepare for the worst case scenario. We suggest that organisations do the following as a minimum: 

• Privacy professionals should consult with their board to ensure that business continuity is covered 
• Boards should consult with their privacy professionals / advisors to review where they are with international transfers
• Data flow mapping should be reviewed to ensure clarity on international transfers and mechanisms

If you need some help, now is the time to speak to an expert. The Buzzacott privacy team are on hand to assist should you not have internal resource or if you would like more information. Complete the form below and one of our experts will be in touch.