19 July 2021
Radar - July 2021 – 1 / 3 Viewpoint
A number of issues have thrown data exports into the spotlight in the last couple of years. Not just one but three developments:
UK adequacy
EU-UK adequacy decisions were adopted on 27 June.
In March, we covered the draft EU-UK adequacy decisions. EC adequacy decisions enable the free-flow of personal data from the EEA to the country benefitting from the decision. A UK adequacy decision is, by some considerable margin, the optimal solution to the Brexit data problem.
One major change from the draft decisions is that the final versions do not cover data transferred for the purpose of UK immigration control. The carve-out is a result of the recent Court of Appeal judgment which held that the immigration exemption in the Data Protection Act 2018 was unlawful. The Commission has said it will reassess the need for the exclusion once the UK makes changes to the offending exemption.
The EC stresses that the decisions are dependent on the UK continuing to maintain an adequate level of protection and that they can be suspended at any point if it does not. The decisions expire on 27 June 2025 unless renewed.
New SCCs
As we discussed last month, the EC published new SCCs which reflect the GDPR and take a more flexible, modular approach. These came into force in the EU on 27 June 2021.
Those using the old SCCs must transfer over to the new ones within 18 months. They cannot, however, be used where a non-EU importer is importing personal data caught by s3(2) GDPR (ie where the personal data is of data subjects in the Union and the processing activities are related to the offering of goods or services to data subjects in the EU, or to the monitoring of their behaviour where that behaviour takes place in the EU).
The old SCCs will continue to be used in the UK until the ICO finalises new ones.
EDPB final recommendations on supplementary measures
In the Schrems II decision, the CJEU said it was up to controllers to assess, on a case-by-case basis, whether or not the data being exported would receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect the data if it did not. Where any additional measures would still fail to ensure adequate protection, the transfer could not take place.
No detail was provided as to what those supplementary measures might be, or under what circumstances they would need to be used, until the EDPB published its draft recommendations for supplementary measures in November 2020, which we discussed here.
These have now been finalised and there have been a few significant changes, in particular to the section on Step 3 (assessing whether the Article 46 transfer tool is effective considering all circumstances of the transfer).
There is now a focus on examining the practices of the relevant third country as well as the letter of the law, on assessing the specifics of the transfer (ie how likely the data is to be accessed or to be the subject of an access request), and on taking into account the importer's experience of law enforcement access, although that will not in itself be decisive.
The transfer impact assessment (TIA) is now explicitly specific to the legislation and practices relevant to the specific data being transferred.
Step 3 involves assessing whether there is anything in the law and/or practices in the third country which may reduce the effectiveness of the transfer tool being used. This examination will be particularly relevant where:
In the first two situations, the controller will have to suspend the transfer or implement adequate supplementary measures to proceed.
In the third situation, in light of uncertainties around the potential application of problematic legislation, the controller may decide to suspend the transfer, implement supplementary measures, or proceed with the transfer without implementing supplementary measures, provided the controller considers, and is able to demonstrate and document, that there is no reason to believe the relevant problematic legislation will be interpreted and/or applied in practice so as to cover the transferred data and the importer.
The TIA should initially be based on publicly available legislation. It must contain elements concerning access to data by public authorities of the third country of the importer such as:
While publicly available legislation is the starting point, the controller must also look at practices in force in the third country. This includes where:
The annexes have not changed significantly beyond clarifying some of the examples and giving a more detailed list of possible sources of information to assess a third country (Annex 3).
There can be no doubt that the new EC SCCs and the EDPB guidance on supplementary measures, together with the UK adequacy decisions, have cleared up some of the uncertainties and anomalies around the data transfer regime.
Questions do remain and we'll be looking at these in-depth in our next edition of Global Data Hub in August which will also cover sector-specific issues in life sciences and real estate.
We have a wealth of content on our Global Data Hub.