DECEMBER - JANUARYBUSINESSMANAGEMENTREVIEW.COM8By Kitty Rosser, Legal Director ,Birketts LLPDATA PROTECTION LAW REFORM TO EASE INTERNATIONAL DATA TRANSFERSInternational data transfers have long been a thorny issue, but they currently take the crown for the greatest cause of data protection headaches for privacy professionals. Birketts' Kitty Rosser takes a look at why data transfers have become so challenging and considers whether legal reform might provide a solution.There are currently three clearly identifiable factors contributing to data transfer difficulties:1. Schrems II;2. The introduction of new standard contractual clauses; and3. The increasing divergence in approach for transfers subject to EU GDPR and UK GDPR.When it comes to Schrems II, negotiations for new UK-US and EU-US data transfer mechanisms are now well in hand, albeit much uncertainty remains as to whether any resulting solutions will be sufficiently robust to withstand fresh legal challenges. However, the issue of greatest practical impact for most privacy professionals is the transfer risk assessment (TRA) requirement. Whilst there is guidance available from the European Data Protection Board (see Recommendations 01/2020) and pending from the Information Commissioner's Office, this is proving to be of little practical assistance to the average SME. Knowing that a requirement exists to "assess whether the standard contractual clauses or binding corporate rules are effective in light of all the circumstances of the transfer" is easy. Meeting the requirement is more problematic. Identifying relevant legislation and practice in another jurisdiction, assessing whether it is necessary and proportionate in a democratic society, and determining whether (and what) supplemental measures may be needed to enhance the protections afforded by the Article 46 transfer tool, is far from easy. One has to query how many organisations have access to the level of legal and technical expertise required to undertake an effective TRA. Without such expertise, does the TRA actually play any meaningful role in protecting personal data or is it reduced to a mere box ticking exercise?In the absence of a practical solution to assist organisations in completing TRAs, is it possible that the solution may lie in legal reform? The Retained Law (Revocation and Reform) Bill 2022 sets out a clear timetable for the revocation of retained EU Kitty Rosser
< Page 7 | Page 9 >