Posts Tagged ‘data transfer’

UK adequacy decisions – lukewarm thumbs-up from the EDPB

15/04/21 – If you’ve been following the progress of the UK adequacy decisions (see updates from December 2020 and March 2021), you will know that we have been waiting for the European Data Protection Board’s opinions on the draft UK adequacy decisions.  As per the EDPB’s press release yesterday, these opinions have now been adopted.

Although the full texts are not yet available, the press release suggests that the EDPB’s opinions broadly support the adequacy decisions, noting that the UK has “for the most part” mirrored the GDPR and the Law Enforcement Directive in its data protection framework, and that as a result many aspects of the UK’s law and practice are “essentially equivalent”.

However, the EDPB also emphasises that the alignment of the EU and UK data protection frameworks must be maintained going forward, and welcomes the European Commission’s decision to limit the duration of the adequacy decisions (to 4 years).  The EDPB also urges the Commission to closely monitor how the UK applies restrictions to onward transfers of EEA personal data, including transfers pursuant to adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

The next step is for the adequacy decisions to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’, following which they can be adopted by the Commission.  I will keep you posted.


Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield.  In their judgement the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned”.

Following the Schrems II judgment, the European Data Protection Board (EDPB) issued two pieces of guidance to help data exporters with the analysis required by the ECJ: Measures that supplement transfer tools (Recommendations 01/2020); and European Essential Guarantees (Recommendations 02/2020).  In addition, the European Commission published updated draft SCCs for consultation, which are expected to be adopted in March 2021.

In practice, this means that businesses which propose to transfer – or to continue to transfer – personal data using SCCs (or another transfer tool) to a third country must first carry out a transfer impact assessment (TIA) with a successful outcome in accordance with the six-step process set out in the EDPB’s Measures that supplement transfer tools (Recommendations 01/2020):

Step 1:  Map your data flow, i.e. the scope and categories of personal data to be transferred, the data subjects concerned, and the purposes for which the data is being transferred.

Step 2: Identify your transfer tool, which will usually be SCCs but could be for example Binding Corporate Rules (BCRs).

Step 3: Assess the laws of the third country for the purpose of identifying any respects in which those laws may not permit the data importer to comply with its obligations under the SCCs (or other transfer tool), and therefore not provide protection which is essentially equivalent to that provided by EU law.  The EDPB’s European Essential Guarantees (Recommendations 02/2020) sets out the minimum standards by which the third country’s laws can be assessed.

Step 4: Identify appropriate supplementary measures to remedy any shortcomings disclosed by the assessment in Step 3.  Supplementary measures may be contractual, technical or organisational in nature.

Step 5: Implement your supplementary measures.

Step 6: Re-evaluate your assessment at appropriate intervals.

Also, note that the TIA must be properly documented, and include appropriate supporting documentation such as data mapping records and legal opinions from local counsel.  And if the TIA discloses the existence of local laws which impinge on the effectiveness of the SCCs (or other transfer tool), and no supplementary measures are available to mitigate the risk, then the transfer cannot proceed/must be suspended immediately.

Reaction to the brave new, post-Schrems II world of data transfers has been mixed.  Ensuring EU-standard privacy protection for data that is transferred outside the EEA is of course commendable, at least in principle.  But requiring all businesses not only to put in place comprehensive contractual protections (e.g. by way of SCCs) but also to carry out a time-consuming, technically difficult and potentially very costly TIA for each type of transfer is arguably so onerous that many businesses, particularly SMEs, will take a risk-based view and simply dispense with the TIA.  Other businesses may take the view that exporting data outside the EEA is simply too difficult, and replace their existing service providers with EEA-based providers.

The European Commission (EC) is of course aware of the difficulties that Schrems II has created for EEA organisations, including those which already have established global data sharing networks, and those looking to transfer data to non-EEA service providers for which no equivalents are available in the EEA.  But while we wait for the EC to come up with some more workable alternative options, businesses which are exporting, or looking to export, personal data to third countries may now want to start:


European Commission publishes draft UK adequacy decisions

22/02/21 – On 19 February 2021 the European Commission published two adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive.  Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive, including in relation to the rules for data access by public authorities.

What happens next?

The European Data Protection Board (EDPB) will now review and provide its (non-binding) opinion on the draft decisions.  Representatives of each EU member state will then be asked to approve the adequacy decisions (the so-called ‘comitology procedure’) before the decisions are adopted by the Commission.  In the meantime data can continue to be transferred from the EEA to the UK under the regime set out in the UK-EU Trade and Cooperation Agreement, as discussed in my article UK-EU data transfers from 1st January 2021 – where are we?  If the draft adequacy decisions are adopted, they will be valid for four years, following which they will be renewed if the level of protection in the UK continues to be adequate.
