Archive for the ‘Updates’ Category

What’s happening with SCCs? – Part 3 (UK SCCs)

Part 1 and Part 2 of the What’s been happening with SCCs? updates have tracked the EU’s and the UK’s progress in developing standard contractual clauses (SCCs) to deal with the transfer of personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection, as well as the publication of the new EU SCCs.  This update focuses on the UK SCCs.

On 11th August 2021 the ICO launched a consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.  As part of the consultation the ICO published its proposal for UK standard contractual clauses in the form of a brand new international data transfer agreement (IDTA), as well as its new Transfer Risk Assessment (TRA) and tool.  The ICO is also requesting comments on an update of its existing guidance on international transfers.  The consultation closes on 7th October 2021.

All very interesting I’m sure.  But is any of this relevant to me?

Short version is that if you’re transferring UK citizens’ personal data to a ‘third country’ (i.e. a country which is not considered by the UK to have ‘adequate’ data protection laws (full list here)), then yes. You will need to use one of the transfer mechanisms (or ‘appropriate safeguards’) set out in Article 46 of the GDPR (now incorporated into UK law as the UK GDPR, as amended).  And although the UK GDPR provides for a variety of transfer mechanisms, for most businesses the only practical option in these circumstances will be for both the (UK) data exporter and (third country) data importer to enter into an IDTA, having first completed a Transfer Risk Assessment (TRA).

Bear in mind that for these purposes:

Ah, ok.  So what do I need to know?

The new IDTA and TRA requirements will not become law until the end of 2021 or, more likely, spring 2022.  Between now and then the situation is a bit of a mess.  UK law provides that the old EU SCCs must continue to be used as the Article 46 transfer mechanism, even after 27 September 2021 when they cease to be lawful for new EU cross-border data transfers.  Although some commentators have suggested that, in a post-Schrems II world, a better approach is for UK data exporters to use the new EU SCCs until the new IDTA is adopted, my view is that for the time being most UK data exporters should stay compliant with UK law and either make Brexit-required changes to their existing SCCs or, for new transfers, put in place a data transfer agreement based on the old EU SCCs.

The timelines for UK data exporters being legally required to use the new IDTA for international data transfers will be 3 months for new transfers and 21 months for existing transfers, each period running 40 days from the date on which the IDTA is laid before Parliament as a regulation.

Some high-level comments on the IDTA:

  1. In contrast to the modular new EU SCCs (which will need quite a bit of copying and pasting), the IDTA is a single agreement, made up of four parts:
    • Part 1 (Parties and signature) sets out a series of tables which capture the variables, including the status of the parties (i.e. controller, processor etc), details of the proposed data transfers, details of the data to be transferred, purposes of the transfers, and the security requirements.  If the IDTA forms part of an MSA or other commercial agreement between the exporter and importer, the MSA can be recorded as a ‘Linked Agreement’.
    • Part 2 (Extra Protection Clauses) is optional, but enables the parties to include any additional security, organisational and/or contractual protections that are considered necessary following the TRA.
    • Part 3 (Commercial Clauses) is also optional, enabling the parties to include any commercial terms that they have agreed.
    • Part 4 (Mandatory Clauses) constitutes the bulk of the IDTA, and sets out the parties’ rights and obligations in relation to the data transfers.
  2. The ICO have done their best to use plain English and avoid legal terminology, and generally to keep the IDTA as user-friendly as possible.  But the IDTA template (excluding guidance notes and Q&A) runs to 43 pages, and putting one in place will require a fair bit of work.
  3. For organisations putting in place new EU SCCs for EEA-to-third country data transfers,  the ICO has helpfully produced a short addendum which, once completed and signed, will enable the EU SCCs to be used also for transfers from the UK.
  4. In contrast to the new EU SCCs, which need to be reviewed ‘at appropriate intervals’, the IDTA (and associated TRA) should be reviewed annually, which is perhaps overly onerous for low-risk transfers.
  5. A more detailed analysis of the Mandatory Clauses of the IDTA to follow once the ICO consultation is completed.

And some comments on the TRA:

  1. The TRA precedent is intended to be used for medium and low risk transfers.  High risk transfers, such as transfers to countries with poor human rights records, are likely to require more sophisticated transfer risk assessments.  The TRA is not mandatory – data exporters are free to use whatever form of risk assessment they consider appropriate.
  2. As with the IDTA, the ICO have done their best to make the TRA accessible and user friendly.  It contains numerous, ‘real life’ practical examples showing when transfers may be permitted.  It also explains what constitutes high, medium and low risk in the context of international transfers, and (helpfully) confirms that where the risk of harm that the transfer causes to data subjects is minimal then the transfer is permitted by default.
  3. But the TRA is 49 pages long, and will constitute a significant undertaking for all but the most well-resourced data exporters.  And although the ICO recognises the challenge that data exporters face in obtaining information about the legal framework of the data importer’s country, suggesting that information may be available via ‘reports issued by the Foreign Commonwealth and Development Office and charitable organisations’, the ICO does not address the obvious question of why this information cannot be provided by the ICO (and/or appropriate government department), instead suggesting that data exporters may need to obtain ‘expert advice’.
  4. On a positive note, and unlike the new EU SCCs, the objective of the TRA is not necessarily to ensure that the legal framework of the data importer’s country is ‘essentially equivalent’, but whether it provides ‘very similar protections’ to those in the UK.  The TRA also makes the point that countries which have surveillance regimes may in fact be more legitimate than countries whose lack of surveillance laws may suggest a lack of safeguards.
  5. The findings from the TRA must be documented to ensure there is a record of the assessment. If a data exporter uses its best efforts to complete the TRA, the ICO will take this into account in any regulatory action resulting from a later GDPR breach.

Hmm… 49-page risk assessments and 43-page data transfer agreements.  Doesn’t exactly sound ‘agile’?

You’re referring to the comments of the UK culture secretary, Oliver Dowden, who suggested in his article in the FT last February that the UK can now be more ‘agile’ when it comes to ‘[striking] our own international data partnerships with some of the world’s fastest growing economies’.

If we accept the importance of ensuring a meaningful level of protection for UK citizens’ data when shared with third parties outside the UK then we either have to provide a mechanism which gives organisations the ability to put in place a framework to ensure a meaningful level of protection, or we go down the data localisation route and make it unlawful for personal data to be transferred from the UK to any ‘third country’.

Despite the reservations mentioned above, the ICO have in my view done a good job striking a balance between the need for ‘agility’, and the need to provide meaningful protection of personal data in a world which, for the most part, falls far behind the ‘gold standard’ of EU and now UK data protection.  But the elephant in the room remains why the ICO (or appropriate government department) cannot provide UK data exporters carrying out a TRA with guidelines regarding each third country’s legal framework, third-party surveillance rights and safeguards, and their similarity to those in the UK.  It will be interesting to see if this is addressed by the consultation.

Posted in Privacy, Updates

EU-UK data transfers – final update

05/07/21  (updated) – As part of the Trade and Cooperation Agreement the EU and the UK agreed a six-month ‘bridging period’, allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021, to give the European Commission enough time to adopt the adequacy decisions which are necessary to allow personal data to continue to flow from the EEA to the UK.  (If you’re not sure what I’m talking about, then you can catch up here and here.)

Anyway, good news.  With a full two days to spare, the Commission formally adopted the adequacy decisions for the UK on 28th June – one for transfers of personal data under the GDPR and the other under the Law Enforcement Directive.  As a result personal data continues to flow freely from EEA countries to the UK after the end of the bridging period.

Unlike the adequacy decisions adopted by the Commission for other third countries, the ones adopted for the UK have ‘sunset clauses’ which means that, unless renewed by the Commission, the decisions automatically expire in four years’ time.  Furthermore, the Commission can intervene at any time during the four-year period if it considers that changes to UK law reduce the level of protection currently in place.

Posted in Privacy, Updates

What’s happening with SCCs? – Part 2

09/06/21 – At the end of last week, and more than three months later than originally expected, the European Commission published final versions of its new standard contractual clauses (SCCs) for the transfer of personal data to third countries (New EU SCCs).

The New EU SCCs replace the standard contractual clauses adopted by the European Commission in 2004 and 2010.  They have been significantly updated to be consistent with the GDPR, and also address many of the issues raised by the CJEU in its Schrems II judgment.  Unlike their rather inflexible predecessors, the New EU SCCs are modular in format and can be adapted to accommodate various data transfer scenarios, including processor-to-processor transfers which will be welcomed by many B2B service providers.

Until the beginning of last month, it was assumed by most privacy geeks that the New EU SCCs, when adopted, would simply be topped-and-tailed by the ICO and then rolled out for use by UK  companies transferring personal data to ‘third countries’ (i.e. countries without a UK adequacy finding, which currently includes the U.S.).  However, last month we were somewhat taken by surprise when the ICO announced that it is currently working on bespoke standard contractual clauses for the UK (UK SCCs), expected to be published in draft form for consultation later this month.

Schrems II underlined the importance that the EU attaches to protecting its citizens’ personal data after it has been transferred out of the EU.  The UK government on the other hand has stated its post-Brexit intention to ‘strike [its] own international data partnerships’ and to be more ‘agile’.  It will therefore be interesting to see if the UK SCCs take a more permissive approach than the rigorous, post-Schrems II approach adopted by the New EU SCCs.  And if the UK SCCs are significantly less protective than the New EU SCCs, whether the European Commission will threaten to take another look at the adequacy decisions for the UK…  Given that we’re now only three weeks away from the 30th June deadline (when, in the absence of an extension, the UK becomes a ‘third country’ for GDPR purposes), this could be very bad news for UK businesses receiving personal data from customers and other data partners within the EEA.

Part 3 to follow once the UK SCCs have been issued for consultation.

Posted in Privacy, Updates

UKJT’s Digital Dispute Resolution Rules

26/05/21 – The UK Jurisdiction Taskforce (UKJT) received extensive and overwhelmingly positive publicity for the Legal Statement on the Status of Cryptoassets and Smart Contracts that it published in December 2019 – you can read more about the Legal Statement here.

On 22nd April 2021 the UKJT published its Digital Dispute Resolution Rules (Rules) which:

Key features of the Rules:

Since their publication a few weeks ago, the reaction has been largely favourable, with praise for the simplicity, flexibility, speed and certainty of the Rules.  Whether the positive initial reaction now translates into broad uptake by participants in the new digital technologies remains to be seen.

Posted in Technology, Updates

What’s happening with SCCs? – Part 1

05/05/21 – If your organisation does not transfer personal data to ‘third countries’, i.e. countries outside the EEA that do not have a UK adequacy finding, then breathe a sigh of relief and feel free to go and do something else.  If, however, your organisation does transfer personal data to a ‘third country’ (which for these purposes includes the U.S.), then this is likely to be relevant to your data processing arrangements.

During an IAPP/LinkedIn Live event last week, the European Commission’s Head of International Data Flows and Protection, Bruno Gencarelli, explained that the delay to the adoption of the EU’s new Standard Contractual Clauses (New EU SCCs) is principally due to the volume of feedback that the European Commission has received since the publication of the draft New EU SCCs last November.  However, according to Mr Gencarelli, it is now ‘a question of weeks‘ until the New EU SCCs are adopted by the Commission.

Most privacy lawyers – including me – have been assuming that once the New EU SCCs are adopted by the Commission, then the UK’s ICO will adopt pretty much identical standard contractual clauses for UK data exporters.  This assumption has been based in part on the ‘copy & paste’ approach that the UK has so far taken to incorporating the EU GDPR (and for that matter the existing EU SCCs) into UK law, and in part on the fact that the UK is currently looking to secure a ‘clean’ EU adequacy decision while fully aware of the importance that the EU attaches to maintaining ongoing alignment of the EU and UK data protection frameworks.

It therefore came as a bit of a surprise when the ICO’s Deputy Information Commissioner, Steve Wood, announced today that the ICO ‘is working on bespoke UK standard clauses for international transfers, and intend to go to consultation on them in the summer‘.  No details yet, but the message is clear – if you’re expecting the UK’s new SCCs to be a ‘copy & paste’ of the EU’s New SCCs, then don’t.  And in terms of timing, it looks like UK data exporters may have to wait for another few months before they have access to updated SCCs for their transfers.

Part 2 to follow as soon as we have some more detail.

Posted in Privacy, Updates

Overview of the European Commission’s proposed AI regulation

26/04/21 – The European Commission aims to turn the EU into ‘the global hub for trustworthy Artificial Intelligence (AI)’.  With that objective in mind, on 21st April 2021 the Commission published its Proposal for a Regulation on a European approach for Artificial Intelligence.

Very interesting, I’m sure.  But presumably not relevant to those of us who are no longer in the EU?  Or to those of us who aren’t building robots to conquer the human race, haha?

On the EU point, the regulation applies to both EU and non-EU providers who market or deploy AI systems in the EU, all users of AI systems in the EU, as well as providers and users of AI systems that are located outside the EU but where the outputs of the AI systems are used in the EU.  In other words, the regulation potentially extends far beyond the EU’s borders.

And for the Asimov fans out there, the regulation’s definition of ‘AI system’ is perhaps a little disappointing: ‘software that is developed with one or more of the techniques and approaches listed in Annex I and [which] can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing environments they interact with’.

Annex I in full:

‘(a) Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;

(b) Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems;

(c) Statistical approaches, Bayesian estimation, search and optimization methods.’

Ah I see what you mean.  So what do I need to know?

Well, the proposed regulation runs to 107 pages (not including the Annexes), so there’s quite a bit to digest.  But by way of an overview:

  1. Timing. The regulation will now be reviewed and debated by the European Parliament, and then by the Council of Europe.  Given the subject matter, the regulation is also likely to generate extensive comments from AI providers and other interested parties.  Once adopted by the Commission, the regulation is then subject to a 24-month grace period before it applies fully (Article 85(2)).  Being realistic we’re looking at go-live in 2023, and very possibly 2024.
  2. Risk-based approach. The regulation takes a risk-based approach, with AI systems falling into one of three categories: prohibited AI practices, high-risk systems, and lower-risk systems.
  3. Prohibited AI practices. The regulation prohibits four specific practices involving AI (Article 5):
    1. Marketing or deploying AI systems that ‘deploy subliminal techniques beyond a person’s consciousness’ in order to distort their behaviour in a way that causes or may cause harm.
    2. Marketing or deploying AI systems that exploit vulnerabilities due to age, physical or mental disability in order to distort someone’s behaviour in a manner that causes or may cause harm.
    3. Marketing or deploying, by public authorities, AI systems that evaluate or classify the trustworthiness of people with a social score (social scoring).
    4. Use of ‘real-time’ remote biometric identification systems (e.g. facial recognition systems) for law enforcement purposes, with broad exemptions for certain criminal justice-related purposes. Biometric testing is likely to be one of the more controversial aspects of the regulation; the European Data Protection Supervisor (EDPS) has already issued a press release criticising the Commission for not adopting a stricter approach.
  4. High-risk systems. The regulation specifies two categories of high-risk AI systems:
    1. The first category consists of AI systems used as safety components of products, or AI systems which are themselves products, that are regulated under the ‘New Legislative Framework’ legislation listed in Annex II to the regulation, e.g. toys, medical devices, motor vehicles, gas appliances etc. Checking that these AI safety components, or AI systems, comply with the regulation (‘conformity assessments’) will be incorporated into the existing third-party compliance and enforcement mechanisms for the relevant products.
    2. The second category consists of stand-alone AI systems that the Commission considers have ‘fundamental rights implications’. These are listed in Annex III to the regulation, and include AI systems used for:

Stand-alone systems will be subject to conformity assessments, as well as quality and risk management systems and post-market monitoring. Following the conformity assessments, the AI systems must then be registered in a European Commission-managed database, to ensure public transparency and assist ongoing supervision.

  5. Lower-risk systems. AI systems which are not prohibited or high-risk are subject to relatively light-touch regulation.  There are no conformity assessments for lower-risk systems.  And although all providers must inform individual users that they are interacting with an AI system (unless it is ‘obvious from the circumstances and the context of use’), there is no obligation for providers of lower-risk AI systems to provide information about the system’s algorithm or how it operates, as is the case for providers of high-risk systems.
  6. Data governance. Providers of high-risk systems are required to adopt rigorous data governance and management practices in relation to training, validation and testing datasets to reduce the risk of potential biases and other inaccuracies.
  7. Sandboxes. The regulation encourages EU member states to establish sandboxes (i.e. controlled environments) to enable providers to test innovative technologies on the basis of an agreed testing plan, and to reduce the regulatory burden (including conformity assessment fees) for SMEs and start-ups.
  8. Penalties. For corporate providers of AI systems there are three levels of fines:
    1. Non-compliance with Article 5 (prohibited AI practices, see para 3 above) or Article 10 (data governance, see para 6 above) is subject to a fine of up to €30,000,000 or 6% of total annual worldwide turnover, whichever is the higher.
    2. For non-compliance with any other provision of the regulation, up to €20,000,000 or 4% of total annual worldwide turnover, whichever is the higher.
    3. For the supply of incorrect, incomplete or misleading information to regulatory bodies, up to €10,000,000 or 2% of total annual worldwide turnover, whichever is the higher.

I see what you mean about quite a bit to digest.  Anything I need to do now?

Although the regulation is likely to be subject to various changes over the next few months – particularly in the areas of biometric testing and social scoring – the fundamental principles are unlikely to change.  So if you’re involved with the development, marketing, sale or distribution of software that constitutes a high-risk AI system then you may want to start thinking about how the regulation will impact areas such as the accuracy of your datasets, risk of bias, and algorithmic transparency.

Posted in Technology, Updates

UK adequacy decisions – lukewarm thumbs-up from the EDPB

15/04/21 – If you’ve been following the progress of the UK adequacy decisions (see updates from December 2020 and March 2021), you will know that we have been waiting for the European Data Protection Board’s opinions on the draft UK adequacy decisions.  As per the EDPB’s press release yesterday, these opinions have now been adopted.

Although the full texts are not yet available, the press release suggests that the EDPB’s opinions broadly support the adequacy decisions, noting that the UK has “for the most part” mirrored the GDPR and the Law Enforcement Directive in its data protection framework, and that as a result many aspects of the UK’s law and practice are “essentially equivalent”.

However, the EDPB also emphasises that the alignment of the EU and UK data protection frameworks must be maintained going forward, and welcomes the European Commission’s decision to limit the duration of the adequacy decisions (to 4 years).  The EDPB also urges the Commission to closely monitor how the UK applies restrictions to onward transfers of EEA personal data, including transfers pursuant to adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

Next step is for the adequacy decisions to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’, following which they can be adopted by the Commission.  I will keep you posted.

Posted in Privacy, Updates

EU-UK data transfers – update

30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here.  Half-way through the bridging period is probably a good time for an update.

Update?  Didn’t I read a few weeks ago that the EU issued the UK adequacy decision, and it’s now all done and dusted?

No, not really.  What happened is that on 19th February 2021 the European Commission issued two UK adequacy decisions (one for transfers under the GDPR, and the other for transfers under the Law Enforcement Directive), but only in draft form.  The drafts have now been passed to the European Data Protection Board (EDPB) for them to review and issue their non-binding (but influential) ‘advisory opinions’.  After the advisory opinions have been issued, and any EDPB-recommended changes have been incorporated into the text of the adequacy decisions, the drafts will then need to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’.  Once approved, the adequacy decisions can be formally adopted by the Commission, and become legally effective.

Ah, so not quite done and dusted.  Will this all be wrapped up by 30th June?

Probably.  The good news is that the draft adequacy decisions were issued by the European Commission without any material conditions attached to them, i.e. the Commission considers that the UK’s data protection laws and systems are adequate.  Also positive was the prediction of the EU Head of International Data Flows, Bruno Gencarelli, who said in a LinkedIn webinar on 27th January 2021 that he was confident the UK adequacy decisions would be adopted “by the end of the bridging period”.  Ditto the prediction of the EU Commissioner for Justice, Didier Reynders, who, according to Vincent Manancourt of politico.eu, said on 16th February 2021 that the EDPB’s “opinion on UK data flows decision [is] expected mid-April […] Whole process to be wrapped up by Brussels by end of May/early June”.

Less positive were the widely-publicised comments of the UK culture secretary Oliver Dowden, who in his FT article on 27th February said: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”; and that the UK can now be more “agile” when it comes to “[striking] our own international data partnerships with some of the world’s fastest growing economies. […] The EU has been slow to act on this, declaring only 12 countries ’adequate’ in the past few decades”.  Announcing the UK’s intention to diverge from the GDPR and criticising the EU’s historic approach to adopting adequacy decisions, all while the EDPB is busy considering the UK’s application, may not have been Mr Dowden’s best idea.

All very interesting, but I’ve got data flows with EU customers and other data partners which need to continue after 30th June.  What do I need to do?

You’ve got a number of options, including:

  1. Do nothing. If the GDPR adequacy decision isn’t adopted by 30th June 2021 (and the bridging period isn’t extended), then deal with the situation on 1st July.  If this option appeals, then bear in mind that although you may be willing to take a risk-based view on the legality of your post-30th June data flows, your EEA data partner may not.
  2. Put in place a valid transfer mechanism or safeguard (most likely Standard Contractual Clauses (SCCs)) ASAP, even though they may end up not being needed. This is clearly ‘best practice’, and consistent with the ICO’s recommendation:  “If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April”.
  3. Contact each of your EEA data partners, and suggest to them that if the GDPR adequacy decision has not been adopted by say end of May, or even mid-June, then you will both work together with a view to putting in place SCCs by 30th June.

Posted in Privacy, Updates

Who owns the copyright in software created by your employees?

12/03/21 – In accordance with the Copyright, Designs and Patents Act 1988 where any work “is made by an employee in the course of his employment, his employer is the first owner of any copyright in the work, subject to any agreement to the contrary”. (more…)

Posted in Technology, Updates

Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield.  In their judgment the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned”.

Following the Schrems II judgment, the European Data Protection Board (EDPB) issued two pieces of guidance to help data exporters with the analysis required by the ECJ: Measures that supplement transfer tools (Recommendations 01/2020); and European Essential Guarantees (Recommendations 02/2020).  In addition, the European Commission published updated draft SCCs for consultation, which are expected to be adopted in March 2021.

In practice, this means that businesses which propose to transfer – or to continue to transfer – personal data using SCCs (or another transfer tool) to a third country must first carry out a transfer impact assessment (TIA) with a successful outcome in accordance with the six-step process set out in the EDPB’s Measures that supplement transfer tools (Recommendations 01/2020):

Step 1:  Map your data flow, i.e. the scope and categories of personal data to be transferred, the data subjects concerned, and the purposes for which the data is being transferred.

Step 2: Identify your transfer tool, which will usually be SCCs but could be for example Binding Corporate Rules (BCRs).

Step 3: Assess the laws of the third country for the purpose of identifying any respects in which those laws may not permit the data importer to comply with its obligations under the SCCs (or other transfer tool), and therefore not provide protection which is essentially equivalent to that provided by EU law.  The EDPB’s European Essential Guarantees (Recommendations 02/2020) sets out the minimum standards by which the third country’s laws can be assessed.

Step 4: Identify appropriate supplementary measures to remedy any shortcomings disclosed by the assessment in Step 3.  Supplementary measures may be contractual, technical or organisational in nature.

Step 5: Implement your supplementary measures.

Step 6: Re-evaluate your assessment at appropriate intervals.

Also, note that the TIA must be properly documented, and include appropriate supporting documentation such as data mapping records and legal opinions from local counsel.  And if the TIA discloses the existence of local laws which impinge on the effectiveness of the SCCs (or other transfer tool), and no supplementary measures are available to mitigate the risk, then the transfer cannot proceed/must be suspended immediately.

Reaction to the brave new, post-Schrems II world of data transfers has been mixed… Ensuring EU-standard privacy protection for data that is transferred outside the EEA is of course commendable, at least in principle.  But requiring all businesses to not only put in place comprehensive contractual protections (e.g. by way of SCCs) but also to carry out a time consuming, technically difficult and potentially very costly TIA for each type of transfer is arguably so onerous that many businesses, particularly SMEs, will take a risk-based view and simply dispense with the TIA.  Other businesses may take the view that exporting data outside the EEA is simply too difficult, and replace their existing service providers with EEA-based providers.

The European Commission (EC) is of course aware of the difficulties that Schrems II has created for EEA organisations, including those which already have established global data sharing networks, and those looking to transfer data to non-EEA service providers for which there are no equivalents available in the EEA.  But while we wait for the EC to come up with some more workable alternative options, businesses which are exporting, or looking to export, personal data to third countries may now want to start:

Posted in Privacy, Updates
