SCCs and Privacy Shield

SCCs and Privacy Shield replacement updates, what can we expect?

SCCs and Privacy Shield replacement are both of paramount importance to trans-Atlantic data flows, however, right now the focus may be more on new SCCs. 


 Almost one year since the CJEU “Schrems II” decision, a new EU-US privacy shield may still be far off. However, with Standard Contractual Clauses being upheld and used quite frequently to facilitate cross border data flows, new SCCs can be expected soon. According to this IAPP article, new SCCs may be here within a matter of weeks. Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission said “We are about to because it’s a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today’s digital economy”.


The new Standard Contractual Clauses are expected to be here in short order, and the Commission considers the feedback received on the draft SCCs. 


Since the Schrems II decision, SCCs have been upheld, but with a few caveats. They have been put to use to facilitate data flows between the EU and the US, however this has not been without incidence. While privacy professionals wait for conclusive information regarding data flows across the Atlantic, there have been some recent developments. Bruno Gencarelli, during IAPP’s Global Privacy Summit Online, said that the new Standard Contractual Clauses will soon be adopted. Gencarelli, based on the feedback the European Commission received, called the draft SCCs an “enormous success”, with the Commission taking this feedback very seriously. The ongoing process is intended to modernize the SCCs to better suit the current digital climate’s size and complexity. 


“This is a much awaited step forward which once in place will help to unify the dissimilar criterion that EU Supervisory Authorities have been applying since Schrems II when it comes to international data transfers, as we have recently seen with the Bavarian and French DPAs decisions” comments Cristina Contero Almagro, Aphaia’s Partner.


Privacy Shield replacement negotiation is intensifying, but a privacy shield replacement may still be far off. 


While there is a willingness on each side to make a deal on a replacement for Privacy Shield, it is a balancing act between privacy and national security, making this a delicate, and complex situation. As we have seen since Schrems II, SCCs, while very useful, may not always be enough. As each side seeks to create a durable replacement for Privacy Shield, one that can stand up to legal challenges and political scrutiny, talks are underway for a solution that will meet the needs of both parties with regards to both privacy and national security.  


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

Data transfers to the UK

Data transfers to the UK: European Commission launches process for two adequacy decisions

Last month, the European Commission launched the process for two adequacy decisions for data transfers to the UK – one under the GDPR and one under the Law Enforcement Directive. 


The European Commission recently published two draft adequacy decisions for data transfers to the UK. One of those is under the GDPR and the other under the Law Enforcement Directive or LED. This is the first step in adopting those adequacy decisions. The next steps in this process would be to obtain an opinion from the EDPB and subsequently, get approval from a committee of representatives from the EU Member States. Once this is done these decisions can be adopted.


Under Article 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive, the Commission has the power to decide that a non-EU country fulfills the requirements for an adequate level of protection for personal data flows with the EU. If the European Commission has deemed a country “adequate”, personal data transfers can be made between EU Member States and that country without being subject to any further conditions. Currently personal data transfers in the UK are governed by the UK GDPR and the DPA, which are very similar to the EU GDPR & the LED. 


The Commission feels confident that data transfers to the UK will be adequately protected under their equivalent laws. 


The Commission has spent several months prior to drafting these decisions, studying the UK’s laws on data transfers. From this, came the conclusion that the UK’s equivalent laws to the GDPR and LED give data transfers a similar level of protection. As a result, The Commission believes that data transfers to the UK from the EU will indeed be adequately protected under their equivalent laws. Didier Reynders, Commissioner for Justice said in a statement, “EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”


UK data protection regime has been heavily influenced by EU law for decades, making this a very easy adequacy process. 


In most adequacy decisions the systems in place are often divergent making the adequacy process one that converges the two. However, in this case the UK has had a data protection regime modeled after that of the EU for decades now. Regardless, this process is essential now that the UK is no longer under EU data protection laws. Once the draft adequacy decisions have been adopted they will remain in place for four years. After this four year period, it will be possible to renew these decisions once the level of protection for data transfers between the EU and UK have proven to be, and are likely to continue to be adequate. 


Personal data transfers between the UK and the EU are currently protected during this interim period by the EU-UK Trade and Cooperation Agreement. 


On January 1, 2021 an interim period began during which the UK, while no longer under EU law, continues to enjoy lawful and seamless  data transfers under the EU-UK Trade and Cooperation Agreement, until June 30, 2021. Now that these initial steps in adopting adequacy decisions for data transfers to the UK, the European Commission awaits the opinion of the EDPB regarding this draft decision. Once this opinion has been taken into account, the so-called comitology procedure will ensue, during which the Commission will request approval from representatives of the EU member states in order to finalize adequacy for personal data transfers to the UK. 


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessmentstransfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

Fine imposed by AEPD

Fine imposed by AEPD for GDPR violations

A 6 million euro fine was recently imposed on CAIXABANK by AEPD, the Spanish DPA for various breaches of the GDPR.


Late last month, the EDPB reported on a fine imposed by AEPD on Spanish multinational financial services company CAIXABANK, for GDPR violations. It was found that the company unlawfully processed clients’ personal data and failed to provide adequate information regarding the processing of personal data. For the former infringement, a fine of 4 million euros was imposed and for the latter, 2 million euros, which is AEPD’s largest cumulative fine to date.


The total fine imposed by AEPD included a 4 million eurodollar fine for a breach of Article 6 of the GDPR. 


CAIXABANK was found to be in violation of Article 6 of the GDPR, by their failure to provide any mechanism to collect consent from data subjects. As a result, the data subjects’ consent did not meet with all the elements of valid consent required for processing. The AEPD found that based on the company’s legitimate interest, processing activities were not sufficiently justified, neither was the relationship between the company’s activity and the processing of personal data. As a result of this breach, the AEPD imposed an administrative fine of 4 million euros, under GDPR Article 83 (5) a. 


CAIXABANK was fined 2 million euros for a breach of Articles 13 and 14 of the GDPR. 


CAIXABANK was also found to be lacking key information in a document meant to comply with Articles 13 and 14 of the GDPR. This document did not clearly outline the categories of personal data processed, nor the purposes for this processing of personal data. In addition, the document provided did not specifically outline the legal basis for the processing specific to their company’s legitimate interest. As a result the AEPD found them in violation of the aforementioned articles of the GDPR, resulting in a fine of 2 million euros, under Article 83 (5) b. 


The fine imposed by AEPD was decided upon based on several key factors. 


In deciding on an appropriate fine for the various breaches of the GDPR, AEPD considered certain aggravating factors of the violations found. In general the AEPD considered the nature, gravity and the duration of the specific infringements as well as the negligent character of those infringements. The fact that the company is a large enterprise and the rate of its turnover also played a key role in the amount that was fined. The AEPD considered the relationship between CAIXABANK’s activity and the processing of the personal data, as well as the benefits gained from the infringement and the categories of personal data affected. Additionally, the AEPD looked at the Degree of responsibility of the controller, considering the technical and organizational measures implemented pursuant to Articles 25 and 32 of the GDPR.

CAIXABANK has been ordered to bring its operations into compliance within 6 months. 


In addition to the administrative fines imposed by the AEPD, the financial services company has been ordered to bring its processing operations into compliance with Articles 6,13, and 14 of the GDPR within the next 6 months. This would mean providing an adequate mechanism for collecting customers’ valid consent and ensuring that only necessary personal information which is legally justified based on the company’s legitimate interest is processed. In addition, the company will need to ensure that this information, as well as the purposes of the processing, is clearly outlined in the document intended for compliance. 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

UK treaty with EU

UK treaty with EU: This agreement will allow an extended period for personal data flows.

The UK government has recently announced a treaty with the EU, which essentially allows for an extension in the transitionary period, allowing free personal data flows. 


Last month, we reported on the impending termination of the transitionary period and the need for UK businesses to ensure compliance to data protection law by December 31st 2020. Since then, the UK government has announced a treaty with the EU allowing for personal data to flow freely from the EU (and EEA) to the UK, including law enforcement agencies. This arrangement will stand until adequacy decisions take effect, for a period no longer than six months.


The UK government announces the new treaty, which allows free cross-border flow of information between the UK, and the EU and EEA. 


The announcement made by the UK government, provides in depth details on what this would mean for digital trade. The agreement is meant to ensure that the UK and the EU will collaborate on digital trade issues in future, including emerging technologies. The agreement will prohibit requirements to store or process data in a specific location, allowing for free cross-border flow of information. This is the first time that the EU has made provisions for data in a free trade agreement. This agreement is expected to promote trust in the digital economy, and prevent the imposition of costly requirements for UK businesses.


This UK treaty with the EU also features a totally new provision, inspired by recent WTO discussions, allowing open government data. This encourages governments to make available non personal and anonymised data, in easily accessible and machine readable formats. It also guarantees that neither the UK nor the EU will discriminate against electronic signatures or electronic documents, solely on the basis that they are in digital form, ensuring that contracts

can be completed digitally, with very few exceptions.


The agreement is expected to provide greater consumer protection, as it contains special exceptions to preserve policy space for the UK or the EU to protect online users. It includes online consumer protection and anti-spam provisions. This agreement also goes on to guarantee against the forced transfer of source code, ensuring companies, and valuable intellectual property are protected. 


The ICO has released a statement advising UK businesses  and organisations to arrange alternative transfer mechanisms.


The ICO has released an updated statement, urging businesses and organisations who transfer data to EU and EEA organisations to put alternative transfer mechanisms in place, during this period, to safeguard against an interruption in their data flow. Information Commissioner, Elizabeth Denham said in this recent statement “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.” The ICO is expected to release an additional statement updating the ICO guidance on their website to reflect the extended provisions and ensure businesses know what happens next.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcingContact us today.