The UK Government has relaunched its efforts to reform the UK’s data protection regime, with the Data Protection and Digital Information Bill (No. 2) (the “Bill“) being introduced to Parliament on Wednesday 8 March. The Bill supersedes a previous version that was originally published in July 2022 (see our previous legal update).
UK GDPR
ICO’s Updated Guidance on International Personal Data Transfers Offers an Alternative Approach to Carrying Out Transfer Risk Assessments
The UK Information Commissioner’s Office (the “ICO”) published new guidance on transfer risk assessments (“TRAs”) and a template for carrying out a TRA.
All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data subject to the UK GDPR outside the United Kingdom using…
Deadline to Update Template Contracts to Address International Personal Data Transfers Outside the UK
Companies that rely on standard contractual clauses for transferring personal data from the United Kingdom to jurisdictions not considered to offer an adequate level of data protection under the UK General Data Protection Regulation can no longer use the old EU standard contractual clauses in new contracts as of today, Wednesday 21 September 2022.…
UK Government Sets Out its Plans for UK Data Protection Reform
The UK Government has published its response to the consultation on its proposed reform of the UK’s data protection regime (which we have provided further information on in our previous legal update available here.) Whilst the UK Government has proposed several incremental reforms to the UK’s data protection laws that will diverge from the…
The Free Flow of Personal Data From the European Economic Area to the United Kingdom Can Continue (at Least for Now)
Today, 28 June 2021, the European Commission formally adopted two adequacy decisions with respect of transferring personal data from the European Economic Area (the “EEA”) to the United Kingdom (the “UK”): one under the EU General Data Protection Regulation and one under the EU Law Enforcement Directive. The two decisions come into…
English High Court Considers Limits of the Extraterritorial Reach of the GDPR in Relation to an Overseas Website
The General Data Protection Regulation (“GDPR”) has extraterritorial reach, meaning that many organisations based outside the European Economic Area (“EEA”) and the United Kingdom (in the case of the UK GDPR) must comply with GDPR obligations for personal data processing activities which fall within the territorial scope of Article 3 of…
Brexit – Data Protection After the Brexit Transition Period
Whilst the UK left the European Union (“EU”) on 31 January 2020 (“Exit Day”) it remained within the EU’s legal framework during the Brexit Transition Period (“Transition Period”). When the Transition Period ends at 11:00 p.m. GMT on 31 December 2020 (“Completion Day”), EU law that was…