In this privacy news:
On September 21, 2023 the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension) was approved. The extension creates a UK-U.S. Data Bridge, allowing UK businesses to transfer personal data to U.S. businesses certified to the UK Extension.
The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’, and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.
The new UK-U.S. Data Bridge will take effect on October 12, 2023. So it’s not valid as a transfer mechanism until this date.
What does this mean for you?
From October, it will also be easier for companies in the UK to send personal data to the U.S.
However, UK companies can’t simply transfer personal data to any company in the U.S.
For the data to flow freely, the receiving U.S. company must be certified to the UK Extension and the company must be on the Data Privacy Framework (“DPF”) List.
This means that UK companies need to:
However, the work doesn’t end there. UK organisations need to remember to update privacy policies and data processing agreements, and to document their own processing activities as necessary, e.g. in the RoPA (the record of processing activities), to reflect any changes in how they transfer personal data to the U.S. Also remember to make sure that there is a data processing agreement in place, etc.
For more details, here’s a helpful factsheet for UK organizations.
What’s next?
With the UK Extension approved, that now leaves Switzerland to issue its adequacy regulations for the DPF, and data can flow safely to the U.S. again. But is that true? And for how long?
The DPF is already being challenged.
On September 6th (not even two months after its adoption, and no, not by Schrems!), Philippe Latombe, a member of the French Parliament, filed 2 challenges: one to immediately suspend the agreement, and another on the content of the agreement.
But with the challenges on the horizon, continuing to have SCCs (EU’s standard contractual clauses) in place might be a good thing.
In light of the continuous challenges and the rapid development of the privacy landscape, it can be hard to stay on top of things.
If you want to keep up with ever-changing rules, join us for a free Masterclass on International Data Transfers on October 04, 2023. We have great speakers joining who will take us through the key aspects of international data transfers. Find more details and sign up here.
Less than six months after its April 2023 fine by the UK Information Commissioner’s Office, TikTok has received yet another fine in relation to its processing of children’s personal data.
This time, the Irish Data Protection Commission has fined TikTok €345 million for failing to ensure parental approval of TikTok’s user accounts operated by children, among other reasons.
This is the largest fine to date for the platform.
What can we learn here?
It’s perhaps not surprising that large social platforms are scrutinised more closely than smaller companies. But this new fine shows the increasing focus on platforms handling data about children. And it also shows that the size of GDPR fines is increasing.
As per TikTok’s latest fine, having the default privacy settings of a child’s account set to public is a big no-go. A close review of these practices would be a good exercise for any company wanting to stay on the right side of privacy law.