On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit (which is due to take place on 29 March 2019). By way of a reminder, Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.
With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.
International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies.
The High Court has held that suspicious activity reports may amount to “personal data” for the purposes of the Data Protection Act 1998 (“DPA 1998”) and are potentially disclosable following a subject access request.