See below for the latest Data Blast from our legal team: EU-UK data flows maintained with Commission confirming UK meets protection standards; New data transfer mechanisms published for exporting to the US and elsewhere; Microsoft offer data localisation option; Website fined for failure to appoint an EU representative; British Airways settles class action suit…
On 28 June 2021, the European Commission (EC) adopted two adequacy decisions in relation to the United Kingdom, under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), just ahead of the 30 June 2021 expiry of interim arrangements under the EU-UK Trade and Cooperation Agreement.
The adequacy decisions mean that businesses operating in the EU and the UK can continue cross-border transfers of personal data without adopting additional safeguards such as Standard Contractual Clauses (see below for details of the new clauses recently published). Such additional measures are required for transfers of personal data from the EU to jurisdictions which are not deemed ‘adequate,’ including the United States.
The adequacy decisions each include a sunset provision requiring the reassessment of the adequacy of the UK legal regime within four years, failing which, the free flow of personal data would end. The EC noted that it will be monitoring changes to UK data protection laws to ensure that the adequate protection of personal data is not compromised by any divergence from the GDPR, which was largely transposed into UK law post-Brexit (now known as the UK GDPR). The adequacy decisions already exclude transfers of personal data to the UK in the context of immigration control, reflecting a recent English Court of Appeal finding that the immigration ‘exceptions’ in the Data Protection Act 2018 are unlawful.
The UK government has stated that, as part of its National Data Strategy, data protection regulations will be considered to ensure that economic benefits from activities such as data sharing are not being unduly constrained. A recent report by the government’s Taskforce on Innovation, Growth and Regulatory Reform (available here) has caused considerable controversy by proposing to remove certain aspects of the UK GDPR, including certain individual rights in relation to decisions made using artificial intelligence technology. It is expected that the EC will be monitoring developments closely in the context of the adequacy decisions, to ensure that deviation from the requirements of the GDPR does not weaken protections for individuals.
The UK is also set to confirm the appointment of a new Information Commissioner – current Commissioner Elizabeth Denham’s term has been extended to accommodate the selection process – when Parliament returns after the summer recess. We shall report further as the new commissioner provides insight into their priorities for enforcement activities going forward.
European Commission publishes new Standard Contractual Clauses
On 4 June 2021, the EC published final versions of new Standard Contractual Clauses (SCCs). SCCs are template data transfer agreements which allow data exporters to transfer data outside of the EU to countries that have not been determined (by the EC) as having adequate domestic data protection laws.
With the adoption of the EU GDPR in May 2018, there was a clear need to replace the old SCCs, which were drafted during and designed for the pre-GDPR era. The need for updated SCCs was also precipitated by the ruling of the Court of Justice of the European Union in the Schrems II case (see our previous commentary here), which called into question whether the existing SCCs were sufficient as a data transfer mechanism on their own, without further inquiry into whether personal data transferred was adequately secure from (in particular) law enforcement access.
The EC adopted draft implementing decisions for the new SCCs in November 2020; the 4 June 2021 decisions take into account the joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), feedback from stakeholders, and contributions from EU Member States’ representatives. Where SCCs are appropriate, the new SCCs may now be used, and organisations must cease using the old SCCs by December 2022. The new SCCs are modular, and provide for a greater range of data transfer circumstances than the old SCCs: controller-to-controller; controller-to-processor; processor-to-processor; and processor-to-controller. The new SCCs also helpfully provide a standard set of contractual provisions between controllers and processors which meet the requirements of article 28 of the GDPR.
Key features of the new SCCs include:
Modularity: The clauses aim to be user friendly, by allowing implementers to select the sections which apply to their particular data transfer circumstances. A note of caution for businesses: the new SCCs are far from a ‘plug and play’ solution, and require careful consideration in order to be implemented effectively.
A focus on legal compatibility of the importing country: Reflecting the decision in Schrems II, the new SCCs require parties to assess whether the importing country’s laws may undermine the protections afforded by the SCCs (in particular with respect to government surveillance and access to data).
Obligations in respect of governmental requests for data access: A data importer must (a) notify the data exporter if it receives a relevant access request; (b) assess the request’s legal validity; and (c) pursue legal avenues to resist such requests.
Accountability: The new SCCs require the maintenance of data processing records and notification of data subjects with respect to data transfer details.
Sub-processors and onward data transfers: The new SCCs allow non-EU data processors and controllers to use SCCs for onward transfers of personal data, provided certain requirements are met.
Data subjects as beneficiaries: Data subjects are permitted to enforce directly a number of the new SCC provisions.
Cybersecurity: Annex 2 of the new SCCs requires a detailed description of the organisational and technical measures implemented for each of the transfer modules.
Addition of new parties: The new SCCs permit new parties to accede to executed SCCs through ‘docking,’ e.g. adding the new entity as a party to the SCCs.
The new SCCs continue the EC’s risk-based approach to data transfers; parties to the SCCs are required to warrant that they have ‘no reason to believe’ that the importing territory’s laws will render the importer unable to fulfil its obligations under the new SCCs. Parties must take account of a data transfer’s specific circumstances, the laws of the importer’s country, and any relevant contractual, technical or organisational safeguards put in place. It is essential that such assessment is recorded, as it must be made available to the relevant DPA upon request.
The new SCCs cannot be relied upon for data transfers from the UK to jurisdictions such as the United States, the UK having left the EU. The ICO has stated that bespoke UK SCCs are in progress, with a view to publication for consultation during the summer; in the interim period, the ICO has made available tailored versions of the previous EU SCCs which businesses can implement.
Microsoft to allow EU customers to process and store in the EU
Microsoft Corp will allow commercial and public sector customers in the EU to store and process their data within the EU.
The company explained that the work required to execute the plan will be completed by the end of 2022 and will apply to its main cloud offerings, including Azure, Microsoft 365 and Dynamics 365. Microsoft explained that it will conduct consultations regarding the plan with EU regulators and customers over the summer. Currently, the company already operates datacentres in 13 European countries.
The announcement by Microsoft reflects the difficulties faced by large multinationals in managing their global data streams. For many large companies, the amount of data stored and its distribution across many countries has made it difficult to understand where their data resides, and whether its storage and processing complies with regulations such as the GDPR, which applies to all companies processing or controlling the personal information of EU residents.
As part of the announcement, Microsoft explained that its cloud services are already compliant with the requirements of the GDPR, and in certain instances already exceed them. Therefore, according to a Microsoft spokesperson, the move is focused less on ensuring compliance and more on reducing complexity.
However, critics suggest that the announcement by Microsoft is a tacit admission that the company routinely processes EU-resident data outside of the EU. In a press release, founder of Think Privacy, Alexander Hanff, stated: “I think it’s pretty obvious to most that when using cloud infrastructure, there is a level of access to that infrastructure from Microsoft for the purpose of customer support and various others. That in itself would constitute a transfer. Even if the data is stored in the EU, if somebody is accessing it from the US, then it’s considered a transfer under EU law.” Hanff added that, according to Microsoft’s biannual transparency reports, the company is the subject of a large number of requests from US government agencies.
Microsoft has previously stated that it will challenge such requests, as they relate to EU public sector or commercial customer data, and would provide compensation if, as a result of such requests, it disclosed data in violation of the GDPR that causes harm.
Locatefamily.com fined for failing to appoint EU data representative
The Dutch Data Protection Authority (DPA) fined person-tracing website Locatefamily.com €525,000 for failing to appoint an EU representative, in contravention of Art 27 of the EU General Data Protection Regulation (EU GDPR).
Locatefamily.com publishes individuals’ names, addresses and phone numbers on their website, often without the knowledge of those individuals. The website claims to hold personal data relating to more than 350,000,000 individuals globally, and according to the Dutch DPA, this includes data relating to 700,000 Dutch individuals. While Locatefamily.com does remove people’s information upon request, this was made difficult for EU resident individuals as a consequence of the company not having an EU representative.
In addition to the fine, the Dutch DPA ordered the company to appoint an EU representative by 19 May 2021, with an additional fine of €20,000 to be levied for every two weeks that the company does not have a representative, up to a maximum of €120,000.
The Dutch DPA (and others) received several complaints from EU-based individuals that their data had been published on Locatefamily.com without their consent, and that requests to remove the data were not being met by the site’s operators. Upon investigation, the Dutch DPA discovered that the website did not provide for an effective means of raising a subject access request with the company.
Art. 27 of the EU GDPR requires companies that are not established in the EU (but that process EU personal data) to appoint an EU-based representative to act as their point of contact for individuals and local EU data authorities. Enforcement of Art. 27 has been virtually non-existent since the GDPR came into force in May of 2018, and it is believed that the Dutch DPA’s enforcement action is the first of its kind.
Questions remain as to how the Dutch DPA plans to enforce the fine as they received very little cooperation from providers of Locatefamily.com. The Dutch DPA received assistance from the Office of the Privacy Commissioner in Ontario, Canada, where the website appeared to be hosted, but this did not ultimately enable the identification of those behind Locatefamily.com.
British Airways announces settlement of most claims following massive 2018 data breach
British Airways (BA) has announced the settlement of what was the largest opt-in group claim in the UK in relation to personal data, stemming from the 2018 data breach which we previously covered here and here. The data breach exposed the personal data of more than 400,000 BA customers, including names, addresses and payment card details. The severity of the breach originally prompted the Information Commissioner’s Office (ICO) to announce an intention to fine the company more than £180 million, though the eventual fine levied amounted only to £20 million. The group claim was joined by 16,000 affected individuals seeking compensation for damages including inconvenience, distress, annoyance and the loss of control over their personal data. Lawyers for the claimants had suggested that the total value of the claims relating to the data breach could be as high as £800 million. The settlement amount agreed by BA was not disclosed.
For more information please contact Partner, James Tumbridge at email@example.com