We have recently added two new forms of agreement to our IT & Data Protection Policies subfolder. One of them covers the transfer by a data controller of personal data to a data processor based in the UK/EEA, and the other covers transfers to a data processor based outside the EU.
Data Protection Law
All UK businesses transferring personal data to data processors need to be aware of their legal responsibilities in relation to such transfers. This is a complex area, and we urge you to take professional advice to ensure that your business meets the relevant legal requirements. The law on data protection is changing, and so we have briefly outlined the position below.
Data Transfer Within the UK/EEA
The Data Protection Act 1998 (the “Act”) prohibits such transfers within the UK/EEA area unless there is an appropriate agreement between the data controller and data processor. Our new template is suitable for this purpose.
Data Transfer Outside the EU
The Act and EU Directive 95/46/EC also prohibit such transfers to a destination outside the EU unless the destination country “adequately protects” the rights of the data subjects. There are a number of means of satisfying that requirement but it is not always easy to apply them in a way which clearly ensures compliance with that requirement.
However, the Act and the Directive give data controllers a further alternative, relatively easy, way of complying with the law where a data controller cannot demonstrate that there is “adequate protection”. A data controller and data processor may instead enter into a suitable agreement (see below) governing the transfer. The Directive empowered each EU Member State to authorise data controllers to enter into an agreement with a data processor on model terms issued by the EU Commission for the purpose of transferring data outside the EU. The UK Information Commissioner authorised UK data controllers to transfer data outside the EU under an agreement on the model terms issued by the Commission.
The correct use of such an agreement ensures that data controller’s transfer of data outside the EU is not in breach of the duty under the Act to comply with the Eighth Data Protection Principle, i.e. it provides a “safe harbour”. Our “non-EU” new template may be used for this purpose.
In May 2016, a new EU measure, the General Data Protection Regulation (“GDPR”), was passed into law. It will have direct effect in all Member States as from 25 May 2018 and it will replace the current EU Directive. A notice given by the UK (under Article 50 of the EU Treaty) to leave the EU will only take effect two years after the notice is given except in the unlikely event that a withdrawal agreement is finalised any sooner. It is assumed that the UK will still be a Member of the EU as at May 2018, and so the GDPR will apply to businesses based in the UK as from May 2018. The GDPR will strengthen individuals’ rights, tighten obligations for data controllers, impose new obligations on data processors, and give regulators very significant powers of enforcement. However, it will also preserve the “safe harbour” for data controllers outlined above, and that means that our non-EU template will remain relevant when GDPR comes into effect. In view of the expanded scope of GDPR compared to the Directive, we strongly recommend that all businesses handling personal data start planning now in earnest to ensure that they meet their obligations under the GDPR in time. Failure to do so will risk very significant fines on defaulting businesses whether they are large or small enterprises.
Relevance of the GDPR after Brexit
Most commentators believe that once the UK leaves the EU, the UK will want (and indeed need) to maintain the rules imposed by the GDPR and the Act. The predominant view is that although the UK will technically be free to abandon the rules contained in the GDPR after leaving the EU, HM Government will need to retain measures on a par with GDPR since that will best enable the UK to trade freely with the EU single market, and it will, in the interests of members of the public, also maintain high levels of protection for personal data. In short, retaining the GDPR rules would be in the interests of the UK, its citizens and UK-based data controllers. It seems very likely, therefore, that HM Government will retain the current legal requirements relating to data protection (including the rules under the GDPR model terms “safe harbour” regime) after May 2018. In that case our non-EU template will be relevant even after that date. However, if at any point it appears that HM Government may change the current law, we will aim to update you well before any change occurs.
Of necessity, this only touches very briefly on data transfer and the relevant UK and EU legislation, in particular the numerous ways in which GDPR will be more onerous than the Directive. We therefore strongly recommend that you take professional advice about the GDPR and about data transfer both within and outside the UK/EEA/EU. We also suggest that before you use either of our two new templates, you read the information pages accompanying them so that you can see whether they are appropriate for your particular requirements.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific