SENDING PERSONAL IDENTIFIABLE DATA TO THE US PUTS UK SUBJECTS AT RISK

Overseas transfers of personal identifiable data to US based tech companies could be putting millions of UK subjects at risk due a lack of knowledge concerning lawful data transmission, according to Boardroom Matters.

In the UK and EU it is a civil offence to send information about individuals. This could just include, for example, their name, email address, phone number or even an IP address to countries like the US, India and Australia, without putting in place in the UK an International Data Transfer Agreement (IDTA) or for the EU, Standard Contractual Clauses (SCCs).

Even for companies that are joint entities such as a UK subsidiary of a US company wanting to share, say, HR records, binding corporate rules (BCRs) must be documented and approved by the appropriate data protection authority before any transfers can be made.

Although these rules have been strictly policed since GDPR became law in 2018, with substantial fines of up to £18 million or 4% of worldwide turnover, whichever is the greatest, many smaller companies are using overseas tech companies for data processing without a data processing agreement and an IDTA.

Typically, these tech companies are used by many UK firms to send out emails, for data storage, managing cloud based HR records and CMS for marketing purposes. However, the onus is on the UK data controller i.e. the company commissioning the overseas work, to put in place appropriate data protection safeguards before sending data outside the UK or EU.

In the US - apart from California - there is no legislation to uphold data subjects' rights and more shockingly in 2018 the US Government enacted The CLOUD Act. This enables federal law enforcement to force all US technology companies to divulge the contents of any server-stored data. Although Australia has the Office of the Australian Information Commissioner, its current legislation has been deemed by the EU as not meeting adequacy and in India there is no national regulatory authority for protecting personal data, which also doesn't meet adequacy.

Sam Crich, a digital lawyer with Berwins Solicitors says: "The consequences of sending data overseas without adequate protection would be a breach of data protection legislation in the UK and EU (and a few other places).

"There are certain countries like Japan that have been assessed by the relevant UK and EU bodies where personal data is deemed to be protected to the same degree as in the UK/EU. But unless you've sent data to a country on that list (countries not on that list are often referred to as a "third country"), this would likely be deemed to be a breach of the law whether that country actually provides adequate protection or not - unless you also have a risk assessment and a valid transfer mechanism in place."

Philip Allott, a data protection specialist with Boardroom Matters, believes that the Government needs to provide greater clarity over overseas data transfers, especially to smaller companies. He explained: "Some of the bigger US tech companies have built into their T&Cs clauses like data transfer agreements and Standard Contractual Clauses and many claim to be GDPR compliant - but in reality, because of the US CLOUD Act, they are never 100% compliant. As an example, in a recent ruling by The European Court of Justice over Facebook, the Court reiterated that data exporters are primarily responsible for any data transfers and that, because there is no US adequacy with EU privacy standards, even the use of SCCs could still put personal data belonging to EU subjects at risk.

"I cannot reiterate strongly enough that the responsibility for meeting adequacy in order to transfer data overseas is down to the UK or EU based sender, not the overseas supplier."

Companies concerned should seek independent legal guidance from a data protection specialist. During October Boardroom Matters is offering up to 30 minutes' free advice and also offers a range of services including UK GDPR audits, bespoke Data Processing Agreements and support to determine lawful methods of data processing.

For further information visit http://www.boardroommatters.co.uk

Allott and Associates
Claro Chambers
42 High Street
Knaresborough
HG5 0EQ

For media enquiries please contact:
Emily Evans
Account Manager
Allott and Associates Ltd
Telephone: +44 (0)1423 867264
Email: emily@allottandassociates.co.uk
www.allottandassociates.co.uk
Twitter @AllottsPR

Or

For sales enquiries please contact:
Philip Allott
Legal Services Director
Boardroom Matters Ltd
71 - 75 Shelton Street, London, WC2H 9JQ
Telephone 0203 733 6443
www.boardroommatters.co.uk

GDPR (which stands for the General Data Protection Regulation) came into force in May 2018 and was renamed in January 2021 UK GDPR. UK GDPR affects all businesses, including the public sector, and charities.

Any organisation handling personal identifiable data such as customer records, staff details, payroll, marketing databases and even CCTV cameras must ensure that these processes comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

UK GDPR has had a profound impact on different organisations and if you have any concerns about your current activities or are planning any changes, you should strongly consider seeking external professional guidance from Boardroom Matters. The consultancy works with a cross-section of clients including businesses, charities and trade associations to identify their new legal obligations through onsite audits, training courses, documentation and providing guidance where in-house policies require changing.

This release was published on openPR.