The European Data Protection Board (EDPB) recently adopted Guidelines 05/2021 (the Guidelines) on the interplay between being located outside the European Economic Area (EEA) but directly subject to the General Data Protection Regulation (GDPR) and what constitutes an international transfer under Chapter V of the GDPR.

The Guidelines set out a ‘cumulative’ definition providing a three-step assessment, and each step of the definition needs to be satisfied before a transfer is deemed to be a transfer of personal data. The guidance seeks to address the questions raised by the European Commission (EC) when it issued the standard contractual clauses (SCCs) earlier this year. The main question is whether personal data processed by a company outside the EEA but subject to the GDPR is a transfer or not.

The Guidelines seek to settle that question by stating that such movements of personal data are not transfers. Instead, the Guidelines state that the controllers or processors of such personal data, because they are subject to the GDPR, must apply Chapter V to the personal data they transfer to a third country as if they were located in the EEA. This is what can be deemed a ‘geographic’ transfer rather than a legal one separately subject to Chapter V. The Guidelines, however, are open for a consultation period, so the question does not have a definitive answer yet.

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA).

The ICO has now launched the public consultation on its IDTA and accompanying guidance (available here). The consultation is open for feedback until 5pm on 7 October 2021.

Purpose of the IDTA

The IDTA will replace the current UK SCCs. The ICO has already made it clear that any transfers to third countries will need to take into account the Schrems II decision and apply supplementary measures, where required. The IDTA is a contract which organisations will be able to use when making a ‘restricted transfer’. The ICO is also consulting on how to define a ‘restricted transfer’ in light of the UK GDPR. In particular, the ICO is consulting on whether to keep its current guidance that says a restricted transfer only takes place where the importer’s processing of the personal data is not subject to UK GDPR. Recognising the complexity of international transfers for businesses, the ICO Executive Director of Regulatory Strategy, Steve Wood, has said that the new guidance is designed to be accessible and to support the full range of organisations, from SMEs to multi-national companies.

On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation.

Background

These proceedings follow on from the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs) for data transfers to third countries. The decision clarified the obligation of controllers and processors to evaluate their ability to comply with the SCCs in the light of local laws applicable to them before relying on the SCCs and to take supplementary measures to eliminate any risk of non-compliance.

The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision (PDD), suspending personal data flows to the US due to the lack of an adequate level of protection for personal data transferred to the US and the applicant organisation’s failure to implement supplementary measures. The DPC allocated a period of 21 days to the applicant organisation to make submissions to the DPC on the measures it plans to take to make data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the submission by the DPC that the PDD and its procedures were not amenable to judicial review and reviewed each of the grounds that were raised.

What is new?

During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new SCCs that are currently being finalised by the European Commission. These new EU SCCs will not be valid for use for restricted transfers of data outside the UK.

Why is this change taking place?

From 31 December 2020 organisations in the UK have been relying on existing SCCs (Decisions 2001/497/EC and 2010/87/EU) for transfers of data outside the UK except where such territories are recognised as adequate (e.g. countries in the EU, the EEA, and those that obtained the EU Commission’s adequacy decision). However, the existing SCCs will be repealed when the new EU SCCs come into play. Therefore, the ICO is taking measures to put in place new international transfer mechanisms for restricted transfers outside the UK.

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog setting out the key elements of both guidelines. 

In simple terms, BCRs are a business-specific framework that allows intra-organisational cross-border transfers of data from organisations within the European Union to their affiliates outside of the EU. BCRs underpin shared data processing standards compatible with the General Data Protection Regulation (GDPR) and wider EU data protection law. The GDPR incorporates BCRs into legislation and sets out various conditions at article 47 that must be met when businesses utilise them.

The revised guidelines (WP256 for Controllers and WP257 for Processors) address the principles and elements businesses should incorporate in their BCRs. The guidelines have revised the original guidance, although they remain largely similar to what was published in draft last year.

Background

On 3 October 2017, the Irish High Court held that it is up to the European Court of Justice (“ECJ”) to determine whether Standard Contractual Clauses (“SCCs”) are a valid method of transferring personal data outside of the EU in compliance with privacy law.  SCCs are widely used by businesses that transfer data from the EU to the US as a means to comply with European data protection laws.  They are intended to give EU citizens the same level of privacy and protection when their data is stored in the US, as when it is stored in the EU.

The case involves an Austrian lawyer, Max Schrems, who originally filed a complaint with the Irish Data Protection Commissioner (the “Commissioner”) challenging Facebook’s use of SCCs. Schrems brought the case following revelations in The Guardian that the US National Security Agency had direct access to data on European users of Facebook stored in the US, as originally transferred from the EU. Schrems argued that the Commissioner should order Facebook to suspend sending data to the US, claiming that the standard clauses were not adequate to protect privacy under EU legal standards due to a lack of safeguards against US government surveillance.

The Commissioner argued that the case should be referred to the ECJ to determine whether the Commission’s decision on standard clauses is consistent with the EU Charter of Fundamental Rights. Justice Caroline Costello agreed that there were “well-founded grounds” for challenging the European Commission decision to approve SCCs as valid data transfer channels. The Irish judge held that only the ECJ has the jurisdiction to rule on the validity of a European measure.

The case is the latest to question whether methods used by large tech firms such as Facebook, Google and Apple to transfer data outside the European Union provide EU consumers with sufficient protection from US surveillance. This case also affects other companies that store information across borders and seek to transfer it for business purposes.

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.

APEC is an economic forum comprised of countries throughout Asia-Pacific. APEC’s importance should be noted: its 21 member economies comprise 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist in trade through faster customs procedures and initiatives to synchronise regulatory systems across its member countries. The CBPR is a voluntary accountability-based system that facilitates the safe transfer of personal information across the APEC region.