The European Commission published a draft decision on UK adequacy for transfers of personal data from the EU to the UK, which you can read here. The EC conducted an assessment of the UK’s GDPR framework under the UK Data Protection Act 2018, including data protection rules applicable to UK law enforcement and national security and surveillance. It concludes that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU, under the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), meaning data transfers can flow from the EU to the UK without further safeguards.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries. We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, the EDPB and the EDPS welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example to the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear.

As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is an “adequacy decision” granted by the European Commission. If a third country is deemed adequate by the European Commission, the personal data can be transferred to that country without any additional safeguards being required.

On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).

The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.

The main changes introduced by the draft SCCs are summarised below.

On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here).

Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between a controller and a processor (e.g. purpose and duration of processing, details of the measures used to ensure security of data) as well as the obligations that apply to the processor (e.g. processing only on the documented instructions of the controller, implementation of security measures, assistance).

The clauses offer a useful insight into the Commission’s expectations on data processing agreements, which should assist organisations with any review (and, if required, development) of their data processing agreement templates.

Following a previous European Commission recommendation to support the gradual lifting of coronavirus (COVID-19) restrictions through mobile data and apps, on 19 October 2020, the European Commission has set up an EU-wide system for the interoperability of track and trace apps.

Background

National contact tracing and warning apps can play a key role in all phases of COVID-19 management by warning users if they have been in contact with someone who has indicated they tested positive for COVID-19 and giving appropriate health advice. Most EU Member States have developed national contact tracing and warning apps which can be used on a voluntary basis.

The new ‘gateway’ system allows these national apps across the EU to talk to each other and exploits the full potential of national apps by moving towards a centralised system where they can be interoperable through a single gateway service.

The design of the gateway system builds on the set of technical specifications as set out in the EU Commission Guidelines for interoperability, EU toolbox and the EU Commission and European Data Protection Board guidelines on data protection for contact tracing and warning apps.

On 13th May, the European Commission’s eHealth Network published its interoperability guidelines for approved contact tracing mobile applications in the EU, guiding developers when designing and implementing applications and backend solutions to ensure efficient tracing of cross-border infection chains. These guidelines serve as a follow-up action to their previously published ‘Common EU Toolbox for Member States’ on mobile applications to support contact tracing in the EU’s fight against COVID-19 on 15th April.

Why are interoperable apps considered important in the fight against COVID-19? It is almost inevitable that in today’s day and age we would look to technology to be part of the solution. The hope is that interoperable apps will facilitate the tracing of cross-border infection chains, which is particularly valuable for cross-border workers, tourism, business trips and neighbouring countries.

On 18 March, the Task Force for Relations with the United Kingdom (UKTF) of the European Commission published its Draft Text of the Agreement on the New Partnership with the United Kingdom (Draft Agreement). It translates the negotiating directives, approved by Member States, into a legal text, in line with the Political Declaration agreed between the EU and the UK. The Draft Agreement was sent to the UK following consultation with the European Parliament and the Council of the European Union, and aims to provide a tool to support the negotiations and enable progress with the UK’s relationship with the EU.

The Draft Agreement covers all areas of the negotiations. Most importantly for us, the Draft Agreement includes provisions around the digital economy and data protection. These draft provisions ensure that the parties commit to a high level of data protection and recognise the importance of promoting and protecting the fundamental rights of privacy and data protection. The parties also agree to cooperate (as much as national laws permit) at bilateral and multilateral levels, which may include dialogue, exchange of expertise, and cooperation on enforcement with respect to personal data protection.

Never one to miss a bandwagon, the European Commission has published three documents to mark the first year of GDPR:

  • a Eurobarometer survey on data protection (Eurobarometer Survey);
  • a multi-stakeholder expert group report (MEG Report); and
  • guidance on the free flow of non-personal data within the EU (reported on here).

We set out some of

The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework for a common European data space and free movement of all data within the European Union”. The European Commission has published practical guidance to help users understand the interaction between these two regulations.