In other news, the EU has finalised standard contractual clauses for sending personal data outside of the European Economic Area (EEA) and finalised model contractual clauses for use between controllers and processors.
Some good news to start with is that the European Commission has granted the UK an adequacy decision under the GDPR. The practical effect of this is that personal data can flow freely from the EEA (EU, Norway, Iceland and Liechtenstein) to the UK.
If the UK had not received an adequacy decision, data exporters in the EEA would have had to put a safeguard in place to protect personal data sent to the UK. The decision will therefore be a relief for any business that routinely receives personal data from Europe (eg one that uses cloud storage with servers in Ireland).
Interestingly, the decision includes a 'sunset clause', which limits the duration of adequacy to four years. During that period the European Commission will monitor relevant legal developments in the UK to check whether UK law still provides protection for personal data that is essentially equivalent to that of the GDPR. Even so, the decision should provide some welcome continuity for businesses after a few years of relatively frequent changes.
Before we delve into more EU-focused news, it's worth reminding ourselves how Brexit affected data protection law. At the end of 2020, the GDPR was incorporated into UK law as the UK GDPR so that it works in a UK-only context. Most businesses in the UK are predominantly caught by the UK GDPR rather than the EU GDPR. That being said, some businesses in the UK will be caught by the EU GDPR in certain circumstances. For example, if a business targets goods or services at people in the EEA, it may have to comply with the EU GDPR in respect of those activities.
The European judgment often simply known as 'Schrems II' is still part of UK law because it was decided before the end of 2020. As readers may recall, the Court of Justice of the EU held that even when a safeguard is used to protect personal data being transferred outside of the EEA, in some circumstances supplementary measures are required to ensure that the safeguard remains effective. One such safeguard is the Standard Contractual Clauses (SCCs).
On 4 June 2021, the European Commission published the final version of the new SCCs for international data transfers. These new clauses count as one of the appropriate safeguards under the EU GDPR for compliantly sending personal data to countries without an adequacy decision.
If your business is subject to the EU GDPR, the new SCCs can be used now. You can continue to use the old SCCs for new transfers until 27 September 2021. The use of the old SCCs can continue until 27 December 2022 provided that:
At the moment the new clauses can only be used under the EU GDPR, and businesses subject to the UK GDPR must continue to use the old versions instead. However, the ICO has indicated that the UK is considering whether to recognise the new EU SCCs in due course. This would be welcome news for businesses subject to both the UK and EU GDPRs.
The ICO will be publishing UK specific SCCs for public consultation later this summer.
As we mentioned above, the Schrems II decision means that when the SCCs, or another safeguard such as Binding Corporate Rules (BCRs), are used, supplementary measures are sometimes needed to make sure that the safeguard remains effective. This is particularly the case when transferring to a country, such as the USA, where the public authorities have sweeping powers to access data.
The European Data Protection Board (EDPB) has now released its final recommendations on these supplementary measures for international transfers. The recommendations depart only slightly from the approach mapped out in the draft version produced last year, and set out a six-step process for ensuring compliant international data transfers. The EDPB has also produced a useful infographic outlining the relevant steps.
In summary, the recommendations state that if you are relying on a safeguard (eg the SCCs) then you must assess whether the laws and practices in the receiving country undermine the protection provided by that safeguard. Reassuringly, this assessment is limited to the legislation and practices relevant to the protection of the specific personal data you are transferring. If the safeguard is undermined then you must consider what supplementary measures would fill the gaps in the protection. These measures can be technical (eg encryption), organisational or contractual.
The recommendations set a high bar for compliance, but it is important to note that they are not directly applicable to transfers from the UK, and the ICO will release its own guidance in due course (possibly as early as this month). In the meantime, your business may find the recommendations helpful in deciding what measures to put in place to comply with the Schrems II judgment.
The EU has also finalised its model clauses for use in contracts between controllers and processors. By way of a reminder, a processor processes personal data on behalf of another organisation (the controller), and the contract between the two must contain certain provisions in order to comply with data protection law.
The clauses are designed to be used in the EU, but could be amended to work in a UK context. Unlike the SCCs, these model clauses are not mandatory and organisations are permitted to adapt them. Do bear in mind, though, that the clauses go above and beyond what is legally required in some areas and, broadly speaking, favour the controller over the processor. One reason why the clauses benefit the controller is that there is no mechanism allowing the processor to charge the controller for its assistance, for example with audits and with the controller's own compliance obligations (eg data protection impact assessments).