Ever wondered what a Data Protection Officer’s (DPO) worst nightmare is? Well, according to the latest report from the UK Data Protection Index, it might be International Data Transfers.
The UK Data Protection Index (DP Index) is made up of a panel of over 300 data protection and privacy professionals. Every quarter, the panel are given a repeating survey to complete, the results of which are used to produce a report which documents key trends within the data protection industry. Last month, the DP Index published its latest issue, and it makes for very interesting reading. Most notably, it indicates that there is a new issue which seems to have DPOs tearing their hair out:
Findings from the March 2021 report show that 21% of respondents cited international data transfers as their organisation’s biggest challenge when trying to comply with GDPR over the next 12 months, making it the most cited concern ahead of data retention (18%) and accountability / demonstrating compliance (17%).
This is the first time that data transfers have hit the top spot on the list. In both the December 2020 and August 2020 reports, accountability / demonstrating compliance was deemed the most challenging, getting 22% of the vote each time. In comparison, concern over international data transfers was initially quite low, with only 4% of respondents choosing it as their organisation’s biggest concern in August 2020. However, this percentage has grown consistently, reaching 14% in December 2020, and now 21%. This begs the question – what’s changed?
International Data Transfers
Before we try to answer this question, a word about international data transfers.
When transferring personal data from one country to another, both the EU GDPR and now the UK GDPR require organisations to have an appropriate transfer mechanism in place. These mechanisms include:
Of the four options above, adequacy and SCCs are by far the most widely applicable. However, over the last year, the validity of both of these mechanisms has been called into question, which likely explains a lot about the most recent survey results.
Adequacy and Brexit
Since the DP Index was established and the first report produced back in August of 2020, Brexit has undeniably been a key area of uncertainty for individuals and businesses alike. In data protection terms, this was no different, as we wondered what would happen on the 1st of January if the UK was not granted data adequacy, and then what would happen after the six-month bridging period expired.
This uncertainty was again reflected back in the report findings, with 15% of respondents citing Brexit as their organisation’s biggest challenge back in August 2020, making it the third most common concern. Since then, however, concerns over Brexit have decreased, down to 10% in December, and now 2% in March. The UK left the EU on the 1st January 2021 and, despite many thinking it wouldn’t, the world has in fact continued to turn and data has continued to be transferred, allowing DPOs everywhere to breathe a sigh of relief.
Whilst the above is all true, and we now know the sky hasn’t fallen post-Brexit, there have still been questions around the future of UK-EU data transfers past the six-month bridging period that was set out in December. Would the EU grant the UK adequacy? Or would UK businesses have to rely (most likely) on SCCs?
The statistics from the latest DP Index suggest that whilst concerns specifically over Brexit may have waned, it is still causing issues, albeit in the context of international data transfers and the wait for an adequacy decision, a draft of which the UK received as this report was being compiled.
SCCs and Schrems II
In addition to the ongoing worry over Brexit and its impact, in July last year (shortly after the DP Index’s first survey), the Schrems II ruling was published. Not only did this ruling invalidate the EU/US Privacy Shield, which had provided a mechanism for data transfers between the EU and US, the court also questioned the validity of the EU’s SCCs, which resulted in the European Commission agreeing to review them and produce new ones.
This created a lot of uncertainty. First, around what methods should be used to transfer data to and from the US. Secondly, around whether the EU’s existing SCCs really did provide adequate protection for personal data being transferred internationally. Despite the court questioning their appropriateness, following Schrems II, SCCs were hailed as the solution for businesses that previously relied on the Privacy Shield, perhaps adding fuel to the fire that was concerns over international data transfers.
Conclusion
So, it seems that given all that has occurred within data protection over the last year, and specifically that relating to cross-border transfers, there are logical reasons why DPOs may be feeling particularly concerned about international data transfers in this quarter’s DP Index report. In leaving the EU, the UK’s position in the world in relation to other countries has changed significantly, and the rules around international data transfers have too. Therefore, it is unsurprising that DPOs may feel that navigating these changes is of particular immediate concern.
However, given that the EU, and perhaps the ICO, will be publishing new SCCs sometime this year, and that it appears the UK will be granted adequacy, it will be interesting to see whether these developments allay DPOs’ concerns around international data transfers, and whether the next DP Index results, published in June, indicate that DPOs’ nights have become a little more restful.
If you would like to download the full March report, or if you are a data protection or privacy professional and would like to become a member of the panel, and help shape the future of the data protection industry, visit the UK Data Protection Index website.