Cross-border data transfers are possibly one of the biggest administrative headaches for controllers and processors, so companies may be understandably nervous that the Data (Use and Access) Bill devotes a whole schedule to the subject. However, the overall structure of the approach to data transfers remains broadly the same as under the GDPR. Some changes are largely procedural; others reflect the fact that assessments no longer have the cultural underpinning of EU law. Some key points:
- “transfers on the basis of an adequacy decision” are replaced by “transfers approved by regulations” made by the Secretary of State;
- the concept of approvals is broadly similar to GDPR adequacy decisions, in that such regulations may approve transfers to a third country or international organisation, and may be limited, for example to specified types of transfer, sectors or geographic areas;
- the Secretary of State must monitor legal developments on an ongoing basis, but there is no requirement for a formal periodic review of approvals;
- the Act creates a “data protection test” which must be met if the Secretary of State is to issue an approval;
- the factors to be considered for the data protection test are similar to, but not the same as, those for the EU GDPR adequacy assessment. For example:
  - the Secretary of State must consider “the existence and powers of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data” and “respect for the rule of law and for human rights”;
  - however, there is no express mention of enforceable data subject rights, no requirement that the enforcement authority is independent, and no reference to considering the existence of rights of access by public authorities;
- no changes are made to the provisions on BCRs;
- transfers may still be made under appropriate safeguards, such as approved data protection clauses;
- if a data exporter intends to rely on such safeguards, it is required to consider whether the transfer will meet the data protection test. This sounds as if it is essentially putting the current requirement for a transfer risk assessment on a statutory footing.