This article is based on a recent presentation to the Association of Corporate Counsel (ACC) National Capital Region. Womble Bond Dickinson attorneys Tara Cho (U.S.), Malcolm Dowden (UK) and Andrew Kimble joined Andrea Shandell, Vice President, Privacy Initiatives - Operations at BBB National Programs, in presenting this 90-minute webinar. Womble Bond Dickinson Washington, DC Office Managing Partner Elizabeth Lee provided introductory remarks.
Like London buses, you wait for privacy law developments to happen, and they come en masse. Such is the case in Europe, where data protection professionals are dealing with the fallout of both the end of the UK’s Brexit implementation period and the landmark EU court decision in Schrems II. Both developments have tremendous implications not only for UK and EU companies, but also for many organizations doing business in Europe and the United Kingdom.
The Brexit transition period officially ended on Dec. 31, 2020, ending the UK’s membership in the European Union. The separation means that GDPR, the sweeping data privacy regulation in place throughout the EU, no longer applies in the UK. In its place, the United Kingdom has implemented a very similar set of rules called the “UK GDPR”. U.S.- and UK-based organizations operating across Europe need to be aware of these different regulations, particularly as they diverge moving forward.
It is possible for companies to face separate enforcement actions related to both GDPR and the UK GDPR. So data mapping becomes even more important for companies.
The Schrems II Ruling and Why It Matters to U.S. Companies
The July 2020 Schrems II ruling in European Court invalidated the EU-U.S. Privacy Shield agreement, which offered one mechanism for lawful transfers of personal data from the EU to the U.S. Striking down the Privacy Shield took away one of the key mechanisms to justify international data transfers from the EU to the U.S., but it didn’t entirely remove the possibility of such transfers. The ruling confirmed standard contractual clauses (“SCCs”) as potentially viable mechanisms for the transfers of personal data to non-EU nations, but depending on the level of protection afforded by the receiving jurisdiction, SCCs may need to be accompanied by additional contractual or technical measures to protect personal data. For example, these measures may include strong pseudonymisation or encryption.
The main concern expressed by the European Court in Schrems II is the concern that the U.S. government can take protected data concerning EU residents from companies at any time. The Biden Administration has made negotiating a replacement to the privacy shield with the EU a top priority, understanding that reaching such agreement or similar adequacy determination is critical to transatlantic trade.
As for UK-U.S. data transfers, the nations are more comfortable working together and believe that once the U.S.-EU data transfer negotiations are completed, the UK and U.S. will be able to strike their own agreement quickly. Some in Congress have proposed retaliatory legislation that would wall off data from U.S. consumers to international companies.
But at the moment, companies in Europe can try to transfer data to the U.S. in the short term using contractual provisions and additional protective measures. But the days of signing a data protection agreement and standard contractual clauses and calling it a day are past. Risk management and assessment must be clearly addressed and documented moving forward.
One element is standard contractual clauses (SCCs). These establish protections between the EU or UK data exporter and the U.S. recipient. A new set of such clauses was just adopted by the European Commission June 4, 2021. These new SCCs are more robust in their protections and usage, and feature a modular approach covering:
-
Controller-to-controller;
-
Controller-to-processor;
-
Processor-to-processor; and
-
Processor-to-controller.
The new SCCs also include a “docking clause’ that allow a third party to join/accede to the SCCs at a later date.
In addition, the ICO announced in May 2021 that it is working on a new, separate set of SCCs for the UK. The new rules will govern the transfer of personal data to other nations outside of the United Kingdom. It remains to be seen how these new UK SCCs will differ (or be similar to) the new EU SCCs. Therefore, just as companies consider the slight distinctions between GDPR and UK GPDR requirements, such companies may be forced to use separate sets of SCCs to address transfers from the EEA versus UK.
U.S. companies and UK companies doing business in the U.S. also should consider additional technological safeguards, including analyzing the applicability of U.S. surveillance to the data in question and offering contractual protections to data holders. Also, while pseudonymisation and encryption are key safeguards, data protection authorities across some member states have made clear that in order to reasonably rely on such measures, companies should maintain the key codes and encryption keys in the EU or otherwise outside the reach of U.S. surveillance. In a sense, some rulings and guidance from EU member states, subsequent to the Schrems II decision, imply there are no measures by which to securely transfers data to the U.S. and that in addition to protecting data from bad actors, U.S. companies must also account for how they will protect such data from intrusion by their own government.
EU to UK Transfers of Personal Data
With the UK leaving the European Union, transfers of personal data between EU nations and the United Kingdom now become an area of concern for companies doing business in these markets.
An EU draft adequacy decision was published in February 2021, saying the UK GDPR provides satisfactory protection of personal data; however, the adequacy decision has not been finalized and adopted. Also, the adequacy decision is contingent on the UK:
-
Remaining a member of the Council of Europe;
-
Continuing to adhere to the European Convention of Human Rights and submitting to the jurisdiction of the European Court of Human Rights; and
-
Continuing implementation of the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).
But in a closely divided June 2021 vote, Members of the European Parliament approved a resolution expressing the need for clarification on UK data protection practices. The MEP urged the European Commission to modify its draft decision and hold off on certain data transfers until these questions can be answered and individual privacy protections ensured.
There also is still a question of whether SCCs will be required in EU-UK data transfers. Currently, data transfers are allowed while a final adequacy decision is negotiated. The EU’s concerns aren’t so much current UK data privacy law, as it essentially mirrors that of the EU, but rather what the UK does moving forward.
One particular concern on the EU side would be if parties used the UK as a transfer point to move data to third party nations, including the U.S. The EU is insistent that such “onward transfers” should only be permitted where the further recipient outside the UK is subject to rules ensuring a similar level of protection guaranteed in the UK.
One lurking areas of non-compliance is EU and UK representatives. Both legal systems require the appointment of a compliance representative in the respective territory where Article 3(2) (the “targeting test”) applies to overseas operations. This “targeting test applies when the overseas organization does not have an “establishment” in the UK or EU but offers goods or services or monitors the behavior of data subjects in the UK or EU, including basic online activity.
Failure to appoint a representative is a GDPR breach that can result in a fine of up to €10 million or (if higher) 2 percent of global annual turnover. So US businesses should gauge whether or not the “targeting test” applies to their business by asking such questions as:
-
Do you offer good and services in the UK or EU, even if payment is not required?
-
What counts as monitoring behavior?
-
Does localized content/advertising count as targeting?
GDPR/UK GDPR and Emerging Technologies
Both GDPR and UK GDPR restrict profiling and solely automated decision-making in protecting personal, private data.
This raises serious questions about organizations’ ability to use “big data” to analyze and interact with customers. Can this be done under GDPR and UK GDPR? While challenging, it is possible to use automated decision-making and profiling. The key is that these operations must have some level of human involvement and oversight.
GDPR and UK GDPR also require additional protections for the transfer of “special category data,” such as health information. This raises significant practical issues for services using new and emerging technologies such as blockchain and distributed ledger.
Businesses should consider technical and practical solutions, rather than just legal and contractual issues. For example, does certain personal data have to go on the blockchain?
With GDPR-like personal data regimes in place or forthcoming in a number of other jurisdictions (India, Nigeria, Kenya, South Africa, Abu Dhabi Global Market, Dubai International Finance Center, etc.), the issue of data protection in international commerce is only going to become more complex. Eventually, the world may move toward a global set of standards, but in the interim, corporate leaders and their in-house counsel need to keep this issue at top of mind, and make every good-faith effort possible to secure private, protected information.