Do B2B companies not based in the EU need to comply with the GDPR?

Kolvin Stone
Kolvin Stone (partner)

I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR.

The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful.

This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoint an EU representative (and comply with the GDPR more generally in the EU).

The point has been raised by the privacy activist organization founded by Max Schrems (NOYB – European Center for Digital Rights), which stated in its submission in December 2020 on the European Commission’s proposed new standard contractual clauses that further guidance is needed to clarify the scope of the requirement to appoint an EU representative.

What is the issue in a nutshell?

Article 3(2)(a) of the GDPR states controllers and processors not based in the EU are subject to the GDPR where they process personal data of individuals in the EU in the course of offering goods or services to those individuals.

So, a U.K.-based clothing retailer selling items to an individual in France needs to comply with the GDPR. Makes sense as the retailer could be collecting a fair amount of information about the individual, including name, address, payment information and possibly some profile data.

But what happens if the U.K.-based retailer is selling to a company and only collecting business contact details in that context? It is not offering goods to an individual but a company. Does that mean the GDPR does not apply?

Interpretation of Article 3(2)(a)

On a literal reading of Article 3(2)(a), the answer must be yes. The B2B retailer is not offering goods to an individual.  The European Data Protection Board has published guidance to help clarify the scope of Article 3(2)(a) and all of the examples relate to business to consumer scenarios. Not helpful at all.

The EDPB could have taken the opportunity to make clear that Article 3(2)(a) also applies to B2B scenarios, and individuals should be read as individuals acting on behalf of companies. It did not do this, and I’m not sure why.

Is that an implicit recognition that Article 3(2)(a) may not apply to B2B scenarios? It would be somewhat of an anomaly that personal information collected in the context of B2B transaction is subject to the GDPR if you have an establishment in the EU but out of scope where you are not in the EU. And what about protecting the privacy rights of individuals at companies that are clearly entitled to protection?

Unfair advantage

It would create somewhat of an unfair advantage where you sell into the EU but are based outside of it. The GDPR and the extraterritoriality provisions were intended to level the playing field to ensure non-EU based technology businesses were also subject to the GDPR when active in the EU. Recognizing this, it is hard to justify an interpretation that excludes B2B transactions for non-EU based businesses.

There is no getting away from the fact that Article 3(2)(a) only refers to individuals and the EDPB guidance highlights B2C transactions.

While it seems odd to distinguish between B2B and B2C in this way, this distinction is well established (even if controversial) in the U.K. where B2B (e.g., corporate email accounts) communications are excluded from the scope of Privacy and Electronic Communications Act 2002. Only B2C (e.g., private email accounts) communications require opt-in consent. There are then forms for having different standards depending on whether the processing of personal data is in the context of B2B or B2C transactions.

Purposive and pragmatic interpretation

For my part, while Article 3(2)(a) is ambiguous, I’ve always worked on the basis that non-EU based organizations that engage solely in B2B activities are within the scope of the GDPR, although I have often had clients query this and highlight the fact that they are not selling to individuals.

With Brexit having occurred, clarity is important as U.K. businesses need to know as a matter of urgency the scope of their obligations as there is a real cost to having to appoint an EU representative.

The U.K. Information Commissioner’s Office has no clear official position on this issue and there are mixed messages on whether an EU representative is needed when the activities are pure B2B.

Scope for a UK approach

In September, the U.K. government published a consultation document on a new National Data Strategy with laudable goals to “build a world-leading data economy” with laws that are “not too burdensome” and “a data regime that is neither unnecessarily complex nor vague.”

In this context, is there scope for the U.K. to develop a different and more business-friendly interpretation of the GDPR? The U.K. courts and lawyers have historically taken a more literal approach to interpretation as compared to the EU courts and lawyers. Hence, my EU peers do not necessarily see the same issue with Article 3(2)(a). If the U.K. developed a more literal interpretation to Article 3(2)(a), that may reduce some regulatory friction to trade with the U.K. It would mean non-U.K.-based B2B businesses would not need to have a U.K. representative.

That, though, does not help the many U.K.-based businesses that are asking whether they now need to appoint an EU representative. Clarity from regulators would be extremely welcome.

 

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Happy Data Privacy Day 2021!

Annually on 28 January, Data Privacy Day (or, if you prefer, Data Protection Day) is an “international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

We take the opportunity to highlight a number of key current issues with data protection.

  1. The EU / UK Trade Agreement: Three myths busted – Privacy and data protection
    Still reeling from the Brexit deal done on Christmas eve? The media (and social media in particular) are myth-ridden. Here, we consider and bust some myths related to privacy and data protection.
  2. Post-Brexit – data transfers
    As the UK and the EU reached a deal on Brexit, we provide a high level summary of the position on data transfers as from 1 January 2021.
  3. New – Standard Contractual Clauses
    Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the UK / EEA. We take a look at the proposed new SCCs and find some interesting developments.
  4. New guidance for international transfers post-Schrems II
    In July 2020, the European Court of Justice  thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. We look at the European Data Protection Board guidance on handling cross-border data transfers post-Schrems.
  5. AI and data protection – uncomfortable bedfellows? 
    Artificial intelligence (AI) has been around for a long time. However, it is only fairly recently that we have seen its use spread into our daily lives. With the gradual uptake of AI, one might wonder what the GDPR has to say on the matter. We look at some of the key data protection issues.
  6. ICO resumes investigation into Adtech 
    On 22 January 2021 the ICO announced that it was resuming its investigation into the AdTech sector. The ICO’s initial views were that RTB is unlawful. It can be expected that the ICO will issue assessment notices to specific companies in the coming months.  We look at the key issues.
  7. Lessons learned from BA, Marriott and Ticketmaster fines
    The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep customers’ personal data secure.  We look at lessons to be learned.
  8. Covid-19 and WFH – can you monitor your employees under GDPR?
    The pandemic has resulted in a seismic shift in the number of employees working from home. A question which often arises is: can employers use technology to monitor employees work patterns? We set out some of the key data protection considerations.
  9. Six data protection steps for returning to the workplace
    As lockdown restrictions may ease in the coming weeks / months, we look at the key steps organisations need to consider in relation to the use of personal information.
  10. Do you need to register under the Data Protection Act?
    One of the most-read items on our website! Maybe it’s because it could save you from a fine up to £4,350.  While that’s not in the same league as GDPR fines generally, it’s easily avoided by making sure your ICO registration is up to date.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Post-Brexit – data transfers

Nigel Miller (partner)

As the UK and the EU have now reached a deal on Brexit, what’s the position on data transfers as from 1 January 2021?

Here’s a high-level summary:

Transfers from UK to EEA – these will be subject to UK GDPR. The UK government has confirmed that such transfers are not restricted and so can continue as before without the need for any transfer tool to be put in place.

Transfers from UK to third countries outside the EEA – the position remains similar to the current GDPR rules. Although the UK will in due course make its own adequacy decisions, for the time being existing EU adequacy decisions and the EU approved standard contractual clauses will continue to be recognised.

Transfers from EEA to UK from 1 January 2021 the UK is a “third country” so far as EU GDPR is concerned; therefore, transfers from EEA to UK will be restricted transfers. The UK was seeking an “adequacy decision” from the European Commission as part of the Brexit deal to permit such transfers to continue without the need for a transfer tool to be put in place. A joint declaration published alongside the deal makes clear that the EU will undertake this adequacy assessment. However, an adequacy decision was not part of the deal. Pending this, a temporary arrangement has been agreed to allow data to continue to be transferred from the EEA to the UK for the next four months (extendable to six months).

Given this temporary arrangement, thankfully it is not necessary for organisations involved in such transfers to rush to put in place standard contractual clauses or another transfer tool as from 1 January. However, this will need to be kept under careful review in Q1 and Q2 2021.

Transfers to the US which relied on Privacy Shield – as a result of the Schrems II decision in July 2020, which invalidated the Privacy Shield arrangement, another transfer tool needs to be put in place, such as standard contractual clauses. But see next point.

Using standard contractual clauses – as well as transfers which have become restricted transfers as a result of Brexit, all restricted transfers will need to be reviewed in 2021 with the implementation of the proposed new standard contractual clauses issued by the European Commission in November 2020 – see https://idatalaw.com/2020/11/20/new-standard-contractual-clauses/

In addition to the above, following Schrems II, in order to rely on standard contractual clauses organisations must carry out a “transfer impact assessment” to determine whether the clauses guarantee an equivalent level of protection for the transferred data as applies under GDPR; if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection – see further https://idatalaw.com/2020/11/20/new-guidance-for-international-transfers-post-schrems-ii/

Putting aside international transfers for a moment, we wish you all the best for a healthy and successful 2021!

New – Standard Contractual Clauses!

Nigel Miller
Nigel Miller

Background

Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the EEA. The attraction is that they are relatively straight forward and cost-effective to implement. The problem is that the current versions are hopelessly out of date and, given that they are often simply signed and “left in the drawer”, don’t really do a convincing job in terms of protecting personal data.

It was always the intention to update them to reflect the GDPR. However, two years on from GDPR go-live in May 2018, the old versions of SCCs are still very much in use in the absence of alternative solutions. Then, in July 2020, along came the decision of the European Court of Justice (“ECJ”) in Schrems II which shook up the world of international data transfers.

Schrems II

The Schrems II decision has two main consequences.  First, the ECJ found that the EU-US Privacy Shield like its predecessor the Safe Harbor – is invalid as a transfer mechanism.  Second, although the validity of SCCs was upheld, the ECJ stressed that simply signing off the SCCs will not always be sufficient. The ECJ said that the parties to the SCCs need to:

  • carry out a transfer impact assessment as to whether there is adequate protection for data in the country concerned; and
  • if necessary, implement “supplementary measures” to ensure that individuals have equivalent protections in respect of their data as afforded under EU law.

On 11 November 2020 the European Data Protection Board (“EDPB”) issued for consultation its much awaited guidance on these issues. This sets out the steps data exporters must take to determine if they need to put in place supplementary measures to be able to transfer data outside the EEA, and provides examples of measures that can be used. For our article on this, please see here

New SCCs

And then, barely noticed, the next day, the European Commission published its proposals for the new SCCs. There is a relatively short consultation period on the proposed new SCCs expiring on 10 December 2020.  Once the proposed new SCCs are approved, probably before the end of the year, we’ll have 12 months in which to replace all existing SCCs with the new ones. And this is far from a form-filling or box-ticking exercise.

We’ve taken a look at the proposed new SCCs and find some interesting developments:

  • The SCCs adopt a modular approach to cater for various transfer scenarios. They can be used for transfers from (i) controllers to other controllers, (ii) controllers to processors, (iii) processors to sub-processors and (iv) processors to controllers. This is helpful as the current SCCs do not cope with categories (iii) or (iv) which is problematic.
  • While the current SCCs can only be used by EU based controllers, the new SCCs can also be used by parties who are outside the EU who may be subject to the GDPR by virtue of its extraterritorial reach.
  • They allow for more than two parties to sign up to the SCCs, which can be useful (for example) for intra-group transfers.
  • They also allow for additional parties to accede to the clauses from time to time as exporters or importers.  For example, onward transfers by the importer to a recipient in another third country can be allowed if the recipient accedes to the SCCs.
  • Data subjects must be able to enforce the SCCs as a third party beneficiary. As such the SCCs must be governed by a law that allows for third party beneficiary rights.
  • For transparency purposes, data subjects should be provided with a copy of the SCCs and should be informed of any change of the identity of any third party to which the personal data is disclosed.
  • In respect of transfers by a controller to a processor, or by a processor to a sub-processor, the SCCs comply with the data processing requirements of the GDPR so that it will no longer be necessary to supplement the SCCs with data processing clauses.
  • The SCCs support EU processors by allowing for the transfer by an EU processor to a controller in a third country, reflecting the limited self-standing obligations of processors under the GDPR.
  • The SCCs have also been written with Schrems II in mind and provide for certain specific safeguards. The exporter must warrant that it has used reasonable efforts to determine that the importer is able to satisfy its obligations under the clauses and must document its transfer impact assessment. In the event that, for example, the importer is subject to a legal requirement to disclose data to a government or law enforcement agency, the importer must notify the exporter and, where possible, challenge the request. The data exporter may be required to suspend the data transfers if it considers that no appropriate safeguards can be ensured.

What about Brexit?

The new SCCs may become effective just around the time the transition period expires and the UK fully leaves the EU. So, what will be the position so far as the UK is concerned?

First, the UK Government are seeking an “adequacy decision” from the European Commission as part of the Brexit deal. If there is no deal, or no adequacy decision or other transitional arrangement, in place by 31 December 2020, then the UK will become a third country and data transfers from the EU to the UK will need to comply with EU GDPR transfer restrictions. In this scenario, SCCs will be required for transfers from the EU to the UK. The new SCCs will be particularly helpful as they can be used to cover transfers by EUA based processors to UK controllers or sub-processors, something which is not possible under the current SCCs.

As regards transfers from the UK, UK rules will mirror the current GDPR rules. The UK government has confirmed that, when the transition period ends, transfers from the UK to the EEA will not be restricted.

The rules on transfers to countries outside the EEA will remain similar to the current GDPR rules. Although the UK will make its own adequacy decisions after the end of the transition period, the UK government has confirmed that it intends to recognise existing EU adequacy decisions and the EU approved SCCs.

Next steps

Organisations now have a year to review all international transfers. Where necessary this will involve conducting transfer impact assessments, implementing the new SCCs in place of the current ones, adopting supplemental measures, putting in place flow-down terms where there are onward data transfers and providing enhanced transparency to data subjects. Certain data transfers may need to be discontinued or restructured. It’s going to be a busy 2021!

New guidance for international transfers post-Schrems II

Ben Nolan
Ben Nolan

In July this year, the European Court of Justice (“ECJ”) thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. In that case, the ECJ invalidated the Privacy Shield as a transfer mechanism. However, perhaps even more significantly, the ECJ upheld the validity of standard contractual clauses (“SCCs”) but only with major conditions attached, with the court effectively ruling that:

  • organisations seeking to rely on SCCs must carry out a transfer impact assessment to determine whether the SCCs guarantee an equivalent level of protection for the transferred data as applies under GDPR; and
  • if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection.

Since the ruling, organisations transferring personal data on the basis of SCCs have been left somewhat in the dark about how exactly to conduct transfer impact assessments and what any “supplementary measures” may look like.

However, the European Data Protection Board (“EDPB”) has now issued its much awaited guidance on these issues (“EDPB Guidance”) (available here), which we discuss below.

EDPB Guidance

Transfer impact assessments

Transfer impact assessments essentially amount to a review of the laws and practices of the country where the recipient of the data is based to determine whether these would prevent the SCCs from ensuring an equivalent level of protection for the transferred data to that provided in the EU. The EDPB Guidance provides that these should be conducted by the transferring entity in conjunction with the entity receiving the data.

Laws which the EDPB Guidance suggests should present major red flags for organisations seeking to transfer personal data to third countries include those which impose requirements on organisations to disclose personal data to public authorities or which grant public authorities’ powers of access to personal data.

To help organisations assess whether the surveillance laws in place in the country of the recipient of the data are compatible with EU laws, the EDPB has published separate guidance on the European Essential Guarantees for surveillance measures (accessible here). The key criteria to be taken into account are as follows:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

Separately, the EDPB Guidance also stresses that transfer impact assessments should be objective in nature rather than subjective, meaning organisations should not give weight to factors such as the likelihood of the transferred personal data being accessed by surveillance authorities and handled inappropriately. This is interesting as it contrasts with a white paper published by the US government in September in response to the Schrems II ruling. In that paper, the US government attempted to appease concerns in relation to data transfers to the US by stating that US intelligence authorities are not interested in the vast majority of data transferred from Europe to the US despite them often having the power to access that data.

Supplementary measures

If, following a transfer impact assessment, it is clear that the SCCs alone would not ensure an equivalent level of protection for the transferred personal data, supplementary measures must be implemented to protect against the risks identified. The EDPB Guidance provides for three types of supplementary measures which can be taken: technical measures; contractual measures; and organisational measures. The exact supplementary measures to be implemented should be decided on a case-by-case basis depending on the specific issues raised by the transfer impact assessment.

The EDPB Guidance contains a handful of examples of supplementary measures in the context of specific scenarios which are set out in Annex 2 of the guidance. These include:

  • Technical measure: use of “strong encryption” using state-of-the-art techniques whereby only the organisation transferring the data (or an entity entrusted with this task in the UK / EEA) holds the key to decrypt the data.
  • Contractual measure: inclusion of a contractual provision committing the transferring entity and receiving entity to assist individuals in exercising their rights in the third country through redress mechanisms and legal counselling.
  • Organisational measure: adopting internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access transferred data.

For transfers to countries with broad surveillance laws, the EDPB Guidance suggests that only implementation of technical measures will be sufficient to ensure an equivalent level of protection for the transferred data, irrespective of any contractual or organisational measures applied.

Whilst the EDPB Guidance is helpful to a point, the EDPB is forthright in making it known that implementation of supplementary measures will not always be enough to ensure an equivalent level of protection for transferred personal data. The EDPB gives the following two examples of when supplementary measures will not be effective:

  • Transfers to cloud services providers or other processors based in countries with broad surveillance laws which require access to data in an unencrypted form.
  • Remote access to data for business purposes by an organisation in a country with broad surveillance laws.

This will no doubt frustrate many companies which regularly carry out these transfers and which will now need to consider alternative approaches in relation to these going forward.

Practical steps for organisations

In light of the EDPB Guidance, organisations transferring personal data outside the EU or UK will need to:

  1. Review all existing international transfers they make. The EDPB Guidance applies in respect of new and existing transfers.
  2. Consider the basis upon which transfers are made. If transferring to a third country which is not subject to an adequacy decision, conduct a transfer impact assessment to verify whether the transferred personal data would benefit from an equivalent level of protection on the basis of SCCs alone.
  3. If the transferred personal data does not benefit from an equivalent level of protection, consider what technical, contractual or organisational measures could be applied to the transfer to ensure an equivalent level of protection and, if applicable, implement such measures.
  4. If it appears that no supplementary measures are available, consider whether it is possible to transfer the data on the basis of a derogation under Art. 49.
  5. If Art. 49 does not apply, consider what alternative approaches are available (for example, pursuing a data localisation strategy or using a service provider based in a third country whose laws would not prevent the effectiveness of the SCCs).

If you require any assistance with carrying out the above steps in relation to your organisation, please contact a member of the team or speak with your usual Fox Williams contact.