I have always been sceptical about consent-based arrangements for international data transfers. Sadly, the reality is that there is no quick fix for the problems around them.
Although I am quite pleased that people were curious enough to click on the link to this piece, originally posted (before midday!) on April 1st 2022, the real position in relation to international data transfers is no joke. It is immensely challenging, terribly burdensome and, based on the comments that I have been hearing again and again as I have been out networking face-to-face again, it is one of the biggest headaches besetting an awful lot of business leaders and DPOs.
Businesses are still trying to work through all of the implications of the Schrems II decision, while simultaneously grappling with the bifurcation of transfer arrangements between the EU and its recently adopted new form standard contractual clauses, and the UK's freshly minted International Data Transfer Arrangement. Binding Corporate Rules continue to be regarded as too costly and time-consuming to implement (although there is nothing in the legislation itself that says that they need to be), and there is still no prospect of the sector-based codes of conduct which the GDPR opens the door to.
Meanwhile, globalisation is driving an ever-increasing requirement to be able to move data around between jurisdictions, for everything from centralised payroll and HR admin, to rolling 24-hour off-site support calls, to cloud hosting. Small wonder then, that many businesses are simply closing their eyes to the challenge and continuing to transfer just as they have always done, using the fig leaf of some poorly understood standard contractual clauses, or the latest EU-US data sharing framework that is now being heralded, as a salve to their conscience.
Does it need to be like this? No, it doesn't. It is possible to get to a workable yet compliant position around data transfers with a bit of hard work, some risk-appropriate due diligence, and the co-operation of sensible advisers in the relevant jurisdictions. But there is no quick fix, and no one-size-fits-all tool that is going to do the job for you.
For anyone grappling with this topic who would like a 30-minute, no-obligation discussion around the options, or simply just to ask that burning question you have always wanted to know the answer to - please get in touch. I can't promise you an NFT-backed, AI-designed solution, but you will get common sense, clear answers and, hopefully, the reassurance that there is a solution that doesn't involve burying your head in the sand and hoping!
The UK GDPR primarily applies to controllers and processors located in the United Kingdom, with some exceptions. Individuals risk losing the protection of the UK data protection laws if their personal data is transferred outside of the UK. On that basis, the UK GDPR restricts transfers of personal data to a separate organisation located outside of the UK, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies. We refer to a transfer of personal data to a separate organisation located outside of the UK as a “restricted transfer”.