European Commission Adopts UK Adequacy Decisions Allowing Personal Data to Freely Flow from the EU to the UK

On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to freely flow from the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.

Long-Awaited Online Safety Bill is Introduced by the UK Government to Combat “Harmful” Online Content

Two years after the UK Government first put forward its intention to introduce a new regime to address illegal and harmful content online, the UK Government published the Online Safety Bill (“Bill”) on 12 May 2021. The Bill imposes duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content (e.g., by minimising the spread of such content). The Bill also aims to ensure that users are able to express themselves freely online and requires platforms to consider the importance of freedom of expression when fulfilling their duties.

European Data Protection Board Issues Final Schrems II Recommendations

The European Data Protection Board (“EDPB”) adopted on 18 June 2021 its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.

The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:

  • better align with the new SCCs recently adopted by the European Commission; and
  • allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.

Our previous blog post on the EDPB’s draft Schrems II recommendations provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.

European Commission Publishes Details of its Forthcoming Data Act

The European Commission has formally launched its legislative initiative aimed at increasing access to and further use of data, so that more public and private actors can benefit from technologies such as Big Data and machine learning. The Commission has published its inception impact assessment on the forthcoming Data Act, on which interested stakeholders can submit comments until 25 June 2021. In parallel, the Commission has launched a public consultation for the legislative initiative, to be conducted by an online questionnaire, with a deadline of 3 September 2021. Feedback will be taken into account for further development and fine tuning of the initiative to be tabled in Q3-Q4 2021.

NHS’ Plans to Share Patient Records with Third Parties

In May 2021, NHS Digital (the national custodian for health and care data in England) announced a new data sharing initiative called the General Practice Data for Planning and Research (GPDPR) service. The launch of the GPDPR could result in the historical medical records of up to 55 million patients in England being shared with third parties.

Although the GP data collection was set to take place as of July 1, 2021, on June 8, 2021 it was announced that the launch will be postponed to September 1, 2021.

European Commission Adopts New Standard Contractual Clauses

The European Commission (EC) on June 4, 2021 adopted a new set of Standard Contractual Clauses for international data transfers (New SCCs). The New SCCs take into account the Court of Justice of the European Union’s (CJEU) decision in Schrems II, requirements under the EU General Data Protection Regulation (GDPR), and according to the EC “address the realities faced by modern business”. In particular, as it relates to companies’ ongoing Schrems II assessments, the New SCCs provide details around the steps an importer should take when subject to a request for disclosure from a public authority, and helpfully confirm the factors which can be taken into consideration in carrying out the assessment of a third country legal framework.

UK Moves to Reconcile Antitrust and Data Protection Enforcement in Digital Sectors

Last year, to address the increasing overlaps between data protection and antitrust enforcement, the UK launched the Digital Regulatory Cooperation Forum (DRCF). The DRCF brings together the four UK regulators most involved in digital matters (i.e., the Competition and Markets Authority (CMA), the Information Commissioner’s Office (ICO), the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA)). Its main objective is to enable coherent and informed regulation of the UK digital economy.

FCA Letter to E-Money Institutions: Why All UK Payment Service Providers Should Review Their Marketing Practices Now

On May 18, 2021, the UK Financial Conduct Authority (FCA) published a “Dear CEO” letter (the Letter) asking e-money institutions to ensure that their customers understand how their money is protected. The FCA has expressed concern that e-money institutions do not adequately disclose the differences in protections between e-money and bank accounts and that customers are not aware of the differences in protections between e-money services and traditional banking services, in particular that the UK Financial Services Compensation Scheme (FSCS) protection does not apply to e-money accounts.

SCCs, Adequacy, and Guidance: Latest Updates on International Data Transfers

The next few weeks will likely be very busy for companies on the GDPR international data transfer front as there have been a number of key European developments over the last few days including:

Transferring EU Data To US After New Contractual Safeguards – A Proposal to Notify Intelligence Agencies of “US Person” Prohibition on Targeting SCC Transfers

This article was first published by Law360 on May 17, 2021.

In light of new standard contractual clauses, or SCCs, to be issued shortly by the European Commission, as well as imminent new guidance from the European Data Protection Board, companies transferring personal data to the U.S. should consider taking steps to help ensure their data transfers are recognized as U.S. person communications.

This article sets forth possible text that companies could adopt as a supplemental measure to inform U.S. intelligence agencies that data transfers under SCCs are prohibited from being targeted.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com