UK-GDPR vs EU-GDPR: what is changing?
After the Trade and Co-operation Agreement was signed between the UK and EU in December 2021, privacy professionals were left on the edge of their seats for a further six months until the adequacy ruling was reached by the EU in June 2021.
UK-based companies can now process the data of EU citizens in line with GDPR, provided they adhere to a couple of new extra measures such as having a representative in the EU for EU data subjects to interact with in the event of a privacy concern or data subject access request.
For now, the UK has been deemed to have an ‘adequate’ level of data protection, meaning that businesses can transfer data between the UK and the EU without needing to put any extra safeguards in place. However, the UK is now looking for opportunities to diverge from EU approaches to the GDPR to improve growth and liberalise international trade. This is happening in two key areas:
- International Data Transfer Agreements (IDTAs)
- Adequacy Regulations
The Department for Culture Media and Sport (DCMS) has expanded the scope of the ICO as a regulator and has set up a new International Data Transfers Expert Council to advise the government on how to expand the number of countries the UK grants data adequacy to and how to implement safeguards for transferring personal data to countries outside any adequacy rulings. Let's look at these new measures in depth.
International Data Transfer Agreements (IDTAs)
When organisations in the EU transfer personal data outside the EEA, Switzerland or any country with EU adequacy, it is mandatory to implement extra safeguards to ensure the privacy rights of EU citizens are protected. A key mechanism is the Standard Contractual Clauses (SCCs), a contract and form with fixed clauses supplied by the European Union Data Protection Board (EPDB). Following Brexit, the UK has implemented its own version of the SCCs, called IDTAs, which UK organisations use when transferring data to a country outside the UK, EEA, and Switzerland. Companies must have these in place by 21st September 2022 at the latest.
SCCs and IDTAs are structurally identical and are split into 4 parts: the tables for all the key information around data processing, the optional extra protection clauses, the commercial clauses, and the mandatory clauses set by the respective data protection authority.
Here are some key differences:
- There is no differentiation between transfer relationships in the IDTA - the EU has differing versions of the SCCs for Controller to Controller, Controller to Processor, or Processor to Processor transfer relationships.
- The IDTA makes provisions for "linked agreements" where the SCCs do not. This means that if you are a software development company in the UK and you are using developers in South Africa to help deliver client projects, the IDTA can use the same definitions as your service agreement and data protection schedule and keep them consistent across all three documents.
- IDTAs provide a little freedom. You can add extra information required by the clauses in the forms, remove clauses that are not applicable, and amend the IDTA for use in multi-party arrangements, and the clauses do not need to be signed to become binding. This makes the IDTA more flexible and able to accommodate a wide and varied range of data transfer relationships, whether with suppliers within your group of companies or with your customers.
Adequacy Regulations
The UK has been deemed ‘adequate’ by the EU, which means that businesses can transfer data between the UK and the EU without needing to put any extra safeguards in place. At present, the EU also recognises Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, and Uruguay as adequate.
The UK's version of Adequacy Decisions is the Adequacy Regulations and, at present, the UK government is looking to bring the following countries into the scope of the UK's adequacy regulations:
Australia, Brazil, Colombia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore, United States of America.
The UK government has been making efforts to improve innovation and digital trade liberalisation through the introduction of new International Data Transfer Agreements (IDTAs). These agreements are a noticeable divergence from the EU’s Standard Contractual Clauses (SCCs) and it is clear that the aim is to improve both the quality and efficiency of exporting personal data to countries without adequacy status. While it remains to be seen whether these changes will have the desired effect, businesses should start preparing for IDTAs now by getting in touch!