Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different. The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.
Amid the constitutional and political uncertainties surrounding the Brexit process, the UK Government has provided welcome assurance on the data protection front. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) confirms how UK data protection law will work in the event the UK leaves the EU without a deal. Whilst the Government still regards a No Deal Brexit as “unlikely”, given the extremely severe implications of that scenario for transfers of personal data into and out of the UK, the DCMS confirmation is hugely helpful in terms of the preparations needed for that eventuality.
The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that it would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.
Ever since the first draft of the EU-US Privacy Shield framework was published in early 2016, groups opposed to the idea have indicated their intent to challenge the legality of the framework under EU law. Recently, the privacy advocacy group Digital Rights Ireland made good on that promise. Following the filing of a formal complaint on 15 September asking for an annulment of the framework by the Court of Justice of the European Union, DRI has now made public the details of its complaint.
500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know,” in which we explored how companies demonstrate compliance with the Privacy Shield principles, what it takes to move from Safe Harbor to Privacy Shield, and more. A copy of the slide deck and recorded webinar are now available on our blog.
Part 9 of Future-Proofing Privacy: Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue with some variations.
Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. The European Parliament adopted a resolution on May 26, 2016 praising the progress made, but highlighting shortcomings in the Privacy Shield as presented in February 2016. Now that the Irish Data Protection Controller has referred another data transfer mechanism known as Standard Contractual Clauses to the courts for review of their adequacy, greater focus will be placed on whether the criticisms of Privacy Shield are well founded.
From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be. Earlier this week, on 13th April, the Working Party provided their initial opinion. On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield.
The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.
On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than 4 years, an ambitious, complex and strict new law is set to transform the way in which personal information is collected, shared and used globally. Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.
On 29 December, 2014, Hong Kong’s Privacy Commissioner for Personal Data published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance, which would restrict the export of personal data from Hong Kong. In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office explore the Commissioner’s understanding of how section 33 would be implemented, including some important nuances that are particularly relevant to multi-national businesses operating in Hong Kong and the wider region.
The Spanish Data Protection Authority (SDPA) has established new procedures that allow data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries that are not deemed to have an adequate level of protection for personal data. In addition, data processors can enter into Standard Contractual Clauses with their sub-processors. Previously in Spain, data controllers had to enter into Standard Contractual Clauses with each of their data processors’ sub-processors in Third Countries and data controllers had to obtain authorizations from the SDPA for such transfers.
On August 19, 2009, the French Official Journal published the French Data Protection Authority’s (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The […]