There have been a number of EU and UK developments affecting transfers of personal data. We summarise the key ones below and set out some practical steps to take in light of these developments. Any organisation which transfers personal data to or from the EU27 will need to work out what changes are required to address these new developments. We won’t have full clarity until the European Commission and EDPB finalise their current drafts but we recommend embarking now on the groundwork to be in a position to move swiftly once the building blocks are available.
The judgment of the Court of Justice of the European Union (“CJEU”) in July 2020 in the Schrems II case had a major impact on transfers of personal data from the EU:
(a) Privacy Shield was invalidated as a mechanism for transferring personal data to the US;
(b) where relying on data transfer tools such as the EU Standard Contractual Clauses (“SCCs”), an essentially equivalent level of protection is required in the recipient jurisdiction. This needs to be assessed in light of the law and practice in the recipient jurisdiction which may prejudice the SCCs; and
(c) if there is not an essentially equivalent level of protection in the third jurisdiction, additional or supplementary measures may be required in order to validly transfer the personal data outside of the EU or UK to that third jurisdiction.
Guidance from the European Data Protection Board (“EDPB”)
In November 2020, the EDPB published a recommendation on supplementary transfer tools. This recommendation was open for consultation until 21 December 2020, and we are currently awaiting an updated version from the EDPB. This recommendation sets out a “road map” for assessing data transfers, which includes the following steps:
- Step 1: Knowing your transfers. It is important to understand where personal data is being transferred to, which entity is processing it and in what capacity, and whether there are onward transfers to other jurisdictions.
- Step 2: Identifying the transfer tools you are relying upon. For example, are the SCCs used to legitimise the transfer to the third jurisdiction?
- Step 3: Assessing whether the transfer tool under Article 46 of the GDPR is effective in light of all the circumstances of the transfer. This is the assessment of the law and practice in the third jurisdiction if for example you are relying on the SCCs or any other GDPR transfer mechanism.
- Step 4: Adopting supplementary measures. The EDPB provides examples of what these supplementary measures could be.
- Step 5: Taking the procedural steps that follow from the supplementary measures you have identified.
- Step 6: Re-evaluating at appropriate intervals. This is an ongoing process and not a one-off exercise; the assessment needs to be reviewed on an ongoing basis.
The recommendation includes guidance for assessing the law and practice in the third country to which the personal data is transferred. The EDPB also separately published an updated version of the European Essential Guarantees for Surveillance Measures. These are aimed at examining whether surveillance measures allowing access to personal data by public authorities in a third jurisdiction are justifiable. The European Essential Guarantees can be used as part of the assessment of surveillance laws and practices for these purposes.
In addition, the recommendation provides examples of supplementary measures which broadly fall into three categories: (a) contractual measures; (b) technical measures; and (c) organisational measures.
European Commission’s new version of the SCCs
The European Commission published an updated draft of the SCCs in November 2020. These have not yet been finalised. The new version of the SCCs adopts a modular approach and will address a number of scenarios not currently covered such as processor-to-processor transfers and processor-to-controller transfers. They will also address controller-to-processor and controller-to-controller transfers.
The new version of the SCCs also seeks to address the impact of the Schrems II judgment and includes provisions for when public authorities request access. Finally, the new version of the SCCs also includes updates necessary for contracts with data processors as required under Article 28 GDPR.
The current draft anticipates a year’s transition period from final approval of the new SCCs. The expectation is that all previous data transfer agreements that incorporate the existing SCCs need to be replaced with the new version of the SCCs during that one year period.
The Brexit transition period ended on 31 December 2020 and, from 1 January 2021, the EU GDPR ceased to apply directly in the UK. The GDPR has been incorporated into UK domestic law as the “UK GDPR”.
The agreement reached between the UK and EU on 24 December 2020 allows for transfers of personal data from the EU to the UK to continue without additional measures such as the SCCs. This interim arrangement will continue for a period of up to six months whilst the European Commission considers whether to adopt an adequacy decision for the UK.
However, if the European Commission does not issue an adequacy decision in respect of the UK during this six-month period (and the period is not further extended), the UK will be regarded as a third jurisdiction for the purposes of the GDPR. This would mean appropriate safeguards would be required under the GDPR to transfer personal data from the EU to the UK. In practice, if the SCCs were used in those circumstances, this would also involve the assessment and potentially the supplementary measures described above.
For transfers from the UK to the EEA and jurisdictions which have previously received an adequacy decision from the European Commission, these transfers remain uninterrupted from a UK data protection perspective. This is because the UK has deemed the EEA member states, and jurisdictions subject to an adequacy decision from the European Commission, as adequate on a transitional basis.
In addition to data transfers, there are other data protection compliance steps which may be required in light of the end of the Brexit transition period. For example, if you are in the UK and are not established in the EU but are subject to the GDPR because you offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU, you may need to appoint a representative in the EU, and update your privacy notice to provide data subjects with the contact details of your EU representative. In addition, if you are in the EU and are not established in the UK, a similar requirement to appoint a UK representative under the UK GDPR could apply. There are also updates that may be required to your existing agreements, privacy notices and records of processing as a result of the end of the Brexit transition period.
In order to address these developments, it will be necessary to:
- Understand where your personal data is going and your data flows;
- Determine what data transfer tool(s) you are using under the GDPR and UK GDPR;
- If you are using the SCCs, carry out an assessment of the law and practice in the third jurisdiction to which the personal data is transferred;
- If as part of the assessment it is determined there is not an essentially equivalent level of protection in the recipient jurisdiction, put in place additional or supplementary measures, which can include technical measures as well as contractual measures;
- Longer term, update existing agreements with the new SCCs once these have been finalised. This includes updating both intra-group data transfer agreements and agreements with third parties; and
- In relation to the UK, prepare for the situation where the UK does not receive an adequacy decision from the EU and is treated as a third jurisdiction for the purposes of the GDPR transfer restrictions. This will be relevant both for intra-group data transfer agreements and for transfers to/from third parties. In addition to data transfers, there may be other steps needed in light of the end of the Brexit transition period, including representative requirements and updates to agreements, privacy notices and records of processing.