TECHtalk Q&A: Navigating the data protection tightrope to the USA…without falling off!

We received excellent delegate feedback on our most recent TECHtalk webinar, in which we considered the EU-US Data Privacy Framework (DPF), as well as the UK-US Data Bridge (Data Bridge): “As I've expressed before, one of the best, if not the best, sessions out there on Data Protection matters in my opinion”. We also received lots of questions during the session, so in this Q&A we answer some of those which we didn’t get time to answer during the TECHtalk.

Q: What is meant by HR data under the DPF/Data Bridge?

A: For the purposes of the DPF and Data Bridge, this is defined as the following in respect of an organisation: “personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the [DPF/Data Bridge]”

Q: What if the US supplier receiving data is an individual? Can they self-certify or is an International Data Transfer Agreement (IDTA) still needed?

A: Only USA organisations that are subject to the enforcement jurisdiction of the Federal Trade Commission or Department of Transportation can register under the DPF or Data Bridge. Therefore, UK transfers to the USA for others will require an appropriate transfer mechanism, which is most likely to be the UK GDPR approved IDTA or Addendum mechanism for most organisations.

Q: Does the DPF cover special category data as well?

A: Certain information which falls within the definition of special category data under the UK/EU GDPR (GDPR) is not recognised automatically as being of a sensitive nature under the DPF or Data Bridge. This includes the following:

  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning sexual orientation
  • (and nor is criminal offence data included, even though that is categorised separately to special category data under the GDPR)

Consequently, any personal data falling within the above categories which is to be processed pursuant to the DPF or Data Bridge will need to be expressly identified as "sensitive" information/data under those mechanisms, to ensure GDPR compliance from an international personal data transfer aspect in respect of those categories.

Q: If we are in the process of signing up to the DPF for our subsidiary in the USA - are you saying we do not need the current IDTA we have in place for the USA?

A: An appropriate safeguard for UK GDPR purposes, such as an IDTA, is only required where there is not an Adequacy Regulation available. Consequently, it would be inappropriate to use an IDTA if an Adequacy Regulation, such as the Data Bridge, is available. However, if an organisation is only signing up to the DPF rather than the Data Bridge as well, then it would need an IDTA (as the DPF provides an Adequacy Decision for international personal data transfers from Europe to the USA, but it is the Data Bridge which provides an Adequacy Regulation for the personal data transfers from the UK to the USA).

Q: Where there is now an Adequacy Regulation but a legacy IDTA in place, what actions are required?

A: The organisation’s documentation (contractual, records of processing, privacy notice, DPIA, etc) needs to be updated to reflect the reliance on the Adequacy Regulation rather than the IDTA.

Q: How do you reconcile disparities in the USA and UK/EU data protection regimes, eg if determining if a party to a contract is a controller or processor would be different under GDPR vs FERPA in the USA?

A: It is important to consider the matter from the perspective of each jurisdiction and law, and perform the analysis under that respective law. The concept of "controller" under GDPR is defined as the party which is deciding the purposes and means of processing of the personal data. So, as long as that is what the party is doing (and as long as the GDPR is applicable to it), it is a controller from a GDPR perspective, irrespective of any foreign law such as FERPA (which is the Family Educational Rights and Privacy Act in the USA).

Q: Do you think it is currently worth a USA entity self-certifying for the DPF and Data Bridge, or should they wait to see what happens with the US elections?

A: The DPF and Data Bridge currently provide the most defensible mechanism for transfers to the USA from Europe and the UK respectively. Consequently, they should be used by eligible USA organisations where available.

Q: What happens where the personal data originated in the USA, comes through from a USA company to a UK company for processing (storage) and is sent back to the USA company?

A: On the assumption that the entity in the USA is not subject to the UK GDPR (as it is dealing just with the personal data of individuals in the USA), the transfer from the USA company to the UK company (which would seem to be acting as a processor in this example), and from the UK company back to the USA company, would not constitute a "restricted transfer" under the UK GDPR, and thus there is no international personal data transfer mechanism required.

Q: How often should a Transfer Risk Assessment (TRA) be refreshed - is there a minimum period or is this event based (eg following a ‘Schrems III’ ruling!)?

A: A TRA, like a Data Protection Impact Assessment (DPIA), needs to be kept as a "living document". It needs to be undertaken at the outset when relying on an appropriate safeguard under the GDPR, rather than upon an Adequacy Regulation/Decision. It then needs to be kept under review – so it’s prudent (as with DPIAs) to review it at least annually. It must also be reviewed earlier if there is an event which may impact a previous risk assessment (eg if there is a ‘Schrems III’ successful challenge), or if the nature of the personal data processing changes in a manner which may have a risk impact for data subjects.

Q: Should we still look to carrying out a TRA if we are contracting with a UK company, but they have a USA based or other overseas subprocessor not covered by an Adequacy Regulation?

A: A TRA will be required if an international personal data transfer is being undertaken, in circumstances where an organisation is relying upon the IDTA or Addendum mechanism for the transfer (due to the fact that there is no Adequacy Regulation). In this current case, it sounds like your processor is making the international personal data transfer to a subprocessor, so it will be the processor which needs to carry out the TRA. However, your organisation (as the controller) will still need to undertake reasonable checks about whether your processor’s restricted transfers are compliant with UK GDPR requirements, including the processor’s obligation to carry out the respective TRA pursuant to your instructions. 

 


How can we help?

We have specialist expertise in advising on UK/EU GDPR, as well as international personal data transfers. For further information, or if you would like to arrange a consultation, please feel free to contact us.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.
