Tag Archives: data transfers

EU Standard Contractual Clauses – Public Consultation

This month (September 2024), the European Commission has announced that it plans to ask for public feedback on the EU Standard Contractual Clauses (SCCs) under the General Data Protection Regulation. The public consultation will take place in the fourth quarter of 2024, giving you an opportunity to have your views and opinions heard.

This is not unexpected – the GDPR’s Article 97 requires the Commission to review the GDPR’s implementation every four years (see the 2020 Evaluation Report here). The upcoming 2024 review was expected to include an evaluation of the practical application of the SCCs.

New SCCs in 2025

According to the timeline, the public consultation is imminent and due to take place in the 4th quarter of 2024. This would be followed by a draft act, planned for Commission adoption in the 2nd quarter of 2025. You can find more information and a timeline here.

What are SCCs?

Standard contractual clauses are standardised, pre-approved model data protection clauses, which allow controllers and processors to meet their obligations under EU and / or UK data protection law. 

They are widely used as a tool for data transfers to third countries (which means those countries outside the EEA or the UK which do not have adequacy status). It is quite a simple matter for controllers and processors to incorporate them into their contractual arrangements.

The clauses contain data protection safeguards to make sure that personal data benefits from a high level of protection even when sent to a third country.  By adhering to the SCCs, data importers are contractually committed to abide by a set of data protection safeguards.

Can I change the text?

The core text cannot be changed. If parties do change the text themselves, they will no longer have the legal certainty offered by the EU act. If you amend the clauses, then they can no longer be used as a basis for data transfers to third countries, unless they are approved by a national data protection authority as “ad hoc clauses”.

Even so, there are areas where the parties can make choices:

  • To select modules and / or specific options offered within the text
  • To complete the text where necessary (e.g. to specify time periods, supervisory authority and competent courts)
  • To complete the Annexes
  • To include additional safeguards that increase the level of protection for the data. 

Impact on UK use of SCCs

There is not yet any indication of the potential impact on the UK’s International Data Transfer Agreement (IDTA) or the Addendum to the EU’s SCCs; we would expect to hear more after the EU’s public consultation.

Victoria Tuffill – 13th September 2024

If you have any questions or concerns about how and when to use SCCs, please call 01787 277742 or email dc@datacompliant.co.uk

And please take a look at our services.

Trans-Atlantic Data Privacy Framework

What’s next for data transfers between US and EU?

Agreement in principle

U.S. President Biden and the European Commission President Ursula von der Leyen have reached agreement in principle over a new trans-Atlantic Data Privacy Framework.  While this is encouraging, the process of drawing up the detail within the agreement is likely still to take several months.

The White House issued a statement. This demonstrated how the two core issues that caused previous agreements to break down have been addressed:

  • intelligence surveillance of EU personal data:  the U.S. is agreeing to limit its intelligence gathering activities to that which is necessary “to advance legitimate national security objectives”.
  • an effective remedy to address complaints raised about US authorities’ access to EU citizens’ data: the U.S. proposes to provide an independent Data Protection Review Court. This will include individuals from outside the US government.

Whether these measures will be enough to satisfy the EU is unclear, and will depend on the detail of how these issues will be handled in practice.

What does this mean for the UK?

One of the ongoing considerations of the UK government is that of “adequacy decisions”.  UK adequacy decisions are designed to enable data transfers between the UK and countries which meet data protection standards equivalent to those in the UK.  The government has been considering implementing a number of new “adequacy” decisions, including the U.S.

However, there is always a tricky balance between the UK issuing adequacy decisions, and the impact that may have on the UK adequacy decision in place with the EU.

So from a UK perspective, an EU-US data transfer agreement will make it more straightforward for the UK and US to reach their own separate agreement to enable transfers between the UK and US. Or the UK may adopt the EU/US adequacy decision to retain parity with EU laws. Watch this space…

 

Victoria Tuffill

8th April 2022

 

If you need help with your data protection, or have concerns over data transfers, just get in touch. Have a look at our services. Or call us on 01787 277742.

 

 

Safe Harbor Framework ruled “Inadequate”

What was Safe Harbour?

The Safe Harbour Framework was a cross border transfer mechanism which complied with EU data protection laws and allowed the transfer of personal data between the EU and the USA.  More details on how Safe Harbour worked can be found here.

Why was the Safe Harbour Framework invalidated?

After the recent Facebook case ruling, on 6th October, the Court of Justice of the European Union (CJEU) judged that “US Companies do not afford an adequate level of protection of personal data” and therefore the Safe Harbour Framework is now invalid.

The CJEU indicated that US legislation authorises, on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S. without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbour Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU.  You can read the European Court of Justice Press Release here.

There have been concerns about the Safe Harbour Framework for some time and the European Commission and the US authorities have been negotiating with a view to introducing an arrangement providing greater protection of privacy to replace the existing agreement.

How can I now transfer my data to the US?

Organisations that have been using Safe Harbour will now have to review how they transfer personal data to the US and come up with alternative solutions.  However, it is worth noting that the Information Commissioner’s Office has recognised that this process will take some time.  And James Milligan at the DMA states that data already transferred to US-based companies under Safe Harbour will be unaffected.

In the meantime, multi-national companies transferring data to their affiliates can look at using Binding Corporate Rules, which allow the transfer of data from the EEA to be in compliance with the 8th data protection principle.

Another legal method of transferring personal data to the US is to use the Model Contract Clauses produced by the EU for transfers of personal information outside the EU.

Michelle Evans, Compliance Director at Data Compliant Ltd.

If you are planning to transfer data between the EU and the US, and would like help on how to do so in the light of this new ruling, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk