New Trans-Atlantic Data Privacy Framework

The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.

The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led to the Privacy Shield framework being found by the European Court to be invalid. The proposed new Framework will include:
  • Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
  • Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
  • Specific monitoring and review mechanisms.
When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.
However, it may be some time before organisations can rely on the new Framework as it has to be approved by the European Commission. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020.
And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield) be open to legal challenge by privacy groups.
In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.

New UK International Data Transfer Agreement

Vlad Arutyunyan
Millie Pierce

On 2 February 2022 the UK Government’s Department for Culture, Media and Sport put before Parliament the International Data Transfer Agreement (IDTA), an addendum to the new EU standard contractual clauses (New EU SCCs) (Addendum) and various transitional provisions. The documents can be accessed here.

The IDTA has been created as the UK equivalent of the New EU SCCs for international data transfers. The EU Commission modernised the EU SCCs on 4 June 2021. The New EU SCCs can be used by parties to incorporate standardised clauses into their contracts; these clauses are organised into different sections, for instance for data controllers and for processors. The IDTA is a standalone agreement that will apply to all transfers of personal data outside of the UK regardless of whether a party is a data controller or a processor. Whilst there are a few exceptions, this includes data importers who are subject to the rules of the UK GDPR.

When the New EU SCCs were published on 4 June 2021, they didn’t apply in the UK due to Brexit. The IDTA and the Addendum have been created to replace the current SCCs used in the UK. The IDTA will take the binding effects of the European Court of Justice Schrems II[1] decision into account.

By addressing the necessary UK legal requirements, the Addendum will allow data exporters who continue to operate in both the EU and the UK to rely on the New EU SCCs without the need for an IDTA. The intention is to simplify the process for data exporters, and it will be supported by further guidance from the ICO on the risk protection steps that data exporters will need to take when transferring data.

The introduction of the IDTA and Addendum has been welcomed by the ICO, which has stated that “The IDTA and Addendum will also help to support the UK’s digital economy, by enabling the global flow of people’s personal data in order to deliver goods and services.”

The ICO will continue to develop the following guidance to provide help and support for businesses:

  • Clause by clause guidance to the IDTA and Addendum.
  • Guidance on how to use the IDTA.
  • Guidance on transfer risk assessments.
  • Further clarifications to the international transfers guidance.

The ICO have stated that the IDTA and the Addendum “are immediately of use to organisations transferring personal data outside of the UK”. The ICO hopes, subject to Parliamentary approval, that these changes will grant parties more confidence when entering into data transfer agreements. The ICO have confirmed that, if approved, the IDTA, Addendum and transitional provisions will come into force on 21 March 2022.

[1] Previously, EU to US transfers of data were permitted under the Privacy Shield Decision. This was ruled to be illegal, and stricter requirements for data transfers were expected based on the SCCs.

International data transfers – the perfect storm

Nigel Miller (partner)

The position on international data transfers remains highly complex as a result of the perfect storm of Brexit, the CJEU Schrems II decision in 2020, new EU Standard Contractual Clauses (SCCs) and a proposed new UK international data transfer agreement (IDTA).

So far as transfers from the UK are concerned, the ICO’s consultation on its draft IDTA and guidance, which is intended to replace Standard Contractual Clauses (SCCs) for transfers from the UK, closed on 11 October 2021. We expect to see the new IDTA coming on stream in 2022. The ICO has also proposed a practical solution that the EU SCCs could be used for transfers from the UK with a short Addendum.

There is likely to be a short grace period when we can continue to use the old SCCs for new agreements, and then a 24-month period in which all existing agreements will need to be upgraded to the new format.

In the meantime, so far as transfers from the UK to countries other than in the EU (or other countries with adequacy findings) are concerned, we can continue to use the old (but not the new) EU approved SCCs, although the ICO has issued an adapted version of the EU SCCs which can be used with updated post-Brexit references.

So far as transfers from the EEA are concerned, we must now use the new (but not the old) EU SCCs. Moreover, all existing agreements based on the old EU SCCs will need to be migrated to the new EU SCCs by the end of 2022.

So, at the moment, if you have transfers from both the UK and the EEA, then a different approach is needed for each.

But it is not enough simply to sign up the IDTA / SCCs. Following Schrems II, you also need to undertake a transfer risk assessment (TRA) and, as needed, implement supplemental measures.

In this respect, the ICO has provided a draft TRA Tool as a guide to the process. This can be a relatively complex exercise but the ICO TRA Tool provides practical support. As the ICO comments, “If you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of …UK GDPR”.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.


Do B2B companies not based in the EU need to comply with the GDPR?

Kolvin Stone (partner)

I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR.

The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful.

This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoint an EU representative (and comply with the GDPR more generally in the EU).

The point has been raised by the privacy activist organization founded by Max Schrems (NOYB – European Center for Digital Rights), which stated in its submission in December 2020 on the European Commission’s proposed new standard contractual clauses that further guidance is needed to clarify the scope of the requirement to appoint an EU representative.

What is the issue in a nutshell?

Article 3(2)(a) of the GDPR states controllers and processors not based in the EU are subject to the GDPR where they process personal data of individuals in the EU in the course of offering goods or services to those individuals.

So, a U.K.-based clothing retailer selling items to an individual in France needs to comply with the GDPR. Makes sense as the retailer could be collecting a fair amount of information about the individual, including name, address, payment information and possibly some profile data.

But what happens if the U.K.-based retailer is selling to a company and only collecting business contact details in that context? It is not offering goods to an individual but a company. Does that mean the GDPR does not apply?

Interpretation of Article 3(2)(a)

On a literal reading of Article 3(2)(a), the answer must be yes. The B2B retailer is not offering goods to an individual. The European Data Protection Board has published guidance to help clarify the scope of Article 3(2)(a), and all of the examples relate to business-to-consumer scenarios. Not helpful at all.

The EDPB could have taken the opportunity to make clear that Article 3(2)(a) also applies to B2B scenarios, and individuals should be read as individuals acting on behalf of companies. It did not do this, and I’m not sure why.

Is that an implicit recognition that Article 3(2)(a) may not apply to B2B scenarios? It would be somewhat of an anomaly that personal information collected in the context of B2B transaction is subject to the GDPR if you have an establishment in the EU but out of scope where you are not in the EU. And what about protecting the privacy rights of individuals at companies that are clearly entitled to protection?

Unfair advantage

It would create somewhat of an unfair advantage where you sell into the EU but are based outside of it. The GDPR and the extraterritoriality provisions were intended to level the playing field to ensure non-EU based technology businesses were also subject to the GDPR when active in the EU. Recognizing this, it is hard to justify an interpretation that excludes B2B transactions for non-EU based businesses.

There is no getting away from the fact that Article 3(2)(a) only refers to individuals and the EDPB guidance highlights B2C transactions.

While it seems odd to distinguish between B2B and B2C in this way, this distinction is well established (even if controversial) in the U.K., where B2B (e.g., corporate email accounts) communications are excluded from the scope of the Privacy and Electronic Communications Act 2002. Only B2C (e.g., private email accounts) communications require opt-in consent. There is, then, precedent for having different standards depending on whether the processing of personal data is in the context of B2B or B2C transactions.

Purposive and pragmatic interpretation

For my part, while Article 3(2)(a) is ambiguous, I’ve always worked on the basis that non-EU based organizations that engage solely in B2B activities are within the scope of the GDPR, although I have often had clients query this and highlight the fact that they are not selling to individuals.

With Brexit having occurred, clarity is important as U.K. businesses need to know as a matter of urgency the scope of their obligations as there is a real cost to having to appoint an EU representative.

The U.K. Information Commissioner’s Office has no clear official position on this issue and there are mixed messages on whether an EU representative is needed when the activities are pure B2B.

Scope for a UK approach

In September, the U.K. government published a consultation document on a new National Data Strategy with laudable goals to “build a world-leading data economy” with laws that are “not too burdensome” and “a data regime that is neither unnecessarily complex nor vague.”

In this context, is there scope for the U.K. to develop a different and more business-friendly interpretation of the GDPR? The U.K. courts and lawyers have historically taken a more literal approach to interpretation as compared to the EU courts and lawyers. Hence, my EU peers do not necessarily see the same issue with Article 3(2)(a). If the U.K. developed a more literal interpretation to Article 3(2)(a), that may reduce some regulatory friction to trade with the U.K. It would mean non-U.K.-based B2B businesses would not need to have a U.K. representative.

That, though, does not help the many U.K.-based businesses that are asking whether they now need to appoint an EU representative. Clarity from regulators would be extremely welcome.


Happy Data Privacy Day 2021!

Annually on 28 January, Data Privacy Day (or, if you prefer, Data Protection Day) is an “international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

We take the opportunity to highlight a number of key current issues with data protection.

  1. The EU / UK Trade Agreement: Three myths busted – Privacy and data protection
    Still reeling from the Brexit deal done on Christmas eve? The media (and social media in particular) are myth-ridden. Here, we consider and bust some myths related to privacy and data protection.
  2. Post-Brexit – data transfers
    As the UK and the EU reached a deal on Brexit, we provide a high level summary of the position on data transfers as from 1 January 2021.
  3. New – Standard Contractual Clauses
    Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the UK / EEA. We take a look at the proposed new SCCs and find some interesting developments.
  4. New guidance for international transfers post-Schrems II
    In July 2020, the European Court of Justice thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. We look at the European Data Protection Board guidance on handling cross-border data transfers post-Schrems.
  5. AI and data protection – uncomfortable bedfellows?
    Artificial intelligence (AI) has been around for a long time. However, it is only fairly recently that we have seen its use spread into our daily lives. With the gradual uptake of AI, one might wonder what the GDPR has to say on the matter. We look at some of the key data protection issues.
  6. ICO resumes investigation into Adtech
    On 22 January 2021 the ICO announced that it was resuming its investigation into the AdTech sector. The ICO’s initial views were that RTB is unlawful. It can be expected that the ICO will issue assessment notices to specific companies in the coming months. We look at the key issues.
  7. Lessons learned from BA, Marriott and Ticketmaster fines
    The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott) and Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep customers’ personal data secure. We look at lessons to be learned.
  8. Covid-19 and WFH – can you monitor your employees under GDPR?
    The pandemic has resulted in a seismic shift in the number of employees working from home. A question which often arises is: can employers use technology to monitor employees’ work patterns? We set out some of the key data protection considerations.
  9. Six data protection steps for returning to the workplace
    As lockdown restrictions may ease in the coming weeks / months, we look at the key steps organisations need to consider in relation to the use of personal information.
  10. Do you need to register under the Data Protection Act?
    One of the most-read items on our website! Maybe it’s because it could save you from a fine of up to £4,350. While that’s not in the same league as GDPR fines generally, it’s easily avoided by making sure your ICO registration is up to date.
