This is my Summer 2022 update to my three vlogs on international transfers of personal data – which were thrown into the spotlight by Schrems II! Check out the vlogs for a quick refresher here:
Transfer Impact Assessments
Data Transfers – Transfer Impact Assessments
Data transfers – future developments
In this blog I’m kicking off August with a review of the summer’s EU and UK international transfer developments, and my top 10 practical tips. The ground is shifting quite quickly here, so I’d recommend tea and biscuits or perhaps a hard hat…
First let’s look at the EU.
The EU position continues to harden, with the headline: there is (almost) no “risk-based” approach for international transfers.
Big tech and public sector bearing the brunt
The predominant recipients of enforcement action continue to be the advertising giants Google, Meta and Amazon. However, regulators have a growing interest in public sector use of other US providers and products, e.g. Microsoft Teams, and there is growing anticipation of private sector enforcement.
Harder enforcement cases – Google Analytics & public sector procurement
Following the Austrian DSB, French CNIL, and Dutch AP, the Italian Garante is the latest supervisory authority (SA) to decide that using Google Analytics (GA) without further safeguards is not compliant with GDPR.
To reiterate this, the CNIL has published two documents in the last few weeks: (1) an English translation of its Q&A on its GA decisions and (2) suggestions for using an EU proxy as a supplemental measure for GA. There are a few unsurprising points:
…and a few more surprising(!) ones:
Meanwhile, the German Public Procurement Chamber of Baden-Württemberg has gone even further – stating in July that the mere possibility of third country access is a transfer under Article 44. The decision stemmed from a challenge by an unsuccessful (EU) bidder in a procurement process: while the (cheaper) successful party’s servers were in Germany, it (a) had a US parent and (b) was permitted under the confidentiality and data transfer terms to disclose personal data in third countries to comply with the law or a binding order. The presence of a US parent may therefore continue to be used as an instigator for challenge by similarly unsuccessful bidders in public procurement processes.
Denmark – an alternative interpretation for global CSPs?
However, the approach above contrasts with the Danish DDPA’s March Guidance on Cloud Service Providers (CSPs) and associated FAQs, reiterated recently on 1 August in its CSP due diligence questionnaire for controllers. Under that guidance (see 3.6) – “It is not in itself unlawful to use a CSP whose [third country] parent company is subject to [domestic] laws… giv[ing] law enforcement authorities the competence to request information held by other group members, including those in the EU/EEA.” Numerous pages also repeat that a controller can transfer personal data to a CSP that falls within FISA without supplemental measures, if the controller can demonstrate that the data will not be accessed in practice – for example, the CSP has not received any requests (see e.g. page 25). This therefore seems to advocate a risk-based approach. (I also refer to Examples 7 and 14, which clearly permit use of an EU subsidiary of a US-based provider and transfers where there is a “LOW” residual risk.)
In the same CSP guidance, citing from its guidance on third country transfers, the DDPA obliges controllers to implement controls, regularly audit and (if aware of unauthorised transfers) terminate arrangements, but any unauthorised transfer by the processor is “considered as ‘unintended’ on part of the controller”, in respect of which (a) the controller is not obligated to comply with the [international transfer] provisions” and (c) the processor is deemed a controller.
For now, therefore, it looks like Danish controllers can take comfort that the DDPA is taking a more pragmatic approach than those above – permitting both a “risk-based” approach and (subject to a TIA) use of “third-country-parented” CSPs.
(For completeness, there are some (erroneous) headlines reporting a hardening by the DDPA in the first “hardware” decision on Google Chromebooks and Workspace. However, the decision centres on an inadequate DPIA, and public comments from the decision’s author (Allan Frank) advise that it should not be more widely interpreted.)
Ireland – no more EU Insta(?), but two more Commissioners
The lead SA for most of Big Tech and the instigator of the CJEU referral resulting in Schrems II, the Irish Data Protection Commission (DPC), remains at the eye of the storm.
Earlier in July, the DPC confirmed to Reuters that it had (finally!) issued a draft decision to the other EU SAs ordering Meta to cease EU-US data flows for Instagram. Subsequently referred to the EDPB following several SAs’ objections, a non-public binding decision was adopted by the EDPB at its plenary on 28 July. The DPC now has one month to issue its final decision to Meta – and we’ll be taking a close look when it does!
In the same week, the Irish Minister for Justice announced the appointment of two further Data Protection Commissioners, with the Commission to be chaired by the current Commissioner, Helen Dixon. This aims to alleviate the “working burden” and “investigative complexity” – however, some privacy groups have objected to Dixon continuing to lead given her enforcement record.
Political in-fighting
Where does this leave the EU governmental party line? Well, it’s unclear.
Hostility continues between the European Parliament – which considers enforcement insufficient and wants the Commission to take a more active role – and the European Commission – which has historically supported the Irish DPC and appears reluctant to directly enforce the GDPR. The anger of certain MEPs has been made clear in LIBE sessions (for example questions to Oliver Micol – summary and video – speech from 11:20, see especially 11:36 onwards(!)) and questions submitted to the Commission (for example E-002560/2022 and E-002561/2022).
Most recently on the DPC, EURACTIV’s Luca Bertuzzi reports MEPs will visit Ireland in September to meet with stakeholders including the Irish Council for Civil Liberties (ICCL) and the DPC (the DPC having previously refused to appear before the European Parliament), and the European Ombudsman continues to investigate whether the European Commission has insufficiently monitored DPC enforcement.
Privacy Shield 2.0/Transatlantic Data Privacy Framework
A draft is expected soon!
According to Politico’s Mark Scott, EU officials spent three days at the end of July in Washington reviewing the draft Executive Order amending US surveillance powers and remedying the Schrems II deficiencies. Once the draft is published, we expect around 6 months of approvals before the European Commission can issue an adequacy decision – and that’s if it’s not waylaid by Schrems or other NGOs.
Switzerland – no risk based approach either?
Bonus (EFTA) point here – the Swiss data protection regulator (FDPIC) appears to be aligning itself with the general EU SA “no risk-based” approach. In a letter to the Swiss National Accident Insurance Fund (Suva) published in June, the FDPIC noted that there was no basis in law for Suva’s “risk-based” TIA for Microsoft Office 365, which was based on the Rosenthal/IAPP template. (Suva has issued a strong rebuttal and we are awaiting developments.)
Now let’s turn to the UK.
Conversely to the EU, the UK Government and ICO appear to be softening the UK’s international transfers position, including (i) pushing forward with several adequacy decisions, including the USA, and (ii) permitting a “risk-based” approach on international transfers.
ICO
The new UK Commissioner’s outlook seems to be converging with the Government’s “pro-innovation” one. As the Government’s preferred candidate, he has unsurprisingly offered supportive commentary that differs in flavour from his predecessor’s – particularly on the Government’s proposals to reduce the ICO’s independence and diverge from the EU GDPR (see below). This perceived lack of independence seems to be upsetting both business and civil society, especially where it risks adequacy (see below).
Google Analytics
No news here – the ICO has kept conspicuously quiet on GA and we consider it unlikely to take any enforcement action, particularly if it continues down the road below.
Transfers guidance
At the ICO’s July Data Protection Practitioners’ Conference (DPPC), the ICO presented its draft response to its consultation on the published (and already in force) IDTA and the (still in draft) Transfer Risk Assessment (TRA) and associated guidance. The presenters stressed that attendees should not yet rely on the content: while it gave a “strong flavour”, the precise wording hadn’t been finalised. (Interestingly, they had also not yet discussed their proposals with the EU SAs.)
Therefore, with those health warnings, key points were:
Final versions of the TRA and guidance were promised in the following order:
(Surprised? You’re not alone. By the flood of comments on the day, it’s safe to say that the session caused a good deal of confusion(!).)
UK Reform
On 18 July, The Government published its Data Protection and Digital Information Bill (DPDI Bill) aiming to reform the UK GDPR, DPA and PECR. (We’ll be publishing a longer review of the changes.)
For international transfers, the DPDI Bill introduces a “data protection test” for assessing the standard of protection for processing of personal data in a third country. This should be based on the “outcomes” for data subjects, and transfers will be permitted if the standard is not materially lower than under UK GDPR. Some of the other relevant reforms include:
Matt Warman, introducing the DPDI Bill in the House of Commons, stated that it “could create around £1 billion in business savings over ten years”. While many of the proposed changes do not radically depart from the EU GDPR, they are enough to raise eyebrows in the EU, and in contrast to the estimated savings, the Government estimates around £2.5 billion in costs if we lose EU adequacy (see 566).
Both Truss and Sunak have also stated they will pursue these reforms (or greater) if appointed Prime Minister.
…so on that adequacy question?
OK, so firstly, nothing seems to be threatening the adequacy decision under the UK GDPR permitting flows from the UK to the EU.
However…
If you’ve read the above, it won’t surprise you that it’s not looking as rosy for the EU’s UK decisions. Publicly both the UK Government and the ICO state they don’t consider the above will affect the EU adequacy decisions. Indeed, the UK Government deemed it “highly unlikely” in their risk assessment, and the Commissioner used his DPPC speech to affirm that “it’s clear the UK can go its own way”.
However, the EU doesn’t seem to agree. Speaking to Neil Hodge of Compliance Week, the European Data Protection Supervisor (EDPS) expressed interest in seeing the UK’s reforms as a “sandbox” for future reforms to the EU GDPR, and considered that the DPDI Bill, as opposed to the original proposals, is “professionally thought-out” and “not just political propaganda”. However, he also expressed concerns over the changes to the ICO, US adequacy and long-term divergence. Following the DPDI Bill’s publication, an MEP has already submitted questions to the Commission on whether it will review UK adequacy. (A response is expected by early September.)
In addition to the data protection considerations, it’s also worth noting that the broader political situation has continued to deteriorate. As the UK pursues its intentions to breach the Northern Ireland Protocol, the EU Commission has issued a further four infringement proceedings.
…and as we saw the first time around, adequacy decisions can certainly be political.
Right – now for 10 practical tips!