Adequacy decisions adopted

Adequacy decisions adopted for EU-UK data transfers

Adequacy decisions adopted by the European Union for the UK regarding data transfers.


The European Commission has recently adopted adequacy decisions for the United Kingdom. Since Brexit there has been some question as to the UK’s adequacy, or rather the level of protection afforded to data transfers between the EU and the UK. With the adoption of these adequacy decisions (one under the General Data Protection Regulation, or GDPR, and the other for the Law Enforcement Directive), data transfers can now flow freely between the European Union and the United Kingdom. This data will be considered as having the equivalent level of protection that is guaranteed under EU law when being transferred to the UK.


The adequacy decisions adopted came after a thorough assessment process, during which data transfers occurred based on a Trade and Cooperation agreement. 


Since the draft adequacy decisions for the UK were published in February, the UK’s practices and laws regarding personal data protection have been carefully assessed. In April, the EDPB gave its opinion on UK adequacy, which was then followed by a comitology procedure which included a vote from EU Member States. In the absence of an adequacy decision, and while in the process of establishing one, data transfers flowed between the EU and the UK, based on a Trade and Cooperation agreement. This agreement expired on June 30, 2021, and provided that, in the absence of an adequacy decision, all data transfers carried out in the context of its implementation would comply with the GDPR and Law Enforcement Directive. 


UK data protection laws still very much resemble the laws under which the country operated as an EU Member State.


The UK, as a former EU Member State, had a data protection system which was still based on the very same rules under which UK data protection functioned while the UK was an EU Member State. The principles, rights and obligations of the GDPR and Law Enforcement Directive have been fully incorporated into UK law. This has made not only the Trade and Cooperation agreement but also the adequacy decisions easier and more feasible. The UK provides strong safeguards regarding access to personal data by public authorities. In principle, the collection of data by intelligence authorities is subject to prior authorization by an independent judicial body.


The adequacy decisions include a sunset clause which causes them to expire after four years.


These adequacy decisions include a ‘sunset clause’. This is the first of its kind and strictly limits the duration of the validity of these adequacy decisions. What this means is that these decisions will automatically expire in four years, after which adequacy findings may be renewed. However, this is subject to the UK continuing to ensure an adequate level of data protection. The European Commission will continue to monitor the legal situation in the UK and reserves the right to intervene at any point if the UK deviates from the current level of data protection provided. After the four-year duration of these recently adopted adequacy decisions, if the European Commission decides to renew the adequacy decisions, the adoption process would start over.


GDPR adequacy related to immigration control has been excluded from this decision, to be reassessed pending judgments from the England and Wales Court of Appeal.


Due to a recent judgment of the England and Wales Court of Appeal, data transfers for the purposes of UK immigration control have been excluded from the scope of the GDPR adequacy decision. The judgment affects the validity and interpretation of certain data protection rights related to immigration control, and the Commission will therefore reassess the necessity of this exclusion once this matter has been dealt with under UK law.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Telephone marketing rules post-Brexit

Many UK businesses are planning to shift to telephone marketing. In this blog we go through the requirements that should be met in order to do it in compliance with the ePrivacy rules.

UK businesses are no longer clearly protected by the ePrivacy country-of-origin rule when marketing directly in EU countries, so many of them are now looking for alternatives. Are the rules on telephone marketing less strict than the ones on electronic mail marketing?

What does the ePrivacy Directive say about unsolicited communications?

Pursuant to the ePrivacy Directive “Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing […] are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation”.

Accordingly, national implementation of the ePrivacy Directive in each Member State regulates the rules that apply in each country.

The ePrivacy country-of-origin principle allows the sender to rely on the benefit of its own country’s less strict rules as long as there is a single market. However, this no longer applies to UK businesses after Brexit, so the rules of the destination country should be considered before marketing directly in EU countries.

Automated calls

Automated calls are subject to stricter requirements. Pursuant to the ePrivacy Directive, the use of automated calling systems without human intervention (automatic calling machines) and facsimile machines (fax) for the purposes of direct marketing is only allowed in respect of subscribers who have given their prior consent.

General consent for marketing, or even consent for live calls, is not enough; the consent needs to cover automated calls specifically.

Telephone marketing from the UK through live calls

In EU countries

UK businesses that wish to market to other businesses or individuals in EU countries should check national laws in order to confirm the following elements:

  1. Whether consent is required;
  2. Where consent is not required, whether the number is listed in the national opt-out register or whether the data subject has explicitly objected to receiving calls from that particular business.

Most EU countries have implemented opt-out registers rather than the consent requirement, but this must be assessed on a case by case basis in order to ensure full compliance.

In the UK

UK businesses that wish to market to other businesses or individuals in the UK should take the following steps:

  1. Check whether the number is registered with the TPS or CTPS.
  2. Check whether the data subject has objected to receiving calls from them.

In a nutshell, marketing calls can be freely made unless the person has opted out of them or is registered with the TPS or CTPS. No marketing calls should be made to any number listed on TPS or CTPS unless that person has specifically consented to calls from the particular business. Telephone marketing is also prohibited when it is for the purpose of claims management services, unless the person has specifically consented to them.

Calls in relation to pension schemes are subject to special rules.

Additional requirements

Once it has been determined that the call can be made in compliance with the relevant rules, a set of additional requirements should be applied, namely:

  • Say who is calling;
  • Allow the number (or an alternative contact number) to be displayed to the person receiving the call;
  • Explain where the controller’s privacy policy can be found; and
  • Provide a contact address or freephone number if asked.

EU ePrivacy rules update

As reported in one of our latest blogs, earlier this month EU Member States agreed upon a negotiating mandate for revised ePrivacy rules, which would repeal the current ePrivacy Directive, starting to apply two years after its publication in the EU Official Journal. The ePrivacy Regulation may introduce new rules on telephone marketing, such as the obligation to present the calling line identification assigned to them or use a specific code or prefix identifying the fact that the call is a direct marketing call. 


Do you carry out telephone marketing? Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Memorandum of Understanding

Memorandum of Understanding signed between the ICO and the National Privacy Commission of the Philippines

A Memorandum of Understanding has been signed between the UK’s ICO and the Philippines’ NPC, effective January 12th 2021.

The UK’s ICO and the Philippines’ NPC have recently signed a Memorandum of Understanding in a move to strengthen their current relations. Recognizing the nature of this globalized economy, and the fact that they perform similar roles in their respective countries, the ICO and NPC decided on this memorandum, which is not legally binding, and is not applicable in circumstances which would breach either party’s legal responsibilities. Each organisation is expected to continue enforcing its respective legislation, but the two may collaborate on any joint enforcements, and aid in the enforcement of their respective laws, as long as it is not in contravention of national security or other relevant laws.


The Memorandum of Understanding provides several opportunities for collaboration and cooperation. 

This Memorandum of Understanding signed by the ICO and NPC sets forth the intention to implement joint research projects and exchange information on best practices for data protection policies and training programmes. They will be coming together for bilateral meetings annually, or as decided. There will be no sharing of personal data; however, the ICO and NPC do intend to exchange information concerning potential or ongoing investigations within their respective jurisdictions. The memorandum also encourages jointly investigating any cross-border personal data breaches or other security incidents which involve organisations in both jurisdictions, as well as any other areas of cooperation decided on by both parties.


This Memorandum does not create an obligation to share information and does not allow for the sharing of personal information. 

This agreement is not legally binding, and neither of the parties is under an obligation to cooperate or to share information, particularly information which is outside the scope of this memorandum, or which may compromise their legal responsibilities. While these parties agree to share certain information, this does not imply the transfer of ownership of, or rights to, the shared information. There is no intention for the parties to share personal information, however this term is defined in each party’s domestic law. However, if the ICO or NPC wishes to share personal information and deems it necessary, as may be the case in sharing any information regarding a cross-border personal data breach, this should not in any way compromise compliance with the respective parties’ own data protection laws.


The Memorandum of Understanding will be continuously monitored and reviewed, settling any disputes amicably through negotiations. 

The Memorandum of Understanding is regarded as a statement of intent, and it is anticipated that it will be continuously monitored, and reviewed biennially, seeking to resolve any disputes amicably, through the use of consultations and negotiations and without any legislative forum. The agreement does not imply any legally binding commitments. Therefore any issues which arise are to be handled by first notifying the point of contact for each party, and after the negotiating process, the agreement can be amended with changes agreed upon by both parties, and signed into the memorandum. The respective points of contact are expected to maintain open communication to ensure that the agreement remains effective and serves its purpose. 


Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

UK treaty with EU

UK treaty with EU: This agreement will allow an extended period for personal data flows.

The UK government has recently announced a treaty with the EU, which essentially allows for an extension in the transitionary period, allowing free personal data flows. 


Last month, we reported on the impending termination of the transitionary period and the need for UK businesses to ensure compliance with data protection law by December 31st 2020. Since then, the UK government has announced a treaty with the EU allowing for personal data to flow freely from the EU (and EEA) to the UK, including law enforcement agencies. This arrangement will stand until adequacy decisions take effect, for a period no longer than six months.


The UK government announces the new treaty, which allows free cross-border flow of information between the UK, and the EU and EEA. 


The announcement made by the UK government provides in-depth details on what this would mean for digital trade. The agreement is meant to ensure that the UK and the EU will collaborate on digital trade issues in future, including emerging technologies. The agreement will prohibit requirements to store or process data in a specific location, allowing for free cross-border flow of information. This is the first time that the EU has made provisions for data in a free trade agreement. This agreement is expected to promote trust in the digital economy, and prevent the imposition of costly requirements for UK businesses.


This UK treaty with the EU also features a totally new provision, inspired by recent WTO discussions, allowing open government data. This encourages governments to make available non-personal and anonymised data, in easily accessible and machine-readable formats. It also guarantees that neither the UK nor the EU will discriminate against electronic signatures or electronic documents, solely on the basis that they are in digital form, ensuring that contracts can be completed digitally, with very few exceptions.


The agreement is expected to provide greater consumer protection, as it contains special exceptions to preserve policy space for the UK or the EU to protect online users. It includes online consumer protection and anti-spam provisions. This agreement also goes on to guarantee against the forced transfer of source code, ensuring companies and valuable intellectual property are protected.


The ICO has released a statement advising UK businesses and organisations to arrange alternative transfer mechanisms.


The ICO has released an updated statement, urging businesses and organisations who transfer data to EU and EEA organisations to put alternative transfer mechanisms in place during this period to safeguard against an interruption in their data flow. Information Commissioner Elizabeth Denham said in this recent statement: “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.” The ICO is expected to release an additional statement updating the ICO guidance on their website to reflect the extended provisions and ensure businesses know what happens next.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.