ICO Confirms UK Firms May Rely on Public Interest Derogation for SEC Transfers Friday, January 29, 2021
On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”). Such firms or branches include investment advisers, securities-based swap dealers and other market participants. The ICO also reviewed the application of the UK GDPR to transfers made by UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a U.S. exchange or market.
Introduction
With the UK now unambiguously out of the EU, the EU General Data Protection Regulation (2016/679) (“
EU GDPR”) has been replaced by the United Kingdom General Data Protection Regulation (“
UK GDPR”). In this third instalment of our Data & Brexit Digest, we highlight some practical implications of Brexit for data protection contractual drafting and policies.
What should you consider in terms of contractual and policy drafting?
Contracts
Statutory references: Standard terms and conditions and other contractual documents should be updated to include the correct statutory references. Where an agreement has a cross-border element, this will involve considering the extent to which the UK GDPR, the EU GDPR and/or other data protection laws may apply to each party, and how this should be reflected in the drafting. This should take account of the specific circumstances, such as the location of the parties and the nature of any services being provided.
The UK Information Commissioner’s Office has warned that many media companies are breaking the law and urged them to review how they use personal data as it resumed its adtech investigation.
Its probe into the UK’s £13bn a year online advertising industry will particularly look into widespread non-compliance with GDPR, the EU data regulations which were incorporated into UK law in 2018.
Under GDPR people must unambiguously opt-in to receive marketing communications and to share their personal data. GDPR states that marketers and publishers must also abide by strict rules around the storage of data and how it is shared with other companies.