Photo of Asélle Ibraimova

On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).

Continue Reading South Korea granted adequacy decision

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

Continue Reading South Korea – EDPB adopts an opinion on the Commission’s draft adequacy decision

Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism  for three UK GDPR certification schemes, in the following areas:

  1. IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies who provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
  2. Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age restricted products or services; and
  3. Age appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services which are based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.

The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.
Continue Reading The ICO approves the first UK GDPR certification schemes

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)

Continue Reading Tune in for the latest updates on our Tech Law Talks podcast

The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected does provide an equivalent level of protection to that offered under the GDPR and individual’s rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance where there is “problematic legislation” in an importing country such that public and governmental authorities would be able to access individuals’’ personal data.

The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations.  The final draft places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls organisations to review not only laws but also practices of a third country’s surveillance measures by public authorities. The final Recommendations also emphasise that use of the GDPR derogations are meant to be an exception to rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.

The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by the EU laws when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring protection travels with the data and jointly monitor the measures taken are effective in achieving that aim.
Continue Reading EDPB adopts final recommendations on Supplementary Measures nearly a year after the CJEU’s Schrems II ruling

Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.
Continue Reading European Commission issues New Standard Clauses for data transfers outside the EEA: Act within 18 months

On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.

Scope of the recommendations

The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.

The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.

Why are these recommendations needed?

As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.

Continue Reading Storing credit card details for future purchases – EDPB recommends online retailers do so only with consent

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It became one of the leading pieces of legislation in the world to offer the highest levels of protection to the personal data of individuals. Many countries followed suit to raise the bar in how organisations handle personal data. The trend

On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation.

Background

These proceedings follow on from Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs’) for data transfers to third countries. The decision clarified the obligation of the controllers and processors to evaluate their ability to comply with the SCCs in the light of local laws applicable to them before relying on the SCCs and to take supplementary measures to eliminate any risk of non-compliance.

The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision, suspending personal data flows to the US due to lack of adequate level of protection for personal data transferred to the US and failure to implement supplementary measures by the applicant organisation. The DPC allocated a period of 21-days to the applicant organisation to make submissions to the DPC measures it plans to take to make data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the submission by the DPC that the PDD and its procedures were not amenable to judicial review and reviewed each of the grounds that were raised.
Continue Reading DPC’s authority to inquire into the EU-U.S. data transfers confirmed by the Irish High Court

What is new?

During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new SCCs that are currently being finalised by the European Commission. These new EU SCCs will not be valid for use for restricted transfers of data outside the UK.

Why is this change taking place?

From 31 December 2020 organisations in the UK have been relying on existing SCCs (Decisions 2001/497/EC and 2010/87/EU) for transfers of data outside the UK except where such territories are recognised as adequate (e.g. countries in the EU, the EEA, and those that obtained the EU Commission’s adequacy decision). However, the existing SCCs will be repealed when the new EU SCCs come into play. Therefore, the ICO is taking measures to put in place new international transfer mechanisms for restricted transfers outside the UK.

Continue Reading ICO announces it is working on bespoke UK set of Standard Contractual Clauses