This document provides an overview and agenda for a webinar on how to do data transfers between the EU and US in 2023. It discusses where the EU-US data transfer framework currently stands, what additional safeguards are still needed according to European regulators, and differences between UK and EU GDPR. Attendees are polled on their previous and current use of data transfer mechanisms. The speakers will cover what constitutes a data transfer, the expected new EU-US data privacy framework agreement, Standard Contractual Clauses and other tools for international data transfers, and additional safeguards organizations have implemented.
How To Do Data Transfers Between EU-US in 2023
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Agenda
• What are data transfers
• Where does the EU-U.S. Data Transfer Framework stand today?
• What adequate safeguards are currently missing from the framework in the eyes of the EDPB and European Parliament?
• UK GDPR vs EU GDPR
• How SCCs can be used for cross-border data transfers
• Risk mitigation for international data transfers
What Is and Isn’t a Transfer
• The EDPB has identified three criteria that qualify a processing as a transfer:
1. A controller or a processor is subject to the GDPR for the given processing.
2. This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
• A transfer requires
○ Movement from an organisation (exporter) to an organisation (importer)
○ i.e. C-P, P-C, P-P, C-C…
○ Need to consider onward transfers
○ Regardless of GDPR coverage due to extraterritorial extent
• Direct collection NOT a transfer
• Employees taking laptops abroad NOT a transfer
• Remote support from India (example) IS a transfer
• Processor in EU subject to US authorities COULD be a transfer!
https://edpb.europa.eu/system/files/2023-02/edpb_guidelines_05-2021_interplay_between_the_application_of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf
Where Does The EU-U.S. Data Transfer Framework Stand Today?
• A new EU-U.S. transatlantic data flow agreement is expected to be finalized by the Fall of 2023
• The EU-U.S. Data Privacy Framework will enable the flow of personal data from ‘data exporters’ in the EU to ‘data importers’ in the U.S. who have signed up to the agreement
• The Framework offers a flexible alternative to the European Commission’s Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which multinationals with a presence inside and out of the EU must otherwise use to share personal data (absent some small exceptions)
What adequate safeguards are currently missing from the framework in the eyes of the EDPB and European Parliament?
• Protections against automated decision making
• Restrictions on bulk collection & retention
• Independent redress mechanism
Polling Question:
Which additional safeguards have you implemented to mitigate the risks associated with international data transfers between the EU and US?
UK Data Protection History
Data Protection laws
• 12th July 1984: Data Protection Act
○ Only computerised data
○ Based on CoE Conv 108
• 16th July 1998: Data Protection Act
○ Manual data, more rights
○ Based on 95/46/EC (EU DPD)
○ (Later the PECR in 2003, in response to EU ePrivacy Directive 2002)
○ HRA 1998 - general right
• 24th May 2018: Data Protection Act
○ Accountability, DPOs, DPIAs, ROPAs. Based on 679/2016 (EU GDPR)
○ Sets up ICO Powers, National Security, Law Enforcement, Legal Basis, Exemptions etc.
○ New Data Protection Charges and Regulations. Fees.
• 1st January 2021: EU Exit Amendments
○ Jan 1st 2021 - “UK GDPR”; processing earlier subject to “EU GDPR”
○ The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) 2019 and 2020
○ Amends DP and PECR
• ?? ??? 2023: Data Protection and Digital Information Bill
○ Announced in Queen’s Speech June 2022
○ Based on DCMS Consultation “Data: A new Direction” Sept 2021
○ A further layer of track changes!
UK GDPR versus EU GDPR
UK’s DATA PROTECTION ACT 2018…
AS AMENDED BY...
THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC)(EU EXIT) REGULATIONS 2019 made on 29 February 2019
AS AMENDED BY…
THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC)(EU EXIT) REGULATIONS 2020 made on 14 October 2020
KEELING SCHEDULE = A TRACK CHANGES DOCUMENT
EVERYTHING AND NOTHING CHANGED!
Real Changes…
1st January 2020+ = UK GDPR
• ICO no longer an EU supervisory body, cannot attend EDPB
• Where previously ICO was lead EU SA, have to change to new, get any “approvals” re-approved by EU SA (such as BCRs etc)
• UK now a “Third Country”, granted six months to gain adequacy by European Commission
• UK DSIT takes on “EC role” including the power to grant UK adequacy decisions
• UK achieves Adequacy in 2021 for LED and GDPR, and promptly announces intention to… “unleash data’s power across the economy and society for the benefit of British citizens and British businesses”
• New ICO John Edwards took up post in Jan 2021
• ICO issues IDTAs (UK alternative to EU SCCs for international data transfer) with SCC “add on” annex
Polling Question:
Which data protection regulations do you think will have the greatest impact on international data transfers between the EU and US in 2023?
How To Do Cross-Border Data Transfers
STEP 1: Know your transfers
STEP 2: Verify the transfer tool
STEP 3: Assess sufficiency of non-EEA protections
STEP 4: Identify and adopt supplementary measures
STEP 5: Take formal procedural steps
STEP 6: Re-evaluate at appropriate intervals
Thank You!
See http://www.trustarc.com/insightseries for the 2023
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.