In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA).

The ICO has now launched the public consultation on its IDTA and accompanying guidance (available here). The consultation is open for feedback until 5pm on 7 October 2021.

Purpose of the IDTA

The IDTA will replace the current UK SCCs. The ICO has already made it clear that any transfers to third countries will need to take into account the Schrems II decision and apply supplementary measures, where required. The IDTA is a contract which organisations will be able to use when making a ‘restricted transfer’. The ICO is also consulting on how to define a ‘restricted transfer’ in light of the UK GDPR. In particular, the ICO is consulting on whether to keep its current guidance that says a restricted transfer only takes place where the importer’s processing of the personal data is not subject to UK GDPR. Recognising the complexity of international transfers for businesses, the ICO Executive Director of Regulatory Strategy, Steve Wood, has said that the new guidance is designed to be accessible and to support the full range of organisations, from SMEs to multi-national companies.

Continue Reading The UK’s ICO launches public consultation on new Standard Contractual Clauses

Last September the Singapore High Court heard a case relating to Singapore’s Personal Data Protection Act (PDPA). An individual had left his former employer, an investment company, to join a competitor firm. At this new firm, he sent an email to a client of his former employer’s, another individual, whom he had come to know

The UK National Institute for Health and Care Excellence (NICE), along with the Care Quality Commission (CQC), Health Research Authority (HRA) and Medicines and Healthcare products Regulatory Agency (MHRA) have partnered to promote the use of artificial intelligence (AI) in health and care. The agencies are calling this initiative the “Multi-Agency Advisory Service for AI

What is new?

During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new SCCs that are currently being finalised by the European Commission. These new EU SCCs will not be valid for use for restricted transfers of data outside the UK.

Why is this change taking place?

From 31 December 2020 organisations in the UK have been relying on existing SCCs (Decisions 2001/497/EC and 2010/87/EU) for transfers of data outside the UK except where such territories are recognised as adequate (e.g. countries in the EU, the EEA, and those that obtained the EU Commission’s adequacy decision). However, the existing SCCs will be repealed when the new EU SCCs come into play. Therefore, the ICO is taking measures to put in place new international transfer mechanisms for restricted transfers outside the UK.

Continue Reading ICO announces it is working on bespoke UK set of Standard Contractual Clauses

In this episode, Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, or by working with a vendor to bring a product to market. Exploring a case study involving a global pharmaceutical company on the rollout of a health-related digital app,

On September 9, a federal judge in California dismissed claims brought by hiQ Labs, Inc. (hiQ) against LinkedIn Corp. (LinkedIn) that alleged that LinkedIn’s attempts to prevent hiQ from accessing public information on its website violated various antitrust laws. In an opinion that will continue to fuel debate over the relationship between antitrust and privacy,

Artificial intelligence, or AI, has the ability to process large sets of data. The term “AI” describes algorithms that can be taught to identify patterns or predict outcomes. If the algorithm is primed with a teaching set of data, then it can evaluate new sets of data based on the desired outcome. AI has been

Company investigations (whether self-initiated or required by regulators) generally require the collection, review, and analysis of data to identify documents and other materials that are relevant to the investigation. An investigation may result in the need to access sensitive personal data or, frequently, involve the review of other materials that happen to include personal data

Last week, on March 11, the California Department of Justice, Office of the Attorney General (AG) released its second set of revisions to its draft regulations under the California Consumer Privacy Act (CCPA). This second set of proposed revisions is based in part on comments received in response to an initial set of proposed revisions released by the AG last month (see February 10 Reed Smith client alert here). Written comments to this second set of proposed revisions must be submitted by March 27, 2020.

This set of proposed revisions was not extensive. Highlights appear below.
Continue Reading Still working on it – draft CCPA regulations are modified a second time