Archive for the ‘Privacy’ Category

EU-UK data transfers – update

30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here.  Half-way through the bridging period is probably a good time for an update.

Update?  Didn’t I read a few weeks ago that the EU issued the UK adequacy decision, and it’s now all done and dusted?

No, not really.  What happened is that on 19th February 2021 the European Commission issued two UK adequacy decisions (one for transfers under the GDPR, and the other for transfers under the Law Enforcement Directive), but only in draft form.  The drafts have now been passed to the European Data Protection Board (EDPB) for them to review and issue their non-binding (but influential) ‘advisory opinions’.  After the advisory opinions have been issued, and any EDPB-recommended changes have been incorporated into the text of the adequacy decisions, the drafts will then need to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’.  Once approved, the adequacy decisions can be formally adopted by the Commission, and become legally effective.

Ah, so not quite done and dusted.  Will this all be wrapped up by 30th June?

Probably.  The good news is that the draft adequacy decisions were issued by the European Commission without any material conditions attached to them, i.e. the Commission considers that the UK’s data protection laws and systems are adequate.  Also positive was the prediction of the EU Head of International Data Flows, Bruno Gencarelli, who said in a LinkedIn webinar on 27th January 2021 that he was confident the UK adequacy decisions would be adopted “by the end of the bridging period”.  Ditto the prediction of the EU Commissioner for Justice, Didier Reynders, who, according to Vincent Manancourt of politico.eu, said on 16th February 2021 that the EDPB’s “opinion on UK data flows decision [is] expected mid-April […] Whole process to be wrapped up by Brussels by end of May/early June”.

Less positive were the widely-publicised comments of the UK culture secretary Oliver Dowden, who in his FT article on 27th February said: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”; and that the UK can now be more “agile” when it comes to “[striking] our own international data partnerships with some of the world’s fastest growing economies. […] The EU has been slow to act on this, declaring only 12 countries ’adequate’ in the past few decades”.  Announcing the UK’s intention to diverge from the GDPR and criticising the EU’s historic approach to adopting adequacy decisions, all while the EDPB is busy considering the UK’s application, may not have been Mr Dowden’s best idea.

All very interesting, but I’ve got data flows with EU customers and other data partners which need to continue after 30th June.  What do I need to do?

You’ve got a number of options, including:

  1. Do nothing. If the GDPR adequacy decision isn’t adopted by 30th June 2021 (and the bridging period isn’t extended), then deal with the situation on 1st July.  If this option appeals, then bear in mind that although you may be willing to take a risk-based view on the legality of your post-30th June data flows, your EEA data partner may not.
  2. Put in place a valid transfer mechanism or safeguard (most likely Standard Contractual Clauses (SCCs)) ASAP, even though they may end up not being needed. This is clearly ‘best practice’, and consistent with the ICO’s recommendation:  “If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April”.
  3. Contact each of your EEA data partners, and suggest to them that if the GDPR adequacy decision has not been adopted by say end of May, or even mid-June, then you will both work together with a view to putting in place SCCs by 30th June.

Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield.  In its judgment the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned”.

Following the Schrems II judgment, the European Data Protection Board (EDPB) issued two pieces of guidance to help data exporters with the analysis required by the ECJ: Measures that supplement transfer tools (Recommendations 01/2020); and European Essential Guarantees (Recommendations 02/2020).  In addition, the European Commission published updated draft SCCs for consultation, which are expected to be adopted in March 2021.

In practice, this means that businesses which propose to transfer – or to continue to transfer – personal data using SCCs (or another transfer tool) to a third country must first carry out a transfer impact assessment (TIA) with a successful outcome in accordance with the six-step process set out in the EDPB’s Measures that supplement transfer tools (Recommendations 01/2020):

Step 1:  Map your data flow, i.e. the scope and categories of personal data to be transferred, the data subjects concerned, and the purposes for which the data is being transferred.

Step 2: Identify your transfer tool, which will usually be SCCs but could be for example Binding Corporate Rules (BCRs).

Step 3: Assess the laws of the third country for the purpose of identifying any respects in which those laws may not permit the data importer to comply with its obligations under the SCCs (or other transfer tool), and therefore not provide protection which is essentially equivalent to that provided by EU law.  The EDPB’s European Essential Guarantees (Recommendations 02/2020) sets out the minimum standards by which the third country’s laws can be assessed.

Step 4: Identify appropriate supplementary measures to remedy any shortcomings disclosed by the assessment in Step 3.  Supplementary measures may be contractual, technical or organisational in nature.

Step 5: Implement your supplementary measures.

Step 6: Re-evaluate your assessment at appropriate intervals.

Also, note that the TIA must be properly documented, and include appropriate supporting documentation such as data mapping records and legal opinions from local counsel.  And if the TIA discloses the existence of local laws which impinge on the effectiveness of the SCCs (or other transfer tool), and no supplementary measures are available to mitigate the risk, then the transfer cannot proceed/must be suspended immediately.

Reaction to the brave new, post-Schrems II world of data transfers has been mixed.  Ensuring EU-standard privacy protection for data that is transferred outside the EEA is of course commendable, at least in principle.  But requiring all businesses not only to put in place comprehensive contractual protections (e.g. by way of SCCs) but also to carry out a time-consuming, technically difficult and potentially very costly TIA for each type of transfer is arguably so onerous that many businesses, particularly SMEs, will take a risk-based view and simply dispense with the TIA.  Other businesses may take the view that exporting data outside the EEA is simply too difficult, and replace their existing service providers with EEA-based providers.

The European Commission (EC) is of course aware of the difficulties that Schrems II has created for EEA organisations, including those which already have established global data sharing networks, and those looking to transfer data to non-EEA service providers for which no equivalents are available in the EEA.  But while we wait for the EC to come up with some more workable alternative options, businesses which are exporting, or looking to export, personal data to third countries may now want to start:

European Commission publishes draft UK adequacy decisions

22/02/21 – On 19 February 2021 the European Commission published two draft adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive.  Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive, including in relation to the rules for data access by public authorities.

What happens next?

The European Data Protection Board (EDPB) will now review and provide its (non-binding) opinion on the draft decisions.  Representatives of each EU member state will then be asked to approve the adequacy decisions (the so-called ‘comitology procedure’) before the decisions are adopted by the Commission.  In the meantime data can continue to be transferred from the EEA to the UK under the regime set out in the UK-EU Trade and Cooperation Agreement, as discussed in my article UK-EU data transfers from 1st January 2021 – where are we?  If the draft adequacy decisions are adopted, they will be valid for four years, following which they will be renewed if the level of protection in the UK continues to be adequate.

How to draft a privacy policy

Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information.  The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one.  The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).

Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.

Information audit

The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:

Privacy notice

The next step is then to create the privacy notice by documenting the output of your information audit.  The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:

  1. Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
  2. The types of personal data the controller collects, and how the personal data is collected.
  3. Whether any of the personal data constitutes special category data.
  4. What the controller intends to do with the personal data.
  5. The lawful basis for processing the personal data.
  6. Whom the controller shares the personal data with, and why.
  7. Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
  8. How long the controller keeps the personal data.
  9. How the controller keeps the personal data secure.
  10. If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
  11. Whether the controller uses automated decision-making, including profiling, and if so details of logic involved and consequences of processing for the individual.
  12. What rights the individual has in relation to their personal data.

Final thoughts…

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’).

Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.

Quite apart from being the right thing to do commercially, controllers and processors are required by Art 28(3) of the GDPR (now incorporated into UK law, as amended) to enter into a contract which sets out:

The contract must also stipulate the processor obligations listed in paragraphs (a) – (h) of Art 28(3):

If a processor wants to engage its own processor (a ‘sub-processor’), the processor must obtain the controller’s specific or general prior authorisation.  If the authorisation is general, then the processor must notify the controller of any additional or replacement sub-processor (Art 28(2)).  The processor must also enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA between the processor and the controller (Art 28(4)).

EU-UK data transfers from 1st January 2021 – where are we?

29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasingly likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful.

European Commission publishes new draft SCCs for consultation

19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism.

Special category data – what do I need to know?

Ok, let’s start with the basics.  What is ‘special category data’?

Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as:

In short, special category data is personal data that needs more protection because it is sensitive.

And what does ‘more protection’ mean?

It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:

  1. Prior to processing any special category data, you must not only identify and document a lawful basis under Article 6 (as required for all processing of personal data), but you must also satisfy at least one of the conditions for processing special category data listed in Article 9.
  2. Of the 10 conditions for processing special category data in Article 9, five require you to meet additional conditions and safeguards set out in Schedule 1 of the Data Protection Act 2018 (“Schedule 1 conditions”).   For some Schedule 1 conditions you also need to put in place an ‘appropriate policy document’.  The ICO has provided an appropriate policy document template.
  3. In practice, you may need to use the explicit consent condition for the special category data processing (Article 9(2)(a)).  If so, then bear in mind that the individual’s consent must be:
    • freely given
    • specific, i.e. it must specify the nature of the special category data, and be separate from any other consents
    • affirmative, i.e. opt-in
    • unambiguous
    • capable of being withdrawn at any time.
  4. Article 35 requires you to do a Data Protection Impact Assessment (DPIA) for any type of processing that “is likely to result in a high risk to the rights and freedoms of natural persons”.  This is more likely to be the case when processing special category data.
  5. Article 30 requires controllers to maintain a record of processing activities.  The exemption from this obligation for organisations employing fewer than 250 persons (Article 30(5)) does not apply where the processing includes special categories of data.
  6. Update your privacy notice with specific information about your processing of special category data.

Demise of the EU-U.S. Privacy Shield

23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’.
