As business gets back on the move, Rob Masson, CEO of The DPO Centre, runs through five key points that UK travellers need to know about regulation and data privacy.
Over the last year, travelling abroad for business has ground virtually to a halt with the Covid-19 pandemic affecting all corners of the globe. However, as we come out of the other side and travel starts to pick up again, now is an opportune time to discuss the top considerations that business travellers need to know about data privacy.
Now the UK is officially out of the European Union, EU GDPR is no longer directly applicable in the UK. However, when the EU GDPR first came into force in May 2018, the Data Protection Act (DPA) 2018 was enacted into UK law. Post-Brexit, the DPA 2018 now defaults to UK GDPR. For organisations that process both UK and EU residents’ data, both the EU GDPR and the UK GDPR must now be complied with. Over time, the two will likely diverge due to case law, potentially adding further complexity.
International data transfers
For many organisations, travelling for business is a means of cultivating commercial relationships abroad. In these instances, personal data is likely to be transferred between a UK organisation and organisations located outside of the UK (in “third countries”); such transfers are known as restricted transfers. Where a restricted transfer occurs, the UK GDPR makes it clear that an appropriate transfer mechanism must be in place. This will vary depending upon the context of the transfer, but there are three possible mechanisms: adequacy, appropriate safeguards, or an Article 49 derogation.
It is important to also remember that whilst the UK GDPR applies to the transfer of UK residents’ personal data, there may be different national rules in the third country that apply to transfers of their own residents’ personal data abroad. It is therefore important to research the local data protection laws and how they apply to international data transfers prior to beginning the data processing.
As mentioned above, “adequacy” is one mechanism that can be used to lawfully transfer personal data internationally. Adequacy is a status that the UK government can give to a country if it is satisfied that the country’s national laws provide a level of personal data protection that is “essentially equivalent” to the protection provided in UK law. Personal data can flow freely with countries that have received an adequacy decision, making it the most straightforward international data transfer mechanism.
Currently, the UK has given adequate status to the same countries that the EU Commission has deemed “adequate” under the EU GDPR. It has also granted the EU itself adequacy, although the EU has yet to reciprocate. Post-Brexit, a six-month bridging period was agreed which enables personal data to flow freely between the UK and the EU. But, at the time of writing, if the EU decides not to award an adequacy decision to the UK, then additional safeguards will be required to transfer EU residents’ personal data to the UK.
Artificial intelligence regulation
In April 2021, the EU Commission released a proposal for a regulatory framework that aims to govern when and how AI can be used in the EU. Whilst at present it is only in the proposal stage, so the content is subject to change, the regulation will impact organisations outside of the EU if they are offering AI systems for sale in the EU or using AI in any way that would impact EU residents. This new regulation may therefore impact UK businesses that deal in AI, and their decision on whether to conduct business in the EU, not least because, in some cases, even offering for sale a prohibited AI system in the EU could land an organisation with a €30m fine (or 6% of annual global turnover).
Covid-19 vaccine passports
This topic and its privacy implications have been hotly contested for months. However, despite significant opposition from the privacy community, it appears that vaccine passports are going to be the key to enabling travel abroad this year. As this information relates to special category health data, any processing requires additional controls. In April, it was determined that the NHS app used to book doctor’s appointments is going to be used to enable individuals to prove that they have been vaccinated against Covid-19 or had a negative test result before flying, and thus will be essential for business travellers.
Better to be safe
From the above, it is clear that events in the last year and a half, namely Covid-19, Brexit and the ever-increasing technological developments, have come together to result in a whole host of new privacy considerations for individuals who travel internationally for business. Ultimately, it comes down to this: know your jurisdictions. Prior to travelling, knowing the laws in the destination countries, as well as UK laws, and how they apply is essential to avoid any slip-ups or nasty fines. The DPO Centre provides outsourced data protection officers who can assist your organisation with understanding the ever-changing compliance landscape and mitigating compliance risks.