Data Transfer Risks

Businesses across the UK are being urged to give their data transfer procedures a health check to ensure they are fit for purpose – and lawful. Data protection specialist Boardroom Matters is warning that overseas transfers of personal identifiable data to US based tech companies could be putting millions of UK subjects at risk.

Not only that, but any UK business breaking GDPR rules is also risking fines of up to £18 million or 4% of worldwide turnover.

In the UK and EU it is a civil offence to send information about individuals (which could be as little as a name, email address, phone number or even an IP address) to countries like the US, India and Australia without first putting in place, in the UK, an International Data Transfer Agreement (IDTA) or, for the EU, Standard Contractual Clauses (SCCs).

Even for companies that are joint entities such as a UK subsidiary of a US company wanting to share, say, HR records, binding corporate rules (BCRs) must be documented and approved by the appropriate data protection authority before any transfers can be made.

Data Processing Agreements

Although these rules have been strictly policed since GDPR became law in 2018, with substantial fines of up to £18 million or 4% of worldwide turnover, whichever is the greater, many smaller companies are using overseas tech companies for data processing without a data processing agreement and an IDTA.

Typically, these tech companies are used by many UK firms to send out emails, for data storage, for managing cloud-based HR records and for CMS for marketing purposes. However, the onus is on the UK data controller, i.e. the company commissioning the overseas work, to put in place appropriate data protection safeguards before sending data outside the UK or EU.

Legislation Overseas

The US

In the US – apart from California – there is no legislation to uphold data subjects’ rights and, more shockingly, in 2018 the US Government enacted The CLOUD Act. This enables federal law enforcement to force all US technology companies to divulge the contents of any server-stored data.

Australia

Although Australia has the Office of the Australian Information Commissioner, its current legislation has been deemed by the EU as not meeting adequacy. India has no national regulatory authority for protecting personal data, and so it also does not meet adequacy.

Sam Crich, a digital lawyer with Berwins Solicitors, says: “The consequences of sending data overseas without adequate protection would be a breach of data protection legislation in the UK and EU (and a few other places).

“There are certain countries like Japan that have been assessed by the relevant UK and EU bodies where personal data is deemed to be protected to the same degree as in the UK/EU. But unless you’ve sent data to a country on that list (countries not on that list are often referred to as a “third country”), this would likely be deemed to be a breach of the law whether that country actually provides adequate protection or not – unless you also have a risk assessment and a valid transfer mechanism in place.”

Our Thoughts on Data Transfers

Philip Allott, data protection specialist with Boardroom Matters, believes that the Government needs to provide greater clarity over overseas data transfers, especially to smaller companies. He explained: “Some of the bigger US tech companies have built into their T&Cs clauses like data transfer agreements and Standard Contractual Clauses and many claim to be GDPR compliant – but in reality, because of the US CLOUD Act, they are never 100% compliant.

“As an example, in a recent ruling by The European Court of Justice over Facebook, the Court reiterated that data exporters are primarily responsible for any data transfers and that, because there is no US adequacy with EU privacy standards, even the use of SCCs could still put personal data belonging to EU subjects at risk.

“I cannot reiterate strongly enough that the responsibility for meeting adequacy in order to transfer data overseas is down to the UK or EU based sender, not the overseas supplier.”

UK GDPR Advice

Companies concerned should seek independent legal guidance from a data protection specialist. Boardroom Matters offers a range of services including UK GDPR audits, bespoke Data Processing Agreements and support to determine lawful methods of data processing.

Contact Us

Get in touch with our team to start your compliance and/or legal journey today. We can assist your business with its data protection requirements and contractual needs.