Adequacy decisions adopted

Adequacy decisions adopted for EU-UK data transfers

Adequacy decisions adopted by the European Union for the UK regarding data transfers.

 

The European Commission has recently adopted adequacy decisions for the United Kingdom. Since Brexit there has been some question as to the UK’s adequacy, or rather the level of protection afforded to data transfers between the EU and the UK. With the adoption of these adequacy decisions- one under the General Data Protection Regulation or GDPR, and the other for the Law Enforcement Directive, data transfers can now freely flow between the European Union and the United Kingdom. This data will be considered as having the equivalent level of protection that is guaranteed under EU law when being transferred to the UK.

 

The adequacy decisions adopted came after a thorough assessment process, during which data transfers occurred based on a Trade and Cooperation agreement. 

 

Since the draft adequacy decisions for the UK were published in February, the UK’s practices and laws regarding personal data protection have been carefully assessed. In April, the EDPB gave its opinion on UK adequacy, which was then followed by a comitology procedure which included a vote from EU Member States. In the absence of an adequacy decision, and while in the process of establishing one, data transfers flowed between the EU and the UK, based on a Trade and Cooperation agreement. This agreement expired on June 30, 2021, and provided that, in the absence of an adequacy decision, all data transfers carried out in the context of its implementation would comply with the GDPR and Law Enforcement Directive. 

 

UK data protection laws still very much resemble the laws under which the country operated as an EU Member State.

 

The UK, as a former EU Member State, had a data protection system which was still based on the very same rules under which UK data protection functioned while the UK was still an EU Member State. The principles, rights and obligations of the GDPR and Law Enforcement Directive have been fully incorporated into UK law. This has made, not only the Trade and Cooperation agreement, but also the adequacy decisions easier and more feasible.  The UK provides strong safeguards regarding access to personal data by public authorities. In principle, The collection of data by intelligence authorities is subject to prior authorization by an independent judicial body. 

 

The adequacy decisions include a sunset clause which causes them to expire after four years.

 

These adequacy decisions include a ‘sunset clause’. This is the first of its kind and strictly limits the duration of the validity of these adequacy decisions. What this means is that these decisions will automatically expire in four years, after which adequacy findings may be renewed. However, this is subject to the UK continuing to ensure an adequate level of data protection. The European Commission will continue to monitor the legal situation in the UK and at any point, reserves the right to intervene if the UK deviates from the current level of data protection provided. After the four year duration of these recently adopted adequacy decisions, if the European Commission decides to renew the adequacy decisions, the adoption process would start over.

 

GDPR adequacy related to immigration control has been excluded from this decision, to be reassessed pending judgments from the England and Wales Court of Appeal.

 

Due to a recent judgment of the England and Wales Court of Appeal, data transfers for the purposes of UK immigration control have been excluded from the scope of the GDPR adequacy decision. The judgment affects the validity and interpretation of certain data protection rights related to immigration and control and therefore the Commision, once this matter has been dealt with under UK law, will reassess the necessity of this exclusion. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Telephone marketing rules post-Brexit

Many UK businesses are planning to shift to telephone marketing. In this blog we go through the requirements that should be met in order to do it in compliance with the ePrivacy rules.

UK businesses are no longer clearly protected by ePrivacy country of origin rule when marketing directly in EU countries, so many of them are now looking for alternatives. Are the rules on telephone marketing less strict than the ones on electronic mail marketing?

What does the ePrivacy Directive say about unsolicited communications?

Pursuant to the ePrivacy Directive “Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing […] are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation”.

Accordingly, national implementation of the ePrivacy Directive in each Member State regulates the rules that apply in each country.

ePrivacy country of origin rule principle allows the sender to rely on the benefit of the own country less strict rules as long as there is single market. However, this does not apply to UK businesses anymore after Brexit, therefore the rules of the destination country should be considered before marketing directly in EU countries.

Automated calls

Automated calls are subject to stricter requirements. Pursuant to the ePrivacy Directive, the use of automated calling systems without human intervention (automatic calling machines) and facsimile machines (fax) for the purposes of direct marketing is only allowed in respect of subscribers who have given their prior consent.

General consent for marketing, or even consent for live calls, is not enough and it needs to cover automated calls specifically.

Telephone marketing from the UK through live calls

In EU countries

UK businesses that wish to market other businesses or individuals in EU countries should check national laws in order to confirm the following elements: 

  1. Whether consent is required;
  2. Where consent is not required, whether the number is listed in the national opt-out register or whether the data subject has explicitly objected to receiving calls from that particular business.

Most EU countries have implemented opt-out registers rather than the consent requirement, but this must be assessed on a case by case basis in order to ensure full compliance.

In the UK

UK businesses that wish to market other businesses or individuals in the UK should take the following steps:

  1. Check whether the number is registered with the TPS or CTPS.
  2. Check whether the data subject has objected to receiving calls from them.

In a nutshell, marketing calls can be freely made unless the person has opted-out from them or is registered with the TPS or CTPS. No marketing calls should be made to any number listed on TPS or CTPS unless that person has specifically consented to calls from the particular business. Telephone marketing is also prohibited when it is for the purpose of claims management services, unless the person has specifically consented to them.

Calls in relation to pension schemes are subject to special rules.

Additional requirements

Once determined that the call can be made in compliance with the relevant rules, a set of additional requirements should be applied, namely: 

  • Say who is calling;
  • Allow the number (or an alternative contact number) to be displayed to the person receiving the call;
  • Explain where the controller’s privacy policy can be found and 
  • Provide a contact address or freephone number if asked.

EU ePrivacy rules update

As reported in one of our latest blogs, earlier this month EU Member States agreed upon a negotiating mandate for revised ePrivacy rules, which would repeal the current ePrivacy Directive, starting to apply two years after its publication in the EU Official Journal. The ePrivacy Regulation may introduce new rules on telephone marketing, such as the obligation to present the calling line identification assigned to them or use a specific code or prefix identifying the fact that the call is a direct marketing call. 

 

Do you make telephone marketing? Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

BCR Changes for Brexit

BCR Changes for Brexit: EDPB releases statement guiding enterprises.

The European Data Protection Board (EDPB) released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA).

 

The EDPB released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA). As shifts are made towards the official implementation of Brexit, many structural and procedural changes are being made for businesses. One such change, adopted on July 22, 2020, based on the analysis currently undertaken by the EDBP on the consequences of the CJEU judgment,  Data Protection Commissioner v Facebook Ireland, and Schrems, regarding BCRs as transfer tools. The EDPB recently released a statement outlining BCR changes for Brexit implementation, complete with a table guide regarding the criteria for a BCR Lead SA change, how and why, and referencing the legislation for each criteria. 

 

Procedural Changes for Authorized BCR Holders

 

Enterprise holders with the ICO as their competent Supervisory Authority (BCR Lead SA) will need to arrange for a new BCR Lead in the EEA, according to Article 29 Working Party, Working Document Setting Forth a Co-Operation Procedure for the approval of BCRs for controllers and processors under the GDPR, WP263 rev.01, endorsed by the EDPB. This change in BCR Lead will need to take place before the end of the Brexit transition period. For BCRs already approved under the GDPR, the new BCR Lead SA in the EEA will have to issue a new approval decision following an opinion from the EDPB. However, no approval by the new BCR Lead SA is necessary for BCRs for which the ICO acted as their BCR Lead SA under Directive 95/46/EC. 

 

Content Changes for Authorized BCR Holders.

 

Before the end of the Brexit transition period, BCR holders with the UK’s ICO as their BCR Lead SA will need to amend their BCRs, referencing the EEA legal order. Without these changes (or a new approval, where applicable), by the end of the transition period, these enterprises or groups of undertakings will no longer be able to use their BCRs for transfers of data outside the EEA beyond the transition period.

 

Procedural Changes for BCR Applications Before the ICO.

 

Any groups of undertakings of enterprises with BCRs at the review stage with the ICO are encouraged to identify a new BCR Lead SA according to the guidance of the WP263 rev.01 before the end of the Brexit transition period. They will need to contact the new SA and provide the necessary information to apply to have the SA considered as the new BCR Lead SA. The new BCR Lead SA will then take over the application process and begin the aproval procedure, subject to an opinion of the EDPB. 

 

Groups of undertakings or enterprises may choose to transfer their application to a new BCR Lead SA after approval by the ICO, in which case, the new BCR Lead SA will need to approve this new application before the end of the transition period, as the new competent SA, according to Article 47.1 GDPR.

 

Content Changes for BCR Applications Before the ICO.

 

Groups of undertakings or enterprises with BCRs in the process of approval by the ICO must make sure that their BCRs refer to the EEA legal order with information on expected changes, before the end of the Brexit transition period. 

 

General Changes for BCR Applications 

 

Any Supervisory Authority in the EEA, approached to act as the new BCR Lead SA, will consider whether it is indeed the appropriate SA on a case by case basis, based on the criteria of the WP263 and in collaboration with any other concerned Supervisory Authorities. The EDPB has provided a checklist of elements for Controller and Processor BCRs which need to be changed due to Brexit, as part of this statement released last month. 

 

Does your company have the UK ICO as their lead supervisory authority? If so, you may be required to make significant changes before the end of the Brexit transition period. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

European Commission on Transition

European Commission Released Communication on transition between EU and UK.

The European Commission released a statement detailing the implications of the transition between the EU and UK. 

 

As the UK comes to the end of its transitory period from the EU to the end of this year, the European Commission has released communication assessing the country’s readiness for separation from the region. The withdrawal agreement which was entered into on February 1st, 2020 secured the UK’s departure, and stated that the laws of the Union would continue to apply until the end of the transition period ending on December 31st, 2020. The UK continues to participate in Union programmes, the EU’s single market and Customs Union and to abide by Union policies and any international agreements which include the EU. All of this is due to change come January 1st, 2021 when the transition period has ended and the Withdrawal Agreement comes into effect. The transition period therefore serves as a period of continuity to ensure readiness for the implementation of all necessary measures and arrangements and to facilitate negotiation of a new partnership between the EU and the UK by January 1st, 2021. 

 

Negotiations pick up momentum this summer as the EU and the UK seek to reach an agreement on a future partnership before the January 1st 20201 implementation date.

 

While negotiations have been slow in moving during the earlier part of this year, as of June they have picked up, as the UK’s government has made a decision not to extend the transition period. The aim is to reach an agreement on an ambitious partnership covering all areas agreed with the United Kingdom in the Political Declaration by the end of 2020. The resulting agreement would create a relationship very different from the current UK participation in the EU single market and Customs Union, and in the VAT and excise duty area. It is expected that there will be resulting barriers to trade in goods and services and to cross-border mobility and exchanges. All this, compounded by the pressure that businesses are already under due to the COVID-19 pandemic, are expected to cause some disruptions as of January 1st 2021. 

 

Businesses are advised to revisit their existing preparedness plans which were drawn up in the event that the UK’s withdrawal from the Union happened without a withdrawal agreement. While negotiations are still underway, those preparedness plans may still be relevant for the changes at the end of the transition period.

The European Commission released information on the effects of those changes specific to various industries, and implores companies to implement actions to ensure readiness.

 

The European Commission communicated an outline of changes to be expected whether there is an agreement on a future partnership between the EU and the UK or not. As of 1 January 2021, the transition period allowing for the temporary participation of the United Kingdom in the EU Single Market and Customs Union will end, thereby putting a stop to the free movement of persons, goods and services. As a result there will be several automatic changes 

 

The European Commission, since March 2020, has been publishing notices of readiness specific to various industries. To date, there are 59 notices spanning a wide range of industries, and this list will be updated on a regular basis as new notices become available. The Commission calls on all national and European consumer, business and trade associations to ensure that their members are fully aware of the expected changes. The changes being implemented as of January 1st 2020 will be automatic, far reaching and unavoidable. Both logistical and legal changes are to be expected, the effects of which should not be underestimated. Ultimately, businesses still need to undergo their own risk assessments and implement actions to ensure their own readiness. 

 

What does this mean for data protection?

 

As we published in our blog in January, the ICO released an statement on the implications of Brexit on data protection, where they provided some guidance on this matter. That is:

 

During the transition period

  • The GDPR continues to apply in the UK.
  • There is no need for a European representative.
  • ICO GDPR guidance is still relevant.
  • Transfers of data from the UK to the EU and from the EU to the UK are not restricted.

After the transition period

  • The GDPR will be brought into UK law as the ‘UK GDPR’ but the UK will have the independence to keep the framework under review.
  • A European representative may be necessary from the end of the transition period.
  • The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR.
  • The DPA 2018 will continue to apply.
  • The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
  • Data transfers between the UK and the EU may be restricted and adequate safeguards may be necessary.

 

Does your company process  personal information in the UK or transfer personal information between the EU and the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.