Tag: international data transfers
25. June 2021
On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.
In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.
The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:
“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”
Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.
22. June 2021
On June 21st, 2021 during its 50th plenary session, the European Data Protection Board (EDPB) adopted a final version of its recommendations on the supplementary measures for data transfers.
In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) has decided that, while the Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism, controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In the cases where the effectiveness of appropriate safeguards is reduced due to the legal situation in the third country, exporters may need to implement additional measures that fill the gaps.
To help exporters with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted this recommendation. They highlight steps to follow, potential information sources as well as non-exhaustive examples of supplementary measures that are meant to help exporters make the right decisions for data transfers to third countries.
The recommendations advise exporters to follow the following steps in order to have a good overview of data transfers and potential supplementary measures necessary:
1. Know the data transfers that take place in your organization – being aware of where data flows is essential to identify potentially necessary supplementary measures;
2. Verify the transfer tool that each transfer relies on and its validity as well as application to the transfer;
3. Assess if a law or a practice in the third country impinges on the effectiveness of the transfer tool;
4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard;
5. Take formal procedural steps that may be required by the adoption of your supplementary measure, depending on the transfer tool you are relying on;
6. Re-evaluate the level of protection of the data you transfer at appropriate intervals and monitor any potential changes that may affect the transfer.
The EDPB Chair, Andrea Jelinek, stated that “the effects of Schrems II cannot be underestimated”, and that the “EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance”.
The recommendations clearly highlight the importance of exporters to understand and keep an eye on their data transfers to third countries. In Germany, the Supervisory Authorities have already started (in German) to send out questionnaires to controllers regarding their data transfers to third countries and the tools used to safeguard the transfers. Controllers in the EU should be very aware of the subject of data transfers in their companies, and prepare accordingly.
10. June 2021
On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.
The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.
What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:
Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller
The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.
The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.
However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.
Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.
2. June 2021
The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.
The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.
Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.
The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.
Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:
I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.
If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.
6. April 2021
On March 30th, 2021, EU Justice Commissioner Didier Reynders and Chairperson of the Personal Information Protection Commission of the Republic of Korea Yoon Jong In announced the successful conclusion of adequacy talks between the EU und the Republic of Korea (“South Korea”). These adequacy discussions began in 2017, and there was already initially a high level of convergence between the EU and the Republic of Korea on data protection issues, which has been further enhanced by additional safeguards to further strengthen the level of protection in South Korea. Recently, South Korea’s Personal Information Protection Act (“PIPA”) took effect and the investigative and enforcement powers of South Korea’s data protection authority, the Personal Information Protection Commission (“PIPC”), were strengthened.
In the GDPR, this adequacy decision is based on Art. 45 GDPR. Article 45(3) GDPR empowers the EU Commission to adopt an implementing act to determine that a non-EU country ensures an “adequate level of protection”. This means a level of protection for personal data that is substantially equivalent to the level of protection within the EU. Once it has been determined that a non-EU country provides an “adequate level of protection”, transfers of personal data from the EU to that non-EU country can take place without further requirements. South Korea will be the 13th country to which personal data may be transferred on the basis of an adequacy decision. An adequacy decision covering both commercial providers and the public sector will enable free and secure data flows between the EU and the Republic of Korea and it will complement the EU-Republic of Korea Free Trade Agreement.
Until the free flow of data can occur, the EU Commission must initiate the procedure for adopting its adequacy finding. In this procedure, the European Data Protection Board will issue an opinion and a committee composed of representatives of the EU member states must agree. The EU Commission may then adopt the adequacy decision.
4. December 2020
New Zealand’s Office of the Privacy Commissioner announced the Privacy Act 2020 has taken effect. Certain aspects of the Privacy Act came into force on July 1st, 2020, with most operative provisions commencing from December 1st, 2020. The new law affords better privacy protections and greater obligations for organisations and businesses when handling personal information. It also gives the Privacy Commissioner greater powers to ensure the agencies comply with the Privacy Act.
Notably, the updated legislation features new breach reporting obligations, criminal penalties and provisions on international data transfers.
Part 6. of the Privacy Act 2020 covers notifiable privacy breaches and compliance notices. It introduces a new mandatory reporting requirement. When an agency becomes aware of a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (unless a specific limited exception applies), the agency must notify the Privacy Commissioner and affected individuals as soon as practicable. In addition, the Privacy Commissioner may issue a compliance notice to an agency to require it to do something or stop doing something to comply with the Privacy Act. For the sake of completeness, it should be mentioned that there is no distinction between a data controller and a data processor. The term “agencies” refers to all data processing bodies.
Furthermore, new criminal offences have been incorporated into Part 9. of the Privacy Act (Section 212). It is now an offence to mislead an agency for the purpose of obtaining access to someone else’s personal information – for example, by impersonating an individual or falsely pretending to be an individual or to be acting under the authority of an individual. The Privacy Act also creates a new offence of destroying any document containing personal information, knowing that a request has been made in respect of that information. The penalty for these offences is a fine of up to $ 10,000.
Moreover, in accordance with Part 5. of the Privacy Act (Section 92), the Privacy Commissioner may direct an agency to confirm whether it holds any specified personal information about an individual and to provide the individual access to that information in any manner that the Privacy Commissioner considers appropriate.
What’s more, a new Information Privacy Principle (IPP) has been added to Part 3. of the Privacy Act (Section 22), which governs the disclosure of personal information outside New Zealand. Under IPP 12, an agency may disclose personal information to a foreign person or entity only if the receiving agency is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act.
Apart from that, pursuant to Part 1. of the Privacy Act (Section 4), the privacy obligations also apply to overseas agencies within the meaning of Section 9 that are “carrying on business” in New Zealand, even if they do not have a physical presence there. This will affect businesses located offshore.
Privacy Commissioner John Edwards welcomes the Privacy Act, noting that the new law reflects the changes in New Zealand’s wider economy and society as well as a modernised approach to privacy:
The new Act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator.
Since the Privacy Act 2020 replaces the Privacy Act 1993, which will still be relevant to privacy complaints about actions that happened before December 1st, a guidance has been issued on which act applies and when. The Office of the Privacy Commissioner has also published a compare chart that shall help navigate between the acts.
23. November 2020
At the end of October 2020, China issued a draft for a new „Personal Information Protection Law” (PIPL). This new draft is the introduction of a comprehensive system in terms of data protection, which seems to have taken inspiration from the European General Data Protection Regulation (GDPR).
With the new draft, China’s regulations regarding data protection will be consisting of China’s Cybersecurity Law, Data Security Law (draft) and Draft PIPL. The new draft legislation contains provisions relating to issues presented by new technology and applications, all of this in around 70 articles. The fines written in the draft for non-compliance are quite high, and will bring significant impact to companies with operations in China or targeting China as a market.
The data protection principles drawn out in the draft PIPL include transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy and accountability. The topics that are covered include personal information processing, the cross-border transfer of personal information, the rights of data subjects in relation to data processing, obligations of data processors, the authority in charge of personal information as well as legal liabilities.
Unlike China’s Cybersecurity Law, which provides limited extraterritorial application, the draft PIPL proposes clear and specific extraterritorial application to overseas entities and individuals that process the personal data of data subjects in China.
Further, the definition of “personal data” and “processing” under the draft PIPL are very similar to its equivalent term under the GDPR. Organizations or individuals outside China that fall into the scope of the draft PIPL are also required to set up a dedicated organization or appoint a representative in China, in addition to also report relevant information of their domestic organization or representative to Chinese regulators.
In comparison to the GDPR, the draft PIPL extends the term of “sensitive data” to also include nationality, financial accounts, as well as personal whereabouts. However, sensitive personal information is defined as information that once leaked or abused may cause damage to personal reputation or seriously endanger personal and property safety, which opens the potential for further interpretation.
The draft legislation also regulates cross-border transfers of personal information, which shall be possible if it is certified by recognized institutions, or the data processor executes a cross-border transfer agreement with the recipient located outside of China, to ensure that the processing meets the protection standard provided under the draft PIPL. Where the data processor is categorized as a critical information infrastructure operator or the volume of data processed by the data processor exceeds the level stipulated by the Cyberspace Administration of China (CAC), the cross-border transfer of personal information must pass a security assessment conducted by the CAC.
It further to keep in mind that the draft PIPL enlarges the range of penalties beyond those provided in the Cybersecurity Law, which will put a much higher pressure on liabilities for Controllers operating in China.
Currently, the period established to receive open comments on the draft legislation has ended, but the next steps have not yet been reported, and it not yet sure when the draft legislation will come into full effect.
18. November 2020
A day after the European Data Protection Board (EDPB) issued its recommendations on supplementary measures, on November 12th the European Commission issued a draft on implementing new Standard Contractual Clauses (SCCs) for data transfers to non-EU countries (third countries). The draft is open for feedback until December 10th, 2020, and includes a 12-month transition period during which companies are to implement the new SCCs. These SCCs are supposed to assist controllers and processors in transferring personal data from an EU-country to a third-country, implementing measures that guarantee GDPR-standards and regarding the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.
The Annex includes modular clauses suitable for four different scenarios of data transfer. These scenarios are: (1) Controller-to-controller-transfer; (2) Controller-to-processor-transfer; (3) Processor-processor-transfer; (4) Processor-to-controller-transfer. Newly implemented in these SCCs are the latter two scenarios. Since the clauses in the Annex are modular, they can be mixed and matched into a contract fitting the situation at hand. Furthermore, more than two parties can adhere to the SCC and the modular approach even allows for additional parties to accede later on.
The potential of government access to personal data is distinctly addressed, since this was a main issue following the “Schrems II” ruling. Potential concerns are met by implementing clauses that address how the data importer must react when laws of the third country impinge on his ability to comply with the contract, especially the SCCs, and how he must react in case of government interference. Said measures include notifying the data exporter and the data subject of any government interference, such as legally binding requests of access to personal data, and, if possible, sharing further information on these requests on a regular basis, documenting them and challenging them legally. Termination clauses have been added, in case the data importer cannot comply further, e.g. because of changes in the third country’s law.
Further clauses regard matters such as data security, transparency, accuracy and onwards transfer of personal data, which represent issues that have all been tackled in the older SCCs, but are to be updated now.
17. November 2020
Following the recent judgment C-311/18 (Schrems II) by the Court of Justice of the European Union (CJEU), the European Data Protection Board (EDPB) published “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” on November 11th. These measures are to be considered when assessing the transfer of personal data to countries outside of the European Economic Area (EEA), or so-called third countries. These recommendations are subject to public consultation until the end of November. Complementing these recommendations, the EDPB published “Recommendations on the European Essential Guarantees for surveillance measures”. Added together both recommendations are guidelines to assess sufficient measures to meet standards of the General Data Protection Regulation (GDPR), even if data is transferred to a country lacking protection comparable to that of the GDPR.
The EDPB highlights a six steps plan to follow when checking whether a data transfer to a third country meets the standards set forth by the GDPR.
The first step is to map all transfers of personal data undertaken, especially transfers into a third country. The transferred data must be adequate, relevant and limited to what is necessary in relation to the purpose. A major factor to consider is the storage of data in clouds. Furthermore, onwards transfer made by processors should be included. In a second step, the transfer tool used needs to be verified and matched to those listed in Chapter V of the GDPR. The third step is assessing if anything in the law or practice of the third country can impinge on the effectiveness of the safeguards of the transfer tool. The before mentioned Recommendations on European Essential Guarantees are supposed to help to evaluate a third countries laws, regarding the access of data by public authorities for the purpose of surveillance.
If the conclusion that follows the previous steps is that the third countries legislation impinges on the effectiveness of the Article 46 GDPR tool, the fourth step is identifying supplementary measures that are necessary to bring the level of protection of the data transfer up to EU Standards, or at least an equivalent, and adopting these. Recommendations for such measures are listed in Annex 2 of the EDPB Schrems II Recommendations. They may be of contractual, technical, or organizational nature. In Annex 2 the EDPB mentions seven technical cases they found and evaluates them. Five were deemed to be scenarios for which effective measures could be found. These are:
1. Data storage in a third country, that does not require access to the data in the clear.
2. Transfer of pseudonymized data.
3. Encrypted data merely transiting third countries.
4. Transfer of data to by law specially protected recipients.
5. Split or multi-party processing.
Maybe even more relevant are the two scenarios the EDPB found no effective measures for and therefore deemed to not be compliant with GDPR standards.:
6. Transfer of data in the clear (to cloud services or other processors)
7. Remote access (from third countries) to data in the clear, for business purposes, such as, for example, Human Resources.
These two scenarios are frequently used in practice. Still, the EDPB recommends not to execute these transfers in the upcoming future.
Examples of contractual measures are the obligation to implement necessary technical measures, measures regarding transparency of (requested) access by government authorities and measures to be taken against such requests. Accompanying this the European Commission published a draft regarding standard contractual clauses for transferring personal data to non-EU countries, as well as organizational measures such as internal policies and responsibilities regarding government interventions.
The last two steps are undertaking the formal procedural steps to adapt supplementary measures required and re-evaluating the former steps in appropriate intervals.
Even though these recommendations are not (yet) binding, companies should take a further look at the recommendations and check if their data transfers comply with the new situation.
28. September 2020
Following the recent ruling by the Court of Justice of the European Union (“CJEU”) the Swiss Data Protection Commissioner (“EDÖB”) published a statement concerning the level of Data Protection of Data Transfers under the Swiss-U.S. Privacy Shield. The “Schrems II” decision by the CJEU is not legally binding in the Switzerland because Switzerland is neither a EU nor a EEA country. But as the EDÖB and the Joint European Data Protection Authorities work closely together, the decision has first implications for Swiss data exporters.
In accordance with Swiss Data Protection law (Art. 7 VDSG), the Swiss Data Protection Commissioner maintains a publicly accessible list of countries assessing the level of Data Protection guaranteed by these countries. This list shall serve Swiss data exporters as a guidance for their data exporting activities and acts as a rebuttable presumption. EU and EEA countries have continuously been listed in the first column of the list because they are regarded to provide an adequate level of Data Protection. The U.S. has been listed in the second column as a country providing “adequate protection under certain conditions”, which meant a certification of U.S. data importers under the Swiss-U.S. Privacy Shield.
Subsequent to the CJEU ruling, the EDÖB decided to list the U.S. in the third column as a country providing “inadequate protection”, thereby also acting on his past annual reviews of the Swiss-U.S. Privacy Shield. In his reviews, the EDÖB already criticised that data subjects in Switzerland lack access to the courts in the U.S. on account of Data Protection violations and that the Ombudsman-mechanism is ineffective in this regard.
Lastly, the EDÖB pointed out that the Swiss-U.S. Privacy Shield remains in effect since there has not been a decision by Swiss courts comparable to the CJEU decision and that his assessment has the status of a recommendation. However, the EDÖB advises Swiss data exporters to always make a risk assessment when transferring Personal Data to countries with “inadequate protection” and possibly to apply technical measures (e.g. BYOK encryption) in order to protect the data from access by foreign intelligence services.
