Happy New Year! Here are our suggested resolutions to help you meet the continuing data governance challenges in 2022.
Changes have happened and there is more change to come.
As the UK has adopted adequacy regulations in respect of the EEA member states and the countries which had received adequacy decisions made by the EU prior to Brexit, data transfers to those countries can continue with no additional safeguard. The EU has recently granted South Korea an adequacy decision, but it is not yet known whether the UK will adopt a corresponding regulation.
Because the EU has adopted an adequacy decision in respect of the UK, transfers from the EEA to the UK (including transfers of data from the UK to the EEA then back to the UK) can continue with no additional safeguard.
Binding corporate rules (BCRs) can continue to provide an adequate safeguard for intra-group transfers, provided that the post-Brexit formalities are complied with. Note that where BCRs were approved by an EU supervisory authority rather than the Information Commissioner's Office (ICO) as lead regulator, the ICO should be informed of the BCRs, and this should mean automatic entitlement to rely on them under the UK GDPR. BCRs approved by the ICO had to be transferred to an EU supervisory authority before the end of the transition period to continue to be valid for EEA data.
If you can't rely on an adequacy decision or BCRs, you will need to put another safeguard in place, which will usually be standard contractual clauses (SCCs).
Remember that there are now separate SCCs in place for personal data relating to individuals in the UK (UK data) and individuals in the EEA (EEA data). If you are transferring both UK data and EEA data, you need to have both sets in place.
EEA data: the EU has adopted new SCCs for the transfer of EEA data (EU SCCs). These must be used for all new contracts. Existing contracts which incorporate the previous version of the EU SCCs must be updated by 27 December 2022.
UK data: the ICO has not approved the new EU SCCs, so for the time being you must continue to use the old EU SCCs for UK data. The ICO has published a version of the old EU SCCs amended to reflect the fact that the UK has left the EU. You can use these instead of the old EU SCCs, but this is not mandatory.
The ICO has published a draft International Data Transfer Agreement (IDTA) which is intended to replace the SCCs for transfers of UK data. This was a consultation draft only, so has not yet been adopted for use. The ICO also consulted on whether to approve third countries' SCCs (including the new EU SCCs). We will publish an update once the ICO announces the outcome of this consultation.
Since the Schrems II decision, if you use BCRs or SCCs (any version), you must also conduct a transfer risk assessment (TRA), also known as a transfer impact assessment (TIA), before going ahead with the proposed transfer. Please see our article and webinar for more details.
The Schrems II decision also invalidated the EU-US Privacy Shield, which previously provided a safeguard for transfers to the USA. Since that decision, the only option (unless you can use BCRs) is to use SCCs plus a TRA/TIA, but there are concerns about the extent to which a transfer to the USA can be lawful at all, given the US government's surveillance powers. On 8 December 2021 the UK government announced that it is working with the US government to "deepen the UK-US data partnership to realise a more peaceful and prosperous future by promoting the trustworthy use and exchange of data". We will monitor developments closely to see whether this makes it easier to share personal data with recipients in the USA, and whether it has any impact on the adequacy decision the EU has granted to the UK.
On 15 December 2021 the ICO published updated guidance on looking after your customers’ personal data when you are required to complete COVID status checks. The guidance is aimed at nightclub businesses and organisers of large events, but the principles are relevant to all organisations who process COVID-related personal data, e.g. about their employees. The key points of the updated guidance are:
In September 2021 DCMS published a consultation document setting out its proposals to overhaul UK data protection law following Brexit. Click here to read our summary of the key issues. Once the government publishes its updated proposals following the consultation, we will update you in DWF Data Protection Insights.
The transition period for complying with the ICO Children's Code (also known as the Age-Appropriate Design Code) ended on 2 September 2021. As we've reported a number of times (see our article The ICO Children's Code: focus on age assurance), the ICO is currently focusing on protecting children's privacy online. It's important to remember that the Children's Code applies to Information Society Services (ISS) likely to be accessed by children, not just services aimed at children. If you provide online services which are likely to be accessed by children, you must comply with the Children's Code, which can be complex, as you need to consider the requirements of different age groups.
The UK GDPR and ICO guidance set out extensive data governance requirements, including keeping records which enable an organisation to demonstrate that it is complying with data protection law, and rules on when a DPIA (data protection impact assessment) must be conducted. You must carry out a DPIA for any processing that is likely to result in a high risk to individuals. The ICO has been focusing on facial recognition and AI (artificial intelligence) as high-risk areas, so these are two examples of processing for which a DPIA is required.