Many organisations haven’t taken steps to review their data protection compliance since the GDPR came into force in 2018, but there have been a number of significant changes to the regulatory landscape since then.
Data protection continues to be a major compliance issue, both in terms of risk (with potential fines of up to €20 million or 4% of global turnover) and of day-to-day practicalities. And when it comes to corporate transactions, data protection compliance is often a key issue – and a stumbling block.
Below is a brief summary of some of the key developments to be aware of.
New rules on international data transfers
In July 2020 the Court of Justice of the European Union (CJEU) declared that the EU-US Privacy Shield was invalid (in the Schrems II decision), so organisations could no longer rely on the Privacy Shield to validate transfers of personal data from the EU to the US. The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries, and that supplementary measures to protect the rights of the data subjects concerned might be required.
In November 2020 the European Data Protection Board published draft recommendations on the measures that should be taken to ensure compliance with the EU level of protection of personal data, setting out a six-step process to help identify whether the SCCs will be sufficient and what supplementary measures might be needed.
In practice this means that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment, considering the circumstances of the transfer and whether any additional measures are necessary.
UK/EU adequacy decision
On 28 June 2021 the European Commission adopted an “adequacy decision” confirming that personal data can continue to flow freely between the UK and the EU after Brexit. This will be a great relief to companies whose operations span the UK and the EU, as the alternative would have required extensive changes to privacy documentation.
Requirement to appoint an EU representative
The GDPR has an “extra-territorial effect”, i.e. it applies to organisations outside the EU where they carry out business in the EU. With a few exceptions, the GDPR requires such businesses to appoint, in writing, a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
Following Brexit, UK businesses which carry on business in the EU have to appoint a representative in the EU, and EU businesses which carry on business in the UK have to appoint a representative in the UK for data protection purposes.
This may seem like an administrative nicety, but remember the potential costs of breaching the GDPR: for example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 in June for failing to appoint an EU representative.
New EU Standard Contractual Clauses
Last month the European Commission published new standard contractual clauses (the New Clauses), revising and addressing many of the deficiencies of the old SCCs.
Businesses which operate in the EU and rely on the SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by 27 December 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from 27 September 2021.
Whilst the New Clauses are not currently valid under UK law and cannot be used by UK businesses to legitimise the transfer of personal data out of the UK, UK businesses dealing with EU customers and suppliers are likely to be presented with the New Clauses by their counterparties and therefore need to be aware of the change.
The UK ICO is developing its own standard contractual clauses which it intends to circulate for comment this summer.
Read our blog New rules for international data transfers for more information.
New EU processor clauses
The EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR; whilst not mandatory, you may find them useful.
If you need advice on any aspect of data protection including, for example, transitioning to the new SCCs, international data transfers, intra-group data sharing agreements or a full audit, please do get in touch.