Data Protection Updates | November 2021
18-month deadline for EU standard contractual clauses to be adopted:
There are new standard contractual clauses for international personal data transfers from the European Union to third countries (“New EU SCCs”).
The New EU SCCs take into account both the Schrems II decision and the requirements of the EU GDPR and enable businesses to account for a variety of complex data transfers and bring in new rules for restricted data transfers, but are also somewhat more flexible than the existing SCCs.
The New EU SCCs take a modular approach to implementation and cover a broad range of transfer scenarios including controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers.
The new standard contractual clauses came into effect June 27, 2021.
The New EU SCCs include form provisions for granting specific or general authorization for processors to engage sub-processors in the context of controller-to-processor and processor-to-processor transfers and prohibit onward transfers to additional recipients in third countries unless the onward transfer recipient agrees to be bound by the SCCs, or another specified exemption applies.
The old SCCs will be repealed three months following publication of the implementation decision, after which they may no longer be used for new data transfers.
Businesses will have 18 months to update their existing data export/import arrangements with the New EU SCCs.
It is important that businesses take the next 18 months to analyse the new SCCs to determine whether the new terms affect operational processes and update their existing data-transfer agreements.
UK Adequacy Decision:
The UK is awaiting an adequacy decision from the European Commission for free transfers of personal data from the EU/EEA to the UK.
The draft adequacy decision from the European Commission does not allow the UK to deviate from the protections guaranteed by the EU GDPR. Despite the transfer tools being broadly the same, organisations are facing a prospect of having separate SCCs for transfers to third countries from the EU/EEA and from the UK.
While the draft adequacy decision from the European Commission was broadly positive, MEPs recently voted to re-evaluate the draft decision; reviews are ongoing a final decision is expected in the coming months.
In the meantime, it is key that appropriate safeguards (e.g. SCCs) are in place in order to ensure data transfers remain possible if an adequacy decision cannot be made by July 2021 and no extension is agreed.
Data Sharing Code of Practice is laid before Parliament
On 18 May 2021, the ICO’s Data Sharing Code of Practice was laid before Parliament. The new Code is a statutory code of practice, which the ICO is required to publish under the Data Protection Act 2018. The ICO is also required to take the new Code into account when considering whether an organisation has complied with data protection law when sharing personal data.
The Code aims to address misconceptions regarding data sharing, such as misconceptions surrounding consent, and that the GDPR and Data Protection Act 2018 prevent data sharing.
The ICO issued a statement on 18 May 2021, stating “The new data sharing code aims to give businesses and organisations the confidence to share data in a fair, safe and transparent way, and it dispels many of the remaining myths about data sharing.
The code will guide organisations through the practical steps they need to take to share data while protecting people’s privacy.”
The new Code will now lay before Parliament for 40 sitting days before coming into force. In addition to the Code, the ICO has published additional resources on its data sharing information hub.
Organisations should familiarise themselves with the Data Sharing Code of Practise so as to avoid confusion surrounding their rights and obligations under UK GDPR and the DPA 2018.
Announcement of New Commissioner:
On 26th August, The Department for Culture, Media and Sport announced that John Edwards is the Government’s preferred nominee to be the next Information Commissioner.
Edwards has been New Zealand’s privacy commissioner since February 2014 and is currently serving his second five-year term. Before taking on the role, he practiced law in Wellington, with over 20-years of experience specialising in information law.
He has also served in the New Zealand government’s Ministry of Health, state services commission, and has worked directly with the prime minister and the cabinet.
Edwards is perhaps best known to the wider world for his verbose Twitter presence and for taking a public dislike to Facebook: In the wake of the 2018 Cambridge Analytica data misuse scandal Edwards publicly announced that he was deleting his account with the social media company — accusing Facebook of not complying with the country’s privacy laws.
Subject to approval by the Digital, Culture, Media and Sport Select Committee, followed by approval by HM the Queen, John Edwards would succeed the current Commissioner Elizabeth Denham on 31st October 2021.
UK unveils post-Brexit global data plans
In a recent interview with The Telegraph, culture secretary Oliver Dowden outlined the UK Government’s desire to overhaul key parts of the EU’s data laws under proposals to turbocharge the UK’s post-Brexit digital economy, moving away from what he called “bureaucratic, tick-box exercises”.
Other plans include new “data adequacy” partnerships that will allow the UK to send people’s personal data internationally, to places such as the United States, Korea, Singapore, Dubai and Colombia, among others under the UK’s terms. Currently the UK operates under an adequacy decision with the EU, however there are concerns the government’s move away from the GDPR framework could put this at risk.
Further announcements are expected to come later this year.
ICO consults on its draft guidance for international transfers under the UK GDPR:
The Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.
The IDTA will replace the current standard contractual clauses (SCCs) to take into account the binding judgment of the European Court of Justice in a case commonly known as ‘Schrems II’.
The ruling required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision.
The consultation is split into three sections, offering a selection of proposals and options to consider.
- Proposal and plans for updates to guidance on international transfers.
- Transfer risk assessments.
- The international data transfer agreement.
The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications. Responses will help the regulator understand the practical impact of proposed approaches on organisations.
The announcement also included an Addendum. The Addendum is designed to be used alongside the European Commission SCCs, to allow them to be used to safeguard a transfer under the UK GDPR, instead of the IDTA. It makes limited amendments to the EU SCCs to make them work in a UK context.
The consultation also indicates that the ICO may consider taking this approach with other jurisdictions’ standard data transfer clauses too, in a business-friendly move.
This will be welcomed by multi-national organisations that wish to streamline their international transfers documentation.
China adopts new Personal Information Protection Law
On 20th August 2021, China announced the adoption of the Personal Information Protection Law (“PIPL”) which shall come into effect on 1st November 2021.
The PIPL is noteworthy as it provides rules for the processing of personal and sensitive information as well as for personal information protection processors, data subject rights and onward data transfers.
Breach of the provisions in the PIPL can result in penalties, which could amount to a percentage of annual turnover of the organisation.
Similarly to the GDPR, any Western companies doing business in China that involves processing citizens’ personal data must grapple with the law’s extraterritorial jurisdiction — meaning foreign companies will face regulatory requirements such as the need to assign local representatives and report to supervisory agencies in China.
The PIPL also provides citizens with a comprehensive set of rights wrapping their personal data, including putting a similarly high bar on consent to process what EU law refers to as ‘special category data’, such as health data.
The legislation also contains provisions to curb data-mining, stricter even than those in the GDPR.
USA Bi-Partisan Federal Privacy Bill
In a step towards a nation-wide privacy law in the USA, a bi-partisan group of senators have introduced an Act to protect consumer data privacy when collected by large tech platforms.
The Social Media Privacy Protection and Consumer Rights Act would force websites to grant users greater control over their data and allow them to opt out of data tracking and collection and to write their terms of service agreements in plain language so users understand what they’re accepting by using the platforms. If a website were to suffer a data breach, it would have to notify users within 72 hours of it occurring.
As various states introduce their own privacy laws, a federal law will help the issues that the sheer volume of overlapping statutes has created. A growing desire for a federal privacy framework that would make corporate compliance simpler.
A federal law will also go a long way towards making international data transfers to and from the USA simpler and safter.
If the USA ever wishes to gain an adequacy decision from the EU, UK and others, it will need to ensure that its federal data law ensures the same level of protection for individuals as the GDPR.
As always, if you require any assistance with data protection related issues, please contact us.
For further information, visit Corporate Security, where you can find out how we support clients with Corporate Security and digital forensics support. Email us at firstname.lastname@example.org and follow us on LinkedIn and Twitter @TenIntelligence for all updates.
Data Breach & Incident Response
Digital Forensic Investigations
Data Audit & Assessment