What’s New in the World of Data Protection?

on Thursday, 08 July 2021.

It has been an exciting few weeks in the world of data protection, with a plethora of news, recommendations and commentary to keep us busy. The highlight is that personal data can continue to flow freely from the EU to the UK.

In other news, the EU has finalised standard contractual clauses for sending personal data outside of the European Economic Area (EEA) and finalised model contractual clauses for use between controllers and processors.

Adequacy Decision for the UK

Some good news to start with is that the European Commission has granted the UK an adequacy decision under the GDPR. The practical effect of this is that personal data can flow freely from the EEA (EU, Norway, Iceland and Liechtenstein) to the UK.

If the UK had not received an adequacy decision, then data exporters in the EEA would have to put a safeguard in place to protect the personal data being sent to the UK. The decision will therefore be a relief for any business that routinely receives personal data from Europe (eg one that uses cloud storage with servers in Ireland).

Interestingly, the decision includes a 'sunset clause', which limits the duration of adequacy to four years. The European Commission will monitor relevant legal developments in the UK to check whether our laws still provide essentially equivalent protection to personal data as the GDPR. This should provide some welcome continuity for businesses after a few years of relatively frequent changes.

Quick Brexit Recap

Before we delve into more EU-focused news, it's worth reminding ourselves how Brexit affected data protection law. At the end of 2020, the GDPR became the UK GDPR so that it works in a UK-only context. Most businesses in the UK are predominantly caught by the UK GDPR rather than the EU GDPR. That being said, some businesses in the UK will be caught by the EU GDPR in certain circumstances. For example, if a business targets goods or services at people in the EEA, it might have to comply with the EU GDPR in respect of those activities.

The European judgment often simply known as 'Schrems II' is still part of UK law because it was decided before the end of 2020. As readers may recall, the European Court held that even when a safeguard is used to protect personal data being transferred outside of the EEA, in some circumstances supplementary measures are required to ensure that the safeguard remains effective. One such safeguard is the Standard Contractual Clauses (SCCs).

Replacement EU Standard Contractual Clauses Published in Final Form

On 4 June 2021, the European Commission published the final version of the new SCCs for international data transfers. These new clauses count as one of the safeguards under the EU GDPR to compliantly send personal data to countries without an adequacy decision.

If your business is subject to the EU GDPR, the new SCCs can be used now. You can continue to use the old SCCs for new transfers until 27 September 2021. The use of the old SCCs can continue until 27 December 2022 provided that:

  • the processing operations that are the subject matter of the contract do not change
  • reliance on the old SCCs ensures that the personal data is subject to appropriate safeguards

At the moment the new clauses can only be used under the EU GDPR and businesses subject to the UK GDPR have to use the old versions instead. However, the ICO has indicated that the UK is considering whether to recognise the new EU SCCs in due course. This would be welcome news to businesses subject to both the UK and EU GDPRs.

The ICO will be publishing UK specific SCCs for public consultation later this summer.

Recommendations on Supplemental Transfer Tools for International Transfers

As we mentioned above, the Schrems II decision means that when the SCCs, or another safeguard such as Binding Corporate Rules (BCRs), are used, supplementary measures are sometimes needed to make sure that the safeguard remains effective. This is particularly the case when transferring to a country, such as the USA, where the public authorities have sweeping powers to access data.

The European Data Protection Board (EDPB) has now released its updated guidelines on these supplementary measures for international transfers. The EDPB recommendations have departed only slightly from the approach mapped out in the draft version that was produced last year, outlining the six-step process for ensuring compliant international data transfers. The EDPB has produced a useful infographic outlining the relevant steps.

In summary, the guidelines state that if you are relying on a safeguard (eg the SCCs) then you must consider whether the laws and practices in the receiving country compromise the protection provided by the safeguard. Reassuringly, this assessment is limited to the legislation and practices relevant to the protection of the specific personal data you are transferring. If the safeguard is compromised then you must consider what supplementary measures would fill the gaps in the protection. These measures can be technical (eg encryption), organisational or contractual.

The guidelines set a high bar for compliance but it is important to note that they are not directly applicable to transfers from the UK, and the ICO will release its own guidance in due course (possibly as early as later this month). However, in the meantime, your business may find the guidelines helpful in deciding what measures to put in place to comply with the Schrems II judgment.

Controller Processor Clauses

The EU has also finalised its model clauses to be used in contracts between controllers and processors. By way of a reminder, a processor processes personal data on behalf of another organisation (the controller). The contract between the two must contain certain provisions for compliance with data protection law.

The clauses are designed to be used in the EU, but could be amended to work in a UK context. Unlike the SCCs, organisations are permitted to amend these model clauses. Do bear in mind, though, that the clauses go above and beyond what is legally required in some areas and, broadly speaking, favour the controller over the processor. One reason why the clauses benefit the controller is that there is no mechanism which allows the processor to charge the controller for their assistance, for example, with audits and the controller's compliance (eg data protection impact assessments).

If you would like any advice on transferring personal data outside of the UK, or regarding your controller processor agreements, please contact Claire Hall in our Data Protection team on 07467 148750.