The United Kingdom left the European Union on 31 January 2020. Under the EU-UK Trade and Cooperation Agreement, provisionally applicable since 1 January 2021, the EU agreed to defer its restrictions on personal data transfers to the UK for a bridging period of four months, extendable by a further two months. At the end of that period, controllers and processors established outside the UK that offer goods or services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK, e.g. a UK DPO with whom we can put you in contact.
The UK Government is seeking adequacy decisions from the European Commission. If no adequacy decision has been adopted by the end of the bridging period, transfers from the European Economic Area (“EEA”) to the UK will be treated as transfers to a third country and will therefore have to comply with the transfer restrictions of Chapter V GDPR.
By way of a reminder, the European Data Protection Board (“EDPB”) has issued recommendations on the supplementary measures to be implemented when transferring personal data outside the EEA: Recommendations 01/2020 of 11 November 2020 (the “Recommendations”). The EDPB has also issued separate guidance (Guidelines 02/2020 of 15 December 2020) on transfers of personal data between EEA and non-EEA public authorities and bodies.
This publication covers the general rules set out in Recommendations 01/2020; we are available for questions on any specific rule.
The Recommendations were adopted following the Schrems II ruling of the Court of Justice of the European Union (CJEU) of 16 July 2020 (C-311/18). In Schrems II the CJEU held that the standard data protection clauses adopted by the Commission for transfers from controllers in the EU to processors established outside the EU or EEA remain valid, but that, being a contract, they cannot bind the public authorities of third countries, which are not party to it. As a consequence, data exporters must assess, on a case-by-case basis, whether supplementary measures are needed to ensure that the level of protection required under EU law is maintained in the particular third country.
In its Recommendations, the EDPB provides a methodology for exporters of personal data to determine the additional measures that will need to be put in place when transferring personal data outside of the EU or the EEA.
The Recommendations reiterate the importance of the accountability principle for data transfers, and outline several steps that must be undertaken by exporters of personal data (controllers and processors), including:
1. Get extensive knowledge of the data transfers
Data exporters shall map all data transfers to third countries and ensure that the personal data transferred are adequate, relevant and limited to what is necessary for the purposes concerned. The EDPB points out that remote access from a third country (for example in support situations) and/or storage in a cloud outside the EEA also constitutes a transfer.
2. Check the transfer tool used to transfer personal data
Several transfer tools are listed under Chapter V GDPR. If the Commission has adopted an adequacy decision for the third country concerned, no further step is needed beyond monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, data exporters shall rely on one of the transfer tools listed under Article 46 GDPR (e.g. a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses, etc.). Only for occasional and non-repetitive transfers, and only under certain conditions, may data exporters rely on one of the derogations provided for in Article 49 GDPR.
3. Assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools
The assessment should be primarily focused on third country legislation that is relevant to the transfer, considering the transfer tool relied on. Particular attention must be paid when the legislation governing the access to data by public authorities is ambiguous or not publicly available. In the absence of legislation governing the circumstances in which public authorities may access personal data, data exporters should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to the data in a manner not in line with EU standards.
"Map data transfers to third countries (including UK) and ensure an adequate level of protection."
4. Identify and adopt supplementary measures where necessary
Depending on the result of the assessment carried out in step 3 above, data exporters should identify, on a case-by-case basis, supplementary measures for data transfers to the specific third country. Such supplementary measures may be contractual, technical or organisational in nature and should be combined so that they support and build on each other.
The Recommendations provide a non-exhaustive list of examples of supplementary measures:
Technical measures: the Recommendations identify technical measures that are effective only in specific scenarios, and any change to a scenario may lead to a different conclusion. For instance, where a data exporter uses a hosting service provider in a third country to store personal data, e.g. for backup purposes, the personal data must be encrypted with strong encryption before transmission; the encryption algorithm and its parameterisation must be robust against cryptanalysis by the public authorities of the recipient country; the algorithm must be flawlessly implemented by properly maintained software, ... The Recommendations also identify scenarios in which no effective measure can be found.
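The backup scenario above is the one technical measure in this publication that can be shown in working code. The following is an added example written for this article, not code from the EDPB or from the original publication: the exporter encrypts each backup in the EEA with AES-256-GCM before it is shipped, the hosting provider in the third country only ever stores ciphertext, and the key never leaves the exporter. The function names, the constructed sample record and the in-process key generation are assumptions made for the demonstration; the Recommendations expect the key to be managed and retained solely under the control of the exporter (or a trusted entity in the EEA or an adequate country), so in practice the key would come from an HSM or KMS under the exporter's control rather than from `NewBackupKey`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example for the "backup with a third-country hosting provider"
// scenario of EDPB Recommendations 01/2020. The exporter encrypts in the
// EEA; the importer only ever receives nonce || ciphertext || tag.

const keySize = 32 // AES-256

// NewBackupKey generates a fresh 256-bit key. Assumption for the demo only:
// in production the key lives in an HSM/KMS controlled by the exporter in
// the EEA and is never sent to the hosting provider.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals plaintext with AES-256-GCM and returns the blob that
// is shipped to the third country: nonce || ciphertext || tag. The label
// (backup name, exporter identifier) is bound as associated data: it stays
// readable to the importer but cannot be swapped without detection.
func EncryptBackup(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce is never reused under one key
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptBackup runs in the EEA on restore. A wrong key, a modified blob or
// a modified label fails authentication and yields an error, not garbage.
func DecryptBackup(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// ImporterCanReadPlaintext models what the hosting provider, or a public
// authority compelling it, learns from the stored blob without the key:
// true only if the given plaintext fragment appears verbatim in the blob.
func ImporterCanReadPlaintext(blob, sample []byte) bool {
	return bytes.Contains(blob, sample)
}

func main() {
	// Constructed sample record for the demo; not real personal data.
	backup := []byte("customer_id=4711;name=Jane Doe;email=jane@example.org")
	label := []byte("backup-2021-01-15;exporter=acme-eu")

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, backup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("shipped %d bytes; importer can read plaintext: %v\n",
		len(blob), ImporterCanReadPlaintext(blob, []byte("Jane Doe")))

	blob[len(blob)-1] ^= 0x01 // tampering in transit or at rest
	if _, err := DecryptBackup(key, blob, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Two points the code makes concrete. First, what a compelled disclosure by the hosting provider can yield is exactly the blob: the authority obtains ciphertext and the label, and the size of the backup, nothing else, which is why the key must stay under the exporter's control in the EEA. Second, the AEAD tag means that a backup silently altered by the importer or a third party will not restore, so the measure protects integrity as well as confidentiality; it does not, however, help in scenarios where the importer needs the data in the clear, which is why the Recommendations find no effective technical measure for those cases.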
Contractual measures: the contract with the data importer may oblige it to use specific technical measures, reinforce its transparency obligations, commit it to specific actions (such as reviewing, under the law of the country of destination, the legality of any order to disclose data), and help data subjects exercise their rights (e.g. by obliging the importer and/or the exporter to notify the data subject promptly of any request or order received from the public authorities of the third country).
Organisational measures may consist of internal policies, organisational methods, standards, best practices, ... Data exporters shall take whatever formal procedural steps are required to adopt the identified supplementary measures, and should re-evaluate at appropriate intervals the level of protection afforded to the transferred data. Accountability is a continuing obligation (Article 5(2) GDPR).