Commercial Technology and Data Lawyer and Arbor co-founder Ed Rea summarises recent developments, trends and hot topics in Data Privacy Law in the following Data Privacy law roundup.
European Commission adopts new set of Standard Contractual Clauses for international data transfers
On June 4 2021, the European Commission adopted a new set of Standard Contractual Clauses for international data transfers (“SCCs”). The new SCCs take into account the European Court of Justice’s (“ECJs”) decision in Schrems II which held the previous Privacy Shield arrangements which were relied upon to validate transfers of personal data to third countries in certain circumstances were invalid. The purpose of the new SCCs is to help companies legalise transfers of personal data outside of the EEA. They will also be a lawful mechanism for UK companies to use as well.
Unlike the previous SCCs which addressed only two transfer scenarios (i.e., controller to controller, and controller to processor), the new SCCs address four data transfer scenarios: (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller.
The parties must be able to demonstrate compliance with the new SCCs and in particular, the data importer must (i) keep appropriate documentation with regards to its processing activities which should be disclosed to the competent supervisory authority on request, and (ii) inform the data exporter promptly if it is unable to comply with the new SCCs. In the event that the data importer is in breach of the new SCCs or is unable to comply with them, the data exporter is obliged to suspend the transfer or termination the contract. The data exporter is also obliged to warrant that they have no reason to believe that the laws and practices in the third country prevent the data importer from fulfilling its obligations under the SCCs and that it has used reasonable efforts to determine the data importer is able to comply with the new SCCs.
Exporters and importers have 3 months from the date of publication to switch to the new SCCs for new transfers, or 18 months to switch to the new SCCs for existing transfer contracts. It should be noted that the new SCCs will only apply in relation to the transfer of personal data from the EEA and not from the UK. The UK will continue to rely on its old SCCs until it issues its SCCs which it is expected to do in late 2021. In the meantime, the ICO has recently announced that UK companies will be able to give feedback on draft UK standard SCCs for international data transfers in July 2021.
The new SCCs are available for download at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
EU/UK data flows approved
On 16 June, EU governments signed off declarations that the UK’s data protection rules offer ‘adequate’ protection for EU citizens’ personal data that is sent from the 27-member EU to the UK.
With the UK having left the EU, the European Commission is required to assess whether UK data protection laws provide protection law for EU citizens’ data that is as ‘adequate’ under the General Data Protection Regulation (EU GDPR).
The EU had originally given the UK a six-month grace period during which it carried out an assessment.
The latest approval paves the way for a formal adequacy decision soon and will give business more certainty over EU personal data flows to the UK following the UKs departure from the EU.
Locatefamily.com fined €525,000 for failure to appoint data protection representative
Locatefamily.com, a website which helps people find family members, was recently fined €525,000 by the Netherlands supervisory authority (the Autoriteit Persoonsgegevens or “AP”) for failure to appoint a Data Protection Representative (“DPR”), an obligation set out in Article 27 of the EU GDPR. The AP also imposed an order requiring Locatefamily.com to appoint a DPR or face an additional penalty of €20,000 for every 2 weeks of default subject to a maximum of €120,000. LocateFamily.com and its parent company were not located in the EU and have no business relationships in the EU. However, it was found that 700,000 people in the Netherlands were displayed on the Locatefamily.com site, many of which were displayed without their knowledge or consent. This decision is a timely reminder that organisations outside the EEA or the UK which process personal data of individuals within the EEA and the UK should check to see whether they need to appoint a DPR in the EEA/UK. This could occur in circumstances where, for example, where a US entity provides software services to EEA customers.
Ed Rea is a Commercial Technology and Data lawyer and co-founder of Arbor Law. Ed can be contacted at ed.rea@arbor.law