BCR Changes for Brexit

BCR Changes for Brexit: EDPB releases statement guiding enterprises.

The European Data Protection Board (EDPB) released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA).


The EDPB released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA). As shifts are made towards the official implementation of Brexit, many structural and procedural changes are being made for businesses. One such change, adopted on July 22, 2020, based on the analysis currently undertaken by the EDBP on the consequences of the CJEU judgment,  Data Protection Commissioner v Facebook Ireland, and Schrems, regarding BCRs as transfer tools. The EDPB recently released a statement outlining BCR changes for Brexit implementation, complete with a table guide regarding the criteria for a BCR Lead SA change, how and why, and referencing the legislation for each criteria. 


Procedural Changes for Authorized BCR Holders


Enterprise holders with the ICO as their competent Supervisory Authority (BCR Lead SA) will need to arrange for a new BCR Lead in the EEA, according to Article 29 Working Party, Working Document Setting Forth a Co-Operation Procedure for the approval of BCRs for controllers and processors under the GDPR, WP263 rev.01, endorsed by the EDPB. This change in BCR Lead will need to take place before the end of the Brexit transition period. For BCRs already approved under the GDPR, the new BCR Lead SA in the EEA will have to issue a new approval decision following an opinion from the EDPB. However, no approval by the new BCR Lead SA is necessary for BCRs for which the ICO acted as their BCR Lead SA under Directive 95/46/EC. 


Content Changes for Authorized BCR Holders.


Before the end of the Brexit transition period, BCR holders with the UK’s ICO as their BCR Lead SA will need to amend their BCRs, referencing the EEA legal order. Without these changes (or a new approval, where applicable), by the end of the transition period, these enterprises or groups of undertakings will no longer be able to use their BCRs for transfers of data outside the EEA beyond the transition period.


Procedural Changes for BCR Applications Before the ICO.


Any groups of undertakings of enterprises with BCRs at the review stage with the ICO are encouraged to identify a new BCR Lead SA according to the guidance of the WP263 rev.01 before the end of the Brexit transition period. They will need to contact the new SA and provide the necessary information to apply to have the SA considered as the new BCR Lead SA. The new BCR Lead SA will then take over the application process and begin the aproval procedure, subject to an opinion of the EDPB. 


Groups of undertakings or enterprises may choose to transfer their application to a new BCR Lead SA after approval by the ICO, in which case, the new BCR Lead SA will need to approve this new application before the end of the transition period, as the new competent SA, according to Article 47.1 GDPR.


Content Changes for BCR Applications Before the ICO.


Groups of undertakings or enterprises with BCRs in the process of approval by the ICO must make sure that their BCRs refer to the EEA legal order with information on expected changes, before the end of the Brexit transition period. 


General Changes for BCR Applications 


Any Supervisory Authority in the EEA, approached to act as the new BCR Lead SA, will consider whether it is indeed the appropriate SA on a case by case basis, based on the criteria of the WP263 and in collaboration with any other concerned Supervisory Authorities. The EDPB has provided a checklist of elements for Controller and Processor BCRs which need to be changed due to Brexit, as part of this statement released last month. 


Does your company have the UK ICO as their lead supervisory authority? If so, you may be required to make significant changes before the end of the Brexit transition period. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

European Commission on Transition

European Commission Released Communication on transition between EU and UK.

The European Commission released a statement detailing the implications of the transition between the EU and UK. 


As the UK comes to the end of its transitory period from the EU to the end of this year, the European Commission has released communication assessing the country’s readiness for separation from the region. The withdrawal agreement which was entered into on February 1st, 2020 secured the UK’s departure, and stated that the laws of the Union would continue to apply until the end of the transition period ending on December 31st, 2020. The UK continues to participate in Union programmes, the EU’s single market and Customs Union and to abide by Union policies and any international agreements which include the EU. All of this is due to change come January 1st, 2021 when the transition period has ended and the Withdrawal Agreement comes into effect. The transition period therefore serves as a period of continuity to ensure readiness for the implementation of all necessary measures and arrangements and to facilitate negotiation of a new partnership between the EU and the UK by January 1st, 2021. 


Negotiations pick up momentum this summer as the EU and the UK seek to reach an agreement on a future partnership before the January 1st 20201 implementation date.


While negotiations have been slow in moving during the earlier part of this year, as of June they have picked up, as the UK’s government has made a decision not to extend the transition period. The aim is to reach an agreement on an ambitious partnership covering all areas agreed with the United Kingdom in the Political Declaration by the end of 2020. The resulting agreement would create a relationship very different from the current UK participation in the EU single market and Customs Union, and in the VAT and excise duty area. It is expected that there will be resulting barriers to trade in goods and services and to cross-border mobility and exchanges. All this, compounded by the pressure that businesses are already under due to the COVID-19 pandemic, are expected to cause some disruptions as of January 1st 2021. 


Businesses are advised to revisit their existing preparedness plans which were drawn up in the event that the UK’s withdrawal from the Union happened without a withdrawal agreement. While negotiations are still underway, those preparedness plans may still be relevant for the changes at the end of the transition period.

The European Commission released information on the effects of those changes specific to various industries, and implores companies to implement actions to ensure readiness.


The European Commission communicated an outline of changes to be expected whether there is an agreement on a future partnership between the EU and the UK or not. As of 1 January 2021, the transition period allowing for the temporary participation of the United Kingdom in the EU Single Market and Customs Union will end, thereby putting a stop to the free movement of persons, goods and services. As a result there will be several automatic changes 


The European Commission, since March 2020, has been publishing notices of readiness specific to various industries. To date, there are 59 notices spanning a wide range of industries, and this list will be updated on a regular basis as new notices become available. The Commission calls on all national and European consumer, business and trade associations to ensure that their members are fully aware of the expected changes. The changes being implemented as of January 1st 2020 will be automatic, far reaching and unavoidable. Both logistical and legal changes are to be expected, the effects of which should not be underestimated. Ultimately, businesses still need to undergo their own risk assessments and implement actions to ensure their own readiness. 


What does this mean for data protection?


As we published in our blog in January, the ICO released an statement on the implications of Brexit on data protection, where they provided some guidance on this matter. That is:


During the transition period

  • The GDPR continues to apply in the UK.
  • There is no need for a European representative.
  • ICO GDPR guidance is still relevant.
  • Transfers of data from the UK to the EU and from the EU to the UK are not restricted.

After the transition period

  • The GDPR will be brought into UK law as the ‘UK GDPR’ but the UK will have the independence to keep the framework under review.
  • A European representative may be necessary from the end of the transition period.
  • The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR.
  • The DPA 2018 will continue to apply.
  • The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
  • Data transfers between the UK and the EU may be restricted and adequate safeguards may be necessary.


Does your company process  personal information in the UK or transfer personal information between the EU and the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

EU-US Privacy Shield invalidation

EU-US Privacy Shield invalidation business implications

On 16th July, the Court of Justice of the EU delivered a ruling in the case known as Schrems II by which it invalidated EU-US Privacy Shield and confirmed the validity of Standard Contractual Clauses, with caveats.

After the CJEU’s Advocate General Henrik Saugmandsgaardøe published his opinion in the so-called ‘Schrems II’ in January, now the CJEU has delivered their judgement, pursuant which Privacy Shield is declared invalid and SCC remain valid but can only be used under strict conditions.

What did the Court say?

Two important outcomes derive from the judgement issued by the CJEU:

1.The EU-US Privacy Shield is no longer a valid mechanism for international data transfers from the EU to the US.

It is important to note that it was invalidated with immediate effect. The main reason are US surveillance programmes. According to the CJEU, US surveillance programs are not limited to what is strictly necessary and proportional as required by EU law, plus there are no effective legal remedies in the US to ensure compliance with provisions of EU law when EU data subjects’ data is used for national surveillance programs.

2.SCC but with some important caveats.

It is no longer sufficient for a data exporter and data importer to just sign the agreement, the exporting party must do a factual assessment of whether the contract can actually be complied with in practice. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC. Where this is not the case, as it happens in the US, supplementary measures and additional safeguards should be implemented in order to attain the required level of protection; otherwise the transfer should be ceased. 

National Data Protection Authorities may suspend or prohibit transfers to third country if appropriate safeguards cannot be ensured. Based on the CJEU findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US. National Data Protection Authorities responses to this decision are yet to be seen.

What does the EDPS say?

On 17th July and following the CJEU ruling, the EDPS, which together with the EDPB had previously expressed their criticisms of the Privacy Shield, released their statement where they welcomed the Court reaffirmation of the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. However, they trust that “the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court”.

What does the UK Government say?

The UK government intervened in the case, arguing in support of the validity of standard contractual clauses. In their response, they point out their commitment to ensuring “high data protection standards and supporting UK organisations on international data transfer issues”. They have announced that they are working alongside the ICO and international counterparts with the purpose of addressing the impacts of the judgment and ensuring that updated guidance on international data transfers will be provided soon.

EU Data Protection Authorities like Irish Data Protection Commissioner and three in Germany (Federal DPA, DPA of Hamburg and DPA of Rheinland-Pfalz) have also issued their statements. Other European DPAs are expected to do it soon.

What should I do now when transferring data from the EU to the US?

Where relying on the Privacy Shield:

  • Do not enter into any new agreement governed by the Privacy Shield.
  • Review all your current contracts, especially legacy ones, with your providers, clients or third-party processors and identify those that rely on the Privacy Shield. They should be amended to add SCC or any other valid safeguard covered by the GDPR for international data transfers.

Where relying on SCC:

Although the ICO and other national Data Protection Authorities are expected to produce detailed guidance soon, according to CJEU, when transferring personal data to third countries relying on SCC you should:

  • Make sure that security and technical measures which provide an adequate level of protection of personal data are actually implemented. You may need to review or at least ask for further information about the data importer’s technical and security measures plus consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
  • Reinforce your accountability processes. Do not simply sign an appendix to your contracts including SCC, rather but have a closer look at the actual security measures and other mechanisms used by the importer, plus the actual situation in the importing country, especially regarding surveillance.

What can we expect in the near future?

It is expected that guidance will be issued from the European Commission as well as the European Data Protection Board. Apart from that, the EU may decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under US surveillance laws. Likewise the US came up with the Privacy Shield ten months after the Safe Harbor was declared invalid, so one could now hope for them to put in place a new mechanism which to address the CJEU’s concerns. On another note, SCC may be updated for GDPR soon.

Do you make international data transfers to third countries? Are you affected by Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance servicesContact us today.

EU Digital Sovereignty

EU Digital Sovereignty: Ideas for a more resilient EU.

EU digital sovereignty is of paramount importance in the face of the rapid technological evolution currently taking place globally.


A call for EU digital sovereignty had been brought to the forefront of many conversations among policy makers, in light of growing concerns over EU citizens losing their control of their data, capacity for innovation and ability to enforce legislation in the digital world. The concept of “digital sovereignty” had recently sprung forth as a means of promoting the idea of leadership and strategic autonomy in the digital world for Europe. There has been major concern over the threat placed on EU citizens by the economic and social influence of non-EU technology companies. This has made very clear the need for Europe to be able to act independently in the digital world. 


President of the European Commission, Ursula von der Leyen has named digital policy as one of her key political priorities during her term. The increase in Chinese technological presence in the EU has become a source of concern for the EU Parliament. A need and opportunity to reduce such dependence has presented itself, especially in light of the coronavirus pandemic and its revelations on the essential role of the tech sector on the continuity of social life, businesses and administrations. A recent Commission report highlighted the fact that at times, competition from global tech-driven players disregarded European rules and values, and deeply involved data appropriation and valuation. This has compelled the need for technological sovereignty, and for advancements in developing a secure, competitive and inclusive digital economy built on ethics and with world class connectivity. There has been a call for special emphasis on issues of data security and artificial intelligence.


The present situation highlights the need for EU digital sovereignty, while presenting some concerns and opportunities for improvements in the areas of EU Data economy and innovation, privacy and data protection, cyber security, data control and online platforms’ behavior. 

EU data economy and innovation


While the EU has strong acids including a world leading AI research community and a range of innovations such as 5G, artificial intelligence,  cloud computing, and the internet of things, the region is behind the United States and China in private investment, and the rate at which AI has incorporated into the society. The two countries also surpass the EU on things like data collection, data access, patent applications and development of essential hardware like supercomputers. The potential dependence on foreign technology presents a risk to Europe’s influence in the digital field.


In response to this the EU has implemented several initiatives to narrow the investment gap. EU policy makers have also been designing tools to adapt EU industrial and technological capacity to the global competitive environment. For example, the European data strategy adopted in February of this year forges the path for the creation of European data spaces to ensure that more data becomes available for use within the European economy and society.


Privacy and data protection.


The Cambridge Analytica scandal showed how online platforms can extract personal data for Political profiling purposes. In addition, the economic model of large tech companies like Google, Apple, Facebook, Amazon and Microsoft  are largely based on the collection and exploitation of online users’ data for advertising purposes. Trends like these, are often referred to as surveillance capitalism, and are a source of concern in the EU. There is a need for EU citizens to be able to control the digital data in an online environment that is largely dominated by non EU tech companies.


To combat this, the EU has taken on a very stringent approach to privacy and data protection with the GDPR at it’s centre. The European Union is seen as a standard setter in the world of privacy and data protection. As a matter of fact, several other countries outside the EU have incorporated aspects of the GDPR into their own national legislation. While the coronavirus pandemic has added a layer of difficulty to implementing this framework, the member states are looking at adopting location tracking measures to contain the spread of the virus in conjunction with implementing technical solutions to deal with the issues presented by this crisis.


Cybersecurity, data control and online platforms’ behavior


The EU’s reliance on Chinese 5G infrastructure has proved to be a critical weakness for the region. There is also growing concern over the EU Member States’ lack of control over data produced on their territory, with the global public cloud market being largely dominated by us and Asian companies. In addition to this, issues of competition have been raised by the control that large tech companies have, making it hard for others to compete in new and innovative markets. 


The EU has taken a multifaceted approach to combating this issue. In addition to several tools adopted within recent years, for example the Network and Information Security Directive (NIS), the European cybersecurity act, and EU-wide cybersecurity certification scheme for ICT products, there have been further advancements in legislation. Following the Huawei debate, the Commission adopted recommendations for a common approach to the security of 5G networks in March of 2019 and this year published an EU tooltbox on 5G cybersecurity.


Further EU Initiatives towards EU Digital Sovereignty

Data Framework.


There are several initiatives being brought forward by the EU in order to secure digital sovereignty. For starters, the data framework could be revised to make provisions for EU based cloud storage. With non-personal data regarded as the critical, raw material of the digital economy, and cloud storage expected to overtake local device storage this year, this is seen as an important move. It is expected to not only strengthen Europe’s data sovereignty, but also address the fact that cloud storage is an industry almost dominated by non EU companies. The implications of this could potentially be to the detriment of EU citizens’ security and rights. 


In recent times, France and Germany have announced a joint, European cloud initiative; Gaia-X project. While more action could be decided upon at an EU level in order to help implement an EU-wide cloud infrastructure, this latest development is regarded as an important tool to ensure the safety of data for these European citizens, businesses and governments. The proposed EU data framework to facilitate data collection, processing and sharing has the potential to put Europe in the lead in collecting and processing data, and to secure access for innovators to data, particularly in the spheres of B2B (business-to-business) and G2C (government-to-citizens). 


There is much more that could be done with regard to investment in frontier technologies, including AI, IoT, blockchain, high performance computing and quantum technologies, which should be encouraged in order to implement the productivity breakthrough that Europe needs. The execution of the 2021-2027 multiannual financial framework currently under consideration is critical to that cause. Likewise, the Digital Europe programme, the first ever EU programme primarily dedicated to digital transformation, among others.


Trustworthy Environment.


The EU approach to digital matters has become centered around ensuring transparency and trust. There presents a challenge for the EU to introduce new standards and practices ensuring trustworthy and controllable products, whether they are of EU or foreign origin. This will require new tools in the fields of cyber security, AI and data protection. 


With regard to cybersecurity, there is a need to influence three main aspects. Changing the EU-wide certification scheme from voluntary to compulsory, especially as the framework for this programme is up for review in 2023. This would be a definite step forward in securing a safe environment, particularly for 5G networks. It could also potentially set the EU apart as a standard setter in the field of cybersecurity. In addition to this, inadequate coordination of cybersecurity is one of the main issues faced by EU policy makers. An important action to combat this would be to finalize the adoption of the Commission proposal to establish European Cybersecurity Competence Centers. 


Furthermore, there is a call for security to become an obligatory aspect in every public procurement procedure for relevant infrastructure nationally and throughout the EU. Each EU member state should create specific security requirements for application in the context of public procurement related to 5G networks. This should include mandatory cybersecurity certification requirements. 


Competition and Regulation.


In light of recent events, there has been a greater apparent need for update and adaptation regarding the EU’s competition policy and the digital regulatory framework. Recently, we reported on German competition law and Facebook’s breach of it. There are calls for a shift towards more defensive and prudential mechanisms for the entire EU, including regulation to address foreign state ownership and distortive practices by large tech companies. It is important to protect the potential of European tech start-ups and small and medium-sized enterprises. This may involve new tools for more synchronous investment screening mechanisms and for assessing takeovers in high tech EU companies. This, along with the implementation of strategic limits on foreign investment, exceptions to state aid and competition policy, could ensure coordination between EU member states on this matter. This is extremely necessary, especially when considering the swift technological evolution currently taking place. In the end, building a genuinely sovereign EU digital environment will also require addressing the insufficient coordination between regulators in this field. It will take a revamp to the current governance mechanisms both between sector specific regulators and beyond. This is critical to ensuring a coherent approach to EU digital sovereignty. 


Aphaia provides a number of services in relation to EU ICT regulatory framework compliance, including GDPR data protection impact assessments, Data Protection Officer outsourcing, telecoms regulatory consultancy, and EU AI ethics assessments. Get in touch today to find out more.