In an increasingly interconnected world, preserving the free flow of data across borders is crucial to the prosperity of businesses operating in every industry. But over the last year, there have been a number of important data protection developments in Europe that have a direct impact on the supply chain and distribution arrangements operated by organizations. These developments are restricting the ways in which businesses can share personal data within their organizations and with counterparties internationally. They include:
- Brexit – While the Brexit transition period ended as 2021 began, the continued free flow of personal data between the European Union ("EU") and the United Kingdom ("UK") was paramount to the survival of many businesses operating in Europe. The EU-UK Trade and Cooperation Agreement provided for a further transitional period of up to six months from January 1, 2021 (the "Additional Transition Period"). During this time, the UK is not a third country for the purposes of the European General Data Protection Regulation ("EU GDPR"). But the European Commission must pass a decision that the UK offers an adequate level of data protection before the end of this deadline if transfers of personal data are to continue between businesses operating in the EU and UK in the medium to long term without having to overcome additional restrictions.
- Schrems II – A significant Court of Justice of the European Union ("CJEU") decision which, alongside subsequent European Data Protection Board ("EDPB") guidance, has altered how international data transfers between businesses must be evaluated and undertaken (for a further analysis of the judgment see our Legal Update and further commentary).
- New standard contractual clauses for international data transfers ("New SCCs") – Following Schrems II, the European Commission ("EC") has published a draft of New SCCs (see our Legal Update), which will govern the sharing of personal data between businesses inside and outside of the EU.
We consider these developments below:
1. BREXIT
Following Brexit, data protection in England is governed by the Data Protection Act 2018 ("DPA 2018"). Part 2 of the DPA 2018 contains the domestic general processing regime and is also known as the "UK GDPR". The UK GDPR incorporates the EU GDPR, as it stood immediately before 11:00 p.m. (GMT) on December 31, 2020, into English law by virtue of the European Union (Withdrawal) Act 2018 (as amended by the European Union (Withdrawal Agreement) Act 2020).
Currently, the requirements under the UK GDPR are substantially similar to those under the EU GDPR. However, it is worth noting that the UK data protection regime is likely to diverge from the EU's over time; amendments to supply chain and distribution agreements may therefore be required from time to time, and such agreements should be regularly reviewed.
1.1 Transfer of personal data from the UK to EEA third parties
Transfers from the UK to the European Economic Area ("EEA") are now considered a "restricted transfer" under the UK GDPR, meaning that a transfer should only be undertaken where there is an adequacy decision confirming that the receiving country has an adequate data protection regime, or where alternative appropriate safeguards are in place (such as the New SCCs discussed below). However, the UK government has applied a provisional adequacy decision (kept under review), which means that no new arrangements are currently needed for transfers from the UK to the EEA.
1.2 Transfer of personal data from the EEA to UK
Under the EU-UK Trade and Cooperation Agreement ("EU-UK TCA"), personal data can continue to be transferred from the EEA to the UK freely, as if the UK were an EU Member State (and therefore has an adequate data protection regime), for up to six months from January 1, 2021.
The EC published a draft adequacy decision in February 2021 for transfers of EEA-based personal data to the UK. The EC and UK government are working to complete the draft adequacy decision adoption process before the end of the six-month bridging mechanism currently in place since January 1, 2021, under which EEA-based personal data can flow freely to the UK as though the UK was still an EU Member State. If the draft adequacy decision is adopted before the end of the six-month bridging period, transfers of personal data from the EEA to the UK will be able to continue freely. However, if the EC's draft adequacy decision is not adopted by the end of the six-month bridging period and no alternative bridging mechanism is put in place, EEA-based third parties will be required to implement an appropriate transfer mechanism under the EU GDPR for transfers of personal data to the UK once the six-month bridging period ends.
1.3 Transfer of personal data between the UK and non-EEA third parties
Transfers from the UK to adequate non-EEA countries – The UK has recognized the existing 12 EU adequacy decisions (which apply to non-EEA countries). So long as this remains the position, businesses can transfer personal data to non-EEA third parties in these jurisdictions freely. The UK is preparing to start its own adequacy assessments of non-EEA countries.
Transfers to the UK from adequate non-EEA countries – Eleven of the 12 jurisdictions currently deemed adequate by the EU (Andorra is pending) have confirmed they will allow uninterrupted data transfers to the UK. So long as this remains the position, non-EEA third parties in these jurisdictions can transfer personal data to the UK freely.
Transfers to other non-EEA countries – If the non-EEA country does not enjoy a UK-recognized adequacy decision, then it will be necessary to ensure that the transferred data is adequately protected using other means (e.g., SCCs or Article 49 UK GDPR derogations will need to be in place), and an assessment of the non-EEA legal framework will need to be undertaken.
EDPB guidance and CJEU decisions have cast doubt on the adequacy of the legal frameworks in the United States, China and India due to their national security laws, which, in some cases, allow public authorities increased access to personal data. Transfers of personal data to such countries therefore carry heightened due-diligence requirements. If this is the position, businesses need to consider whether appropriate safeguards are in place and the requisite assessments are carried out (see below).
2. SCHREMS II AND EDPB GUIDANCE
Businesses that transfer personal data from the UK or the EU to recipients in another jurisdiction may only do so under the UK or EU GDPR if the recipient is located in a country which the UK Secretary of State or the European Commission (as applicable) has determined offers adequate data protection (see above), if appropriate safeguards are in place under Article 46 of the UK or EU GDPR, or where a derogation applies under Article 49 of the UK or EU GDPR.
Following Schrems II, and subsequent EDPB recommendations, businesses relying on SCCs, binding corporate rules or other Article 46(2) GDPR "appropriate safeguards" are now also required to conduct an additional assessment of the local law in the jurisdiction to which they are transferring the personal data. If businesses conclude that the power granted to public authorities to access the transferred data in any jurisdiction "goes beyond what is necessary and proportionate in a democratic society," then the personal data transfer can only occur if the implementation of "supplementary measures" (such as encrypting the transferred data so that the receiving party cannot view it, which may fundamentally affect the viability of the service) will prevent the public authorities in those jurisdictions from having access to personal data from Europe. For further information about how to determine if supplementary measures are required for a particular transfer and which measures are appropriate, see our Legal Update.
We have recently seen the first example of a supervisory authority taking action against a business for non-compliance with the Schrems II ruling. The Bavarian data protection authority has ruled against a business for using an email platform service, which is run by a US-based provider, to send marketing emails. The transfer of data to the platform was based on the SCCs, but it was found the company had not considered whether supplementary measures were needed in addition to these. The company has now ceased using the service and was not fined.
3. NEW STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL TRANSFERS
As discussed above, SCCs are likely to be used for many international data transfers as a safeguard for transfers because they set out clear and legislation-compliant obligations between the two parties. The New SCCs are heavily influenced by Schrems II and a number of suggestions from a range of recent EDPB guidance/recommendations, such as that on the concepts of controller, joint controller and processors (07/2020), supplementary measures for personal data transfer tools (01/2020) and the European Essential Guarantees for surveillance measures (02/2020).
Once the EC's New SCCs are adopted, which is expected in 2021, the New SCCs will replace the current EU SCCs used by businesses as a mechanism for internationally transferring EEA-based personal data under the EU GDPR. The draft implementing decision for the New SCCs would, if adopted in its current form, require all arrangements incorporating the current SCCs to be updated to cater for the New EU SCCs within a year of adoption.
The ICO has announced that it intends to consult on and publish UK standard contractual clauses during 2021 ("UK SCCs"). Such UK SCCs shall serve as a mechanism for transferring personal data from the UK to non-adequate third countries. The UK SCCs are likely to align somewhat with the New EU SCCs.
For further commentary on the New SCCs, see our Legal Update.
3.1 Onward transfers of personal data
Any data processing agreements in place between businesses and third parties must ensure that, where third parties are transferring personal data onwards to operations elsewhere, they are doing so in compliance with the UK GDPR and/or EU GDPR. They must also do so only with the business's consent (general or specific).
For example, the Spanish data protection authority recently issued a €2 million fine to a business whose outsourced service provider (of database operations) was using a sub-processor in Peru without any contractual provisions being put in place to ensure that the transfer of personal data to Peru occurred in a manner that complied with European data protection requirements.
If a business transfers personal data to a third-party processor using the SCCs, these clauses will include obligations that the contract between the third party and sub-processor mirrors the relevant rights and obligations set out in the supply chain/distribution arrangement. Generally, businesses have relied on third parties to supervise their sub-processors' data processing activities. However, EDPB guidance on supplemental transfer tools and the New SCCs suggest that this may not be an adequate arrangement, and data transfer agreements with processors should include adequate protection for the supervision and monitoring of onward transfers, such as regular review periods.
Businesses should ensure that personal data will be adequately protected during the onward transfer to, and processing by, the proposed sub-processor before they consent to the supplier's use of sub-processors. If sub-processors are in place already, then businesses should map the relevant data flows to ensure adequate protection of personal data is in place.
(The author would like to thank Ellen Hepworth and Alistair Ho for their assistance preparing this Legal Update.)