In an increasingly interconnected world, preserving the free
flow of data across borders is crucial to the prosperity of
businesses operating in every industry. But over the last year,
there have been a number of important data protection developments
in Europe that have a direct impact on the supply chain and
distribution arrangements operated by organizations. These
developments are restricting the ways in which businesses can share
personal data within their organizations and with counterparties
internationally. They include:
- Brexit – While the Brexit transition period ended as 2021 began, the continued free flow of personal data between the European Union (“EU”) and the United Kingdom (“UK”) was paramount to the survival of many businesses operating in Europe. The EU-UK Trade and Cooperation Agreement provided for a further transitional period of up to six months from January 1, 2021 (the “Additional Transition Period”). During this time, the UK is not a third country for the purposes of the European General Data Protection Regulation (“EU GDPR”). But the European Commission must pass a decision that the UK offers an adequate level of data protection before the end of this deadline if transfers of personal data are to continue between businesses operating in the EU and UK in the medium to long term without having to overcome additional restrictions.
- Schrems II – A significant Court of Justice of the European Union (“CJEU”) decision which, alongside subsequent European Data Protection Board (“EDPB”) guidance, has altered how international data transfers between businesses must be evaluated and undertaken (for a further analysis of the judgment see our Legal Update and further commentary).
- New standard contractual clauses for international data transfers (“New SCCs”) – Following Schrems II, the European Commission (“EC”) has published a draft of New SCCs (see our Legal Update), which will govern the sharing of personal data between businesses inside and outside of the EU.
We consider these developments below:
1. BREXIT
Following Brexit, data protection in England is governed by the
Data Protection Act 2018 (“DPA 2018”). Part 2 of the DPA 2018 contains the domestic general
processing regime and is also known as the “UK GDPR”. The
UK GDPR incorporates the European General Data Protection Regulation
(“EU GDPR”), as it stood immediately before 11:00 p.m. (GMT)
on December 31, 2020, into English law by virtue of the European
Union (Withdrawal) Act 2018 (as amended by the European Union
(Withdrawal Agreement) Act 2020).
Currently, the requirements under the UK GDPR are substantially
similar to those under the EU GDPR. However, it is worth noting that
the UK data protection regime is likely to diverge from the
EU’s over time, so supply chain and distribution agreements
should be reviewed regularly and amended as and when required.
1.1 Transfer of Personal Data from the UK to EEA Third Parties
Transfers from the UK to the European Economic Area
(“EEA”) are now considered a “restricted
transfer” under the UK GDPR, meaning that a transfer should
only be undertaken where there is an adequacy decision which
confirms the receiving country has an adequate data protection
regime or alternative appropriate safeguards are in place (such as
the new SCCs discussed below). However, the UK government has
applied a provisional adequacy decision (kept under review), which
means that no new arrangements are currently needed for transfers
from the UK to the EEA.
1.2 Transfer of Personal Data from the EEA to the UK
Under the EU-UK Trade and Cooperation Agreement (“EU-UK
TCA”), personal data can continue to be transferred from the
EEA to the UK freely, as if the UK were an EU Member State (and
therefore has an adequate data protection regime), for up to six
months from January 1, 2021.
The EC published a draft adequacy decision in February 2021 for
transfers of EEA-based personal data to the UK. The EC and UK
government are working to complete the adoption process for the
draft adequacy decision before the end of the six-month bridging
mechanism in place since January 1, 2021, under which EEA-based
personal data can flow freely to the UK as though the UK were still
an EU Member State. If the draft adequacy decision is adopted
before the end of the six-month bridging period, transfers of
personal data from the EEA to the UK will be able to continue
freely. However, if the EC’s draft adequacy decision is not
adopted by the end of the six-month bridging period and no
alternative bridging mechanism is put in place, EEA-based third
parties will be required to implement an appropriate transfer
mechanism under the EU GDPR for transfers of personal data to the
UK once the six-month bridging period ends.
1.3 Transfer of Personal Data between the UK and non-EEA Third Parties
Transfers from the UK to adequate non-EEA countries –
The UK has recognized the existing 12 EU adequacy decisions (which
apply to non-EEA countries). So long as this remains the
position, businesses can transfer personal data to non-EEA third
parties in these jurisdictions freely. The UK is preparing
to start its own adequacy assessments of non-EEA countries.
Transfers to the UK from adequate non-EEA countries –
Eleven of the 12 jurisdictions currently deemed adequate by the EU
(Andorra is pending) have confirmed they will allow uninterrupted
data transfers to the UK. So long as this remains the
position, non-EEA third parties in these jurisdictions can transfer
personal data to the UK freely.
Transfers to other non-EEA countries – If the non-EEA
country does not enjoy a UK-recognized adequacy decision, then it
will be necessary to ensure that the transferred data is adequately
protected using other means (e.g., SCCs or Article 49 UK GDPR
derogations will need to be in place), and an assessment of the
non-EEA legal framework will need to be undertaken.
EDPB guidance and CJEU decisions have cast doubt on the adequacy
of the legal frameworks in the United States, China and India due
to their national security laws, which, in some cases, allow
increased access to personal data for public authorities; transfers
of personal data to such countries therefore carry heightened
due-diligence requirements. Where that is the position,
businesses need to consider whether appropriate safeguards are in
place and the requisite assessments are carried out (see
below).
2. SCHREMS II AND EDPB GUIDANCE
Businesses that transfer personal data from the UK or the EU to
recipients in another jurisdiction may only do so under the UK or
EU GDPR if the recipient is located in a country which the UK
Secretary of State or the European Commission (as applicable) has
determined offers adequate data protection (see above), if
appropriate safeguards are in place under Article 46 of the UK or
EU GDPR, or where a derogation applies under Article 49 of the UK
or EU GDPR.
Following Schrems II, and subsequent EDPB
recommendations, businesses relying on SCCs, binding corporate
rules or other Article 46(2) GDPR “appropriate
safeguards” are now also required to conduct an additional
assessment of the local law in the jurisdiction to which they are
transferring the personal data. If businesses conclude that the
power granted to public authorities to access the transferred data
in any jurisdiction “goes beyond what is necessary and
proportionate in a democratic society,” then the personal data
transfer can only occur if the implementation of
“supplementary measures” (such as encrypting the
transferred data so that the receiving party cannot view it, which
may fundamentally affect the viability of the service) will prevent
the public authorities in those jurisdictions from having access to
personal data from Europe. For further information about how to
determine if supplementary measures are required for a particular
transfer and which measures are appropriate, see our Legal Update.
We have recently seen the first example of a supervisory
authority taking action against a business for non-compliance with
the Schrems II ruling. The Bavarian data protection authority has
ruled against a business for using an email platform service, which
is run by a US-based provider, to send marketing emails. The
transfer of data to the platform was based on the SCCs, but it was
found the company had not considered whether supplementary measures
were needed in addition to these. The company has now ceased using
the service and was not fined.
3. NEW STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL TRANSFERS
As discussed above, SCCs are likely to be used for many
international data transfers as a safeguard for transfers because
they set out clear and legislation-compliant obligations between
the two parties. The New SCCs are heavily influenced by Schrems II
and a number of suggestions from a range of recent EDPB
guidance/recommendations, such as that on the concepts of controller, joint
controller and processors (07/2020), supplementary measures for personal
data transfer tools (01/2020) and the European Essential Guarantees for
surveillance measures (02/2020).
Once the EC’s New SCCs are adopted, which is expected in
2021, the New SCCs will replace the current EU SCCs used by
businesses as a mechanism for internationally transferring
EEA-based personal data under the EU GDPR. The draft implementing
decision for the New SCCs would, if adopted in its current form,
require all arrangements incorporating the current SCCs to be
updated to cater for the New EU SCCs within a year of adoption.
The ICO has announced that it intends to consult on and publish
UK standard contractual clauses during 2021 (“UK SCCs”).
Such UK SCCs shall serve as a mechanism for transferring personal
data from the UK to non-adequate third countries. The UK SCCs are
likely to align somewhat with the New EU SCCs.
For further commentary on the New SCCs, see our Legal Update.
3.1 Onward Transfers of Personal Data
Any data processing agreements in place between businesses and
third parties must ensure that where third parties are transferring
personal data onwards to operations elsewhere they are doing so in
compliance with the UK GDPR and/or EU GDPR. They must also do so
only with the business’ consent (general or specific).
For example, the Spanish data protection authority recently
issued a €2 million fine to a business whose outsourced
service provider (of database operations) was using a sub-processor
in Peru without any contractual provisions being put in place to
ensure the transfer of personal data to Peru occurred in a manner
that complied with the European data protection requirements.
If a business transfers personal data to a third-party processor
using the SCCs, these clauses will include obligations that the
contract between the third party and sub-processor mirrors the
relevant rights and obligations set out in the supply
chain/distribution arrangement. Generally, businesses have relied
on third parties to supervise their sub-processors’ data
processing activities. However, EDPB guidance on supplemental
transfer tools and the New SCCs suggest that this may not be an
adequate arrangement, and data transfer agreements with processors
should include adequate protection for the supervision and
monitoring of onward transfers, such as regular review periods.
Businesses should ensure that personal data will be
adequately protected during the onward transfer to, and processing
by, the proposed sub-processor before they consent to the
supplier’s use of sub-processors. If sub-processors are in
place already, then businesses should map the relevant data flows
to ensure adequate protection of personal data is in
place.
(The author would like to thank Ellen Hepworth and Alistair Ho
for their assistance preparing this Legal Update.)
This article was originally published on AllAboutIP – Mayer
Brown’s blog on relevant developments in the fields of
intellectual property and unfair competition law.
© Copyright 2020. The Mayer Brown Practices. All rights
reserved.