Data transfers to the UK

Data transfers to the UK: European Commission launches process for two adequacy decisions

Last month, the European Commission launched the process for two adequacy decisions for data transfers to the UK – one under the GDPR and one under the Law Enforcement Directive.

The European Commission recently published two draft adequacy decisions for data transfers to the UK: one under the GDPR and the other under the Law Enforcement Directive (LED). Publication is the first step in adopting these decisions. The next steps are to obtain an opinion from the EDPB and then approval from a committee of representatives of the EU Member States. Once this is done, the decisions can be adopted.

Under Article 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive, the Commission has the power to decide that a non-EU country provides an adequate level of protection for personal data flows with the EU. Once the European Commission has deemed a country “adequate”, personal data can be transferred between EU Member States and that country without any further conditions. Currently, personal data transfers in the UK are governed by the UK GDPR and the DPA, which are very similar to the EU GDPR and the LED.

The Commission feels confident that data transfers to the UK will be adequately protected under the UK’s equivalent laws.

Before drafting these decisions, the Commission spent several months studying the UK’s laws on data transfers. It concluded that the UK’s equivalents to the GDPR and the LED give data transfers a similar level of protection. As a result, the Commission believes that data transfers from the EU to the UK will indeed be adequately protected under those laws. Didier Reynders, Commissioner for Justice, said in a statement: “EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”

The UK data protection regime has been heavily influenced by EU law for decades, making this a very straightforward adequacy process.

In most adequacy processes the two systems are divergent, and the process works to bring them into line. In this case, however, the UK has had a data protection regime modeled on that of the EU for decades. The process is nonetheless essential now that the UK is no longer subject to EU data protection law. Once adopted, the adequacy decisions will remain in place for four years. After that four-year period they can be renewed, provided the level of protection for data transfers between the EU and the UK has proven to be adequate and is likely to remain so.

Personal data transfers between the UK and the EU are currently protected during an interim period by the EU-UK Trade and Cooperation Agreement.

On January 1, 2021 an interim period began during which the UK, while no longer under EU law, continues to enjoy lawful and seamless data transfers under the EU-UK Trade and Cooperation Agreement, until June 30, 2021. Now that these initial steps towards adequacy decisions for data transfers to the UK have been taken, the European Commission awaits the opinion of the EDPB on the draft decisions. Once that opinion has been taken into account, the so-called comitology procedure will follow, during which the Commission will request approval from representatives of the EU Member States in order to finalize adequacy for personal data transfers to the UK.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

Fine imposed by AEPD

Fine imposed by AEPD for GDPR violations

A 6 million euro fine was recently imposed on CAIXABANK by the AEPD, the Spanish DPA, for various breaches of the GDPR.

Late last month, the EDPB reported on a fine imposed by the AEPD on the Spanish multinational financial services company CAIXABANK for GDPR violations. The company was found to have unlawfully processed clients’ personal data and to have failed to provide adequate information about the processing of personal data. For the former infringement a fine of 4 million euros was imposed and for the latter 2 million euros, making this the AEPD’s largest cumulative fine to date.

The total fine imposed by the AEPD included a 4 million euro fine for a breach of Article 6 of the GDPR.

CAIXABANK was found to be in violation of Article 6 of the GDPR because it failed to provide any mechanism to collect consent from data subjects. As a result, the consent obtained did not meet all the elements of valid consent required for processing. The AEPD also found that the processing activities were not sufficiently justified by the company’s legitimate interest, nor was the relationship between the company’s activity and the processing of personal data. For this breach, the AEPD imposed an administrative fine of 4 million euros under Article 83(5)(a) of the GDPR.

CAIXABANK was fined 2 million euros for a breach of Articles 13 and 14 of the GDPR.

CAIXABANK was also found to have omitted key information from a document meant to comply with Articles 13 and 14 of the GDPR. The document did not clearly set out the categories of personal data processed or the purposes of the processing. In addition, it did not specifically identify the legal basis for the processing carried out on the basis of the company’s legitimate interest. The AEPD therefore found the company in violation of those articles and imposed a fine of 2 million euros under Article 83(5)(b).

The fine imposed by the AEPD was decided on the basis of several key factors.

In deciding on an appropriate fine for the various breaches of the GDPR, the AEPD considered certain aggravating factors of the violations found. In general, the AEPD considered the nature, gravity and duration of the specific infringements as well as their negligent character. The fact that the company is a large enterprise, and its turnover, also played a key role in the amount fined. The AEPD considered the relationship between CAIXABANK’s activity and the processing of the personal data, the benefits gained from the infringement and the categories of personal data affected. Additionally, the AEPD looked at the degree of responsibility of the controller, considering the technical and organizational measures implemented pursuant to Articles 25 and 32 of the GDPR.

CAIXABANK has been ordered to bring its operations into compliance within 6 months.

In addition to the administrative fines, the AEPD has ordered the financial services company to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next 6 months. This means providing an adequate mechanism for collecting customers’ valid consent and ensuring that only personal data that is necessary and legally justified on the basis of the company’s legitimate interest is processed. In addition, the company will need to ensure that this information, as well as the purposes of the processing, is clearly set out in the document intended for compliance.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

UK treaty with EU

UK treaty with EU: This agreement will allow an extended period for personal data flows.

The UK government has recently announced a treaty with the EU which essentially extends the transition period, allowing personal data to continue to flow freely.

Last month, we reported on the impending end of the transition period and the need for UK businesses to ensure compliance with data protection law by December 31st 2020. Since then, the UK government has announced a treaty with the EU allowing personal data to flow freely from the EU (and EEA) to the UK, including to law enforcement agencies. This arrangement will stand until adequacy decisions take effect, for a period of no longer than six months.

The UK government announces the new treaty, which allows the free cross-border flow of information between the UK and the EU and EEA.

The UK government’s announcement provides in-depth details on what this will mean for digital trade. The agreement is meant to ensure that the UK and the EU collaborate on digital trade issues in future, including emerging technologies. It prohibits requirements to store or process data in a specific location, allowing the free cross-border flow of information. This is the first time the EU has made provisions for data in a free trade agreement. The agreement is expected to promote trust in the digital economy and to prevent the imposition of costly requirements on UK businesses.

This UK treaty with the EU also features an entirely new provision, inspired by recent WTO discussions, on open government data. It encourages governments to make non-personal and anonymised data available in easily accessible and machine-readable formats. It also guarantees that neither the UK nor the EU will discriminate against electronic signatures or electronic documents solely because they are in digital form, ensuring that contracts can be completed digitally, with very few exceptions.

The agreement is expected to provide greater consumer protection, as it contains special exceptions that preserve policy space for the UK or the EU to protect online users. It includes online consumer protection and anti-spam provisions. The agreement also guarantees against the forced transfer of source code, ensuring that companies and their valuable intellectual property are protected.

The ICO has released a statement advising UK businesses and organisations to arrange alternative transfer mechanisms.

The ICO has released an updated statement urging businesses and organisations that transfer data to EU and EEA organisations to put alternative transfer mechanisms in place during this period, to safeguard against an interruption in their data flows. Information Commissioner Elizabeth Denham said in this recent statement: “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.” The ICO is expected to release an additional statement updating the guidance on its website to reflect the extended provisions and ensure businesses know what happens next.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

ICO urges UK businesses

ICO urges UK businesses: ensure compliance with data protection law before the end of the UK’s transition.

The ICO urges UK businesses to ensure compliance with data protection law before the end of the UK’s transition period on December 31st 2020.

December 31st 2020 will officially end the UK’s transition period out of the EU, and the ICO is calling on UK businesses affected by data protection law to take the necessary steps to ensure the continued lawful flow of data from the EU. The ICO advises that any business receiving data from organisations in the EU or the European Economic Area (EEA, which includes the EU, Iceland, Norway and Liechtenstein) will need to take action to ensure the flow of data doesn’t stop.

Many SMEs depend on the flow of personal data to operate, and the ICO seeks to support these businesses during the transition.

Personal data is any information that relates to an identifiable individual, whether it concerns customers or staff. HR records, customer details, payroll information and information collected through cloud services are all personal data and may be affected. The ICO recognises that sharing personal data is essential to running the majority of SMEs, and that smaller organisations may not have dedicated data protection officers or specialists to help with the preparations. It has therefore published a statement advising businesses on the steps they can take before January 1st to ensure continued compliance.

The ICO urges UK businesses to maintain compliance with the DPA 2018 and the GDPR, and to double-check their privacy information.

Businesses in the UK will need to continue to ensure compliance with the GDPR and the DPA 2018. As regards the exchange of data between entities in the UK and the EU, however, from January 1st 2021 businesses will need to have safeguards in place to ensure that the continued flow of data is lawful. The ICO has gathered guidance and resources on its website and urges businesses to use them to determine the actions they may need to take if they use personal data. In addition, businesses should review their privacy information and other documentation for changes that need to be made at the end of the transition period.

For most businesses and organisations, the ICO suggests Standard Contractual Clauses (SCCs) to keep data flowing on EU-approved terms.

The ICO statement suggests that standard contractual clauses, or SCCs, may be the best option for businesses that use personal data and want to ensure their data transfers are EU-approved. As businesses in the UK will officially be treated as non-EU processors or controllers from January 1st, SCCs, which have proven to be a sufficient safeguard for transfers of data between controllers and processors within the EU and internationally, have been recommended as the best option for UK businesses to adopt post-transition.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.