Denying SARs, Distinguishing Case Law, and The UK-US Data Bridge

In this week’s episode, we’re diving into the world of Subject Access Requests (SARs). Join Jasmine Harrison and Phil Brining, along with special guest Joe Kirk, as they explore the challenges and solutions surrounding SARs.

Key Topics:
What counts as a vexatious SAR?
The latest case law on SARs.
Insights from our audience member, Carl Rose, on a recent SAR challenge in his organisation.
Expert analysis and practical solutions.

News story of the week

Written by Philip Brining 

The big news this week has to be about the UK US Data Bridge: a mechanism facilitating flows of personal data to the U.S.

Why it’s such big news is that it will have a huge impact on the compliance operations of thousands of organisations.

On Tuesday this week I was working with the UK subsidiary of a US company and so the UK US Data Bridge was a hot topic of discussion.  The conversation went something like this.

ABC Inc. owns ABC (UK) Ltd as well as ABC (India) Pvt Ltd and ABC (Singapore) LLC.  The subsidiary companies have very little autonomy with the parent effectively determining the means and the purposes of processing personal data making it a controller or joint controller for the various processing activities.  The HR function is located in the US and so personal data flows from the UK to the US.  Some customer data flows from the UK to India and Singapore.

As each of the data flows out of the UK is a Restricted Transfer, they need suitable safeguards per Article 44 UK GDPR.   Several months ago a complex arrangement of intra-company contracts was worked up to support the international data flows but the new UK US Data Bridge presents a new opportunity to simplify some of the arrangements.  It doesn’t have any impact on the transfers to India or Singapore – they still need something like a transfer risk assessment (TRA) and standard contractual clauses implemented, but the admin around transfers of HR data to the US could become a little easier as of 12^th October when the Data Bridge comes into effect.

The first step in the process is to ensure that the US parent is eligible to participate in the EU US Data Protection Framework (DPF) as not all US organisations can register.  Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) are currently eligible to participate in the DPF program.

Assuming that the parent company is able to register, then it should do this and also ensure it registers to participate in the UK extension: the so called UK US Data Bridge.  It should pay the fees for a) participation in the scheme, and b) for the “tax” to fund the arbitration scheme.

The US parent needs to draft a privacy policy statement that complies with the requirements of the DPF – note that these do not follow the same formula as a GDPR privacy notice.  The US parent needs to implement an independent mechanism to allow people to bring unresolved complaints brought about under the DPF principles for recourse free of charge.  It needs to designate a point of contact for handling complaints, access requests etc, and ensure that systems of work are in place to respond to any such complaint within 45 days.

The final step before submitting an application is to ensure that the applicant has procedures in place for verifying that the attestations and assertions it makes about its DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the DPF Principles.  Verification can be by self-assessment or external assessment.

The UK entity needs to consider implementing a fall-back arrangement in case the DPF is successfully challenged in a Schrems 3-type scenario, and ensure that its privacy policies and records of processing activities are updated and re-distributed if necessary to reflect the changes to the safeguards implemented for restricted transfers.

Importantly, the UK entity ought to heed to advice of the ICO in its critique of the DPF and ensure that if the personal data being transferred includes any genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning sexual orientation or criminal offense data, it is explicitly identify it as “sensitive” to the data importer, to ensure it attracts the appropriate protections under the DPF.  Don’t assume that the definitions and treatment of what we know as special categories of personal data are the same in the US as they are in the UK.

If our client can get the above in place, and is able to transfer personal data to the US on the basis of the UK Extension to the DPF, it will not need to conduct a TRA so data transfers may become a lot simpler to align with compliance requirements and obligations.

Upcoming Episode

Episode 142: Top 10 Priorities for a Data Protection Officer

Stay tuned for our next episode, where we’ll discuss the top priorities for Data Protection Officers (DPOs). Whether you’re new to the role or an experienced practitioner, we’ll explore the key focuses every DPO should have and the skills that set you apart. If there is an area you would like to focus on during this discussion, please reach out.