13 April 2022
May - Data sharing – 5 of 6 publications
Data transfers from the EU and UK to the USA have been problematic for years now as we've ridden the rollercoaster of transfer solutions and their successful challenges in the courts. A replacement to the Privacy Shield has long been promised by the EU and US, but where does that leave the UK? While it has prioritised an adequacy agreement with the US, it needs to be careful not to risk its own adequacy agreement with the EU.
Other transfer mechanisms exist of course, notably EC Standard Contractual Clauses and the UK International Data Transfer Agreement and Addendum, but these are far from easy to implement and are themselves under scrutiny. There can be no doubt that clarity on the issue of data transfers to the US is needed.
The EC and US government have announced agreement "in principle" of a new Trans-Atlantic Data Privacy Framework (TADPF) to facilitate frictionless data flows between the EU and USA. Full details have not been released but in its press release, the White House said the USA had made "unprecedented commitments" to:
It goes on to say that the Framework ensures:
The scheme will operate as before, on a self-certification basis signalling that an organisation complies with a set of Principles.
The announcement has been greeted with enthusiasm by organisations and privacy professionals. Privacy campaigners, including Max Schrems and NOYB, have, however, been more cautious (to put it mildly). They warn that "we expect this to be back at the Court within months from (sic) a final decision".
This is based on the expectation that the final text of the Privacy Shield will use GDPR-friendly language (such as 'redress' and 'proportionality') but will not be underpinned by any substantial changes in US surveillance laws, although it seems likely some amendments to US law will be made by Executive Order, including the establishment of a Data Protection Review Court. A recent US Supreme Court decision (FBI v Fazaga) reinforced the rights of surveillance authorities to access personal data, so it remains to be seen whether a meaningful redress system will be set up for EU citizens concerned about access to their data.
A final version of the TADPF is not expected for the next few months, after which it will go through an approval process, so it is unlikely to be in place until the end of 2022 at the earliest. The EDPB has already signalled a cautious approach, saying it is waiting for full details and setting out the areas for scrutiny. Assuming it is adopted, it should at least hold for a year or two, even if there is an ensuing legal challenge. The European Commission and the US, not to mention businesses, will be hoping it fares better than that and provides a lasting solution where Safe Harbor and the Privacy Shield failed.
But what about UK-US transfers?
The proposed TADPF will not apply to transfers from the UK to the US so what does this agreement mean for the UK? The UK government has prioritised reaching an adequacy agreement with the US although so far there have been no concrete developments. One of the concerns about this was that any UK-US agreement might jeopardise the EU-UK adequacy agreement. If, however, the EC has recognised the US as providing adequate protection for EU data under particular conditions, any move towards US adequacy by the UK will become much less risky.
Does this mean the UK will seek to emulate the Commission's approach by giving a partial adequacy decision, recognising protections as adequate where they meet certain requirements or where the US importers are signed up to Privacy Shield 2.0 principles? Any steps by the UK to give the US an unqualified adequacy decision could still prove unpalatable to the EU.
Alternatively, will the UK take a similar approach to the one taken in relation to transfers under standard contractual clauses? The UK introduced its own International Data Transfer Agreement to replace the old SCCs, but also provided for use of an Addendum to the EC SCCs, making it easy for UK businesses transferring personal data to third countries from the UK and the EU, to 'bolt on' to them. The most recent indications are that the UK government may well formalise a UK-US adequacy arrangement before the end of 2022 and quite possibly before the EU-US replacement for Privacy Shield is formalised. Significantly, it is also likely that the UK government will publish its proposals to reform UK data protection law soon which will probably include changes to the international data transfer legal framework. In any event, the signs are positive that new solutions to the problems around data transfers to the US from the UK and EU are coming. How robust they turn out to be remains to be seen.
Debbie Heywood looks at the recently announced draft Trans-Atlantic Data Privacy Framework to facilitate frictionless EU-US data flows – what does this mean for the UK?
13 April 2022
by Debbie Heywood