EU member states have agreed the two UK adequacy decisions, accepting that the UK's data protection laws provide sufficient protection for personal data flows from the EU to the UK.
The approval was reached by a committee of member state representatives. This approval should allow the European Commission to formally adopt the decisions.
Although no date has yet been announced, this is expected to be before the bridging mechanism expires at the end of this month.
The approval is based on the UK’s adoption of the GDPR. However, it is expected that this approval will be closely monitored to see whether the UK’s data protection laws diverge, over time, from EU law.
Transfers to third countries – standard contractual clauses
The European Commission has published its final implementing decision adopting new standard contractual clauses for the transfer of personal data to third countries (SCCs). The SCCs deal with three key issues:
- known deficiencies in the current standard contractual clauses (current SCCs); in particular, the SCCs now accommodate data transfers from processors to sub-processors and from EU-processors to controllers;
- they are consistent with GDPR (and not just the prior Data Protection Directive (Directive 95/46)); and
- they respond to the judgement in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II).
The SCCs can now be used (with effect from 27 June). However, data exporters and importers:
- can continue to use the current SCCs for new arrangements until 27 September (after that date, new arrangements must use the SCCs); and
- for existing arrangements, have until 27 December 2022 to replace the current SCCs with the SCCs.
The SCCs cover transfers from:
- Controller to another controller;
- Controller to processor;
- Processor to processor; and
- Processor to its appointing controller.
The SCCs can be used whenever the exporter is subject to GDPR, even where the exporter is not established in the EU.
The SCCs deal with Schrems II. Specifically, they include the following principles (retained from the current SCCs):
- the exporter being obliged to consider the level of protection for personal data in the third country;
- the importer being obliged to notify the exporter of any inability of the importer to comply with the SCCs; and
- (in the event of such non-compliance), an obligation on the exporter to terminate.
The SCCs cannot merely be adopted. It is necessary for the exporter to undertake impact assessments as to the protection for personal data offered in the third country. The exporter (and the importer) must consider (as part of the impact assessment) the law and practice of the third country as well as a number of other factors (including the length of the processing chain and number of parties involved, purpose of the processing and storage location of the data).
In addition, the SCCs impose obligations on the importer relating to attempts by public authorities in the third country to access personal data. These include:
- a requirement (where possible) to notify the exporter and data subjects of a request for access by a public authority;
- an assessment of the legality of such request (and an obligation to challenge if appropriate); and
- a limitation as to the amount of data disclosed.
Given that the SCCs cater for a number of additional arrangements, they look different to the current SCCs. They are modular in form: general provisions apply to every transfer, followed by specific provisions applicable to the type of transfer involved (e.g. controller to controller versus processor to processor).
Transfers to third countries – compliance
In parallel to the SCCs, the European Data Protection Board (EDPB) has adopted the final version of its Recommendations on measures to ensure compliance with EU data protection laws. These were first adopted in November 2020, following the ECJ's ruling in Schrems II and now take account of consultation feedback. The recommendations aim to assist exporters with assessing whether third countries offer sufficient protection.
In summary, the key considerations are:
- know your transfer: requirement to map the transfers including as to the adequacy and relevance of the data as well as to the number of parties involved/third country;
- verification of the transfer tool: specifically, on what basis under GDPR is the data being exported (e.g. Article 46);
- assessment as to law and practice: requirement to assess the law of the third country and examine the practices of public authorities in the third country (whilst legislation may meet the requirements of Article 46, the practices of public authorities (including compliance with laws) must also be taken into account);
- identification of supplementary measures: if the assessment reveals the laws or practices of the third country impinge on the effectiveness of Article 46, what additional protections (if any) should apply;
- formal procedural steps: take any additional procedural steps (e.g. consulting with a supervisory authority); and
- re-evaluate: re-evaluation of the protection afforded at regular intervals.