Jocelyn Paulley and Rocio de la Cruz provide an update on what you need to know about data sharing and international data transfers in these turbulent times. They talk through the latest developments in the UK and Europe and have a look at what is happening in some other areas of the world too.
David Lowe: Hello everybody and welcome to our ThinkHouse Spring Session on Data Privacy. I am David Lowe, I am one of the leaders of our ThinkHouse Programme. ThinkHouse is our programme aimed at in-house lawyers, looking to help support you in your practice, and ThinkHouse Spring is our programme of events. We started with Employment on Tuesday, we have Data Privacy today, Customs and Trade on Tuesday next week and Human Rights on Thursday.
I apologise now if there is a bit of background noise. My neighbour decided just five minutes ago to prune his trees, so please do bear with me. Thankfully, I will not be doing much of the talking today so I will be able to go on mute in a second.
So we are going to be talking about data privacy today. We are therefore joined by Jocelyn Paulley, who is an IT and Data Privacy Partner, and Rocio de la Cruz, who is a Senior Lawyer in our Data Privacy Team. Rocio is actually dual qualified, so she can bring both an English law and a Spanish law perspective to this, which is obviously particularly useful with data protection.
This session will last for about an hour, maybe just under an hour, finishing at 11:30. There will be plenty of time for Q&A, we will have two slots for Q&A because we are going to talk first about data sharing and then second we are going to talk about international transfers. We are touching on those two issues because they are the issues that we are getting lots of queries on. They are complicated and people want to understand how that works. They are coming across them all the time.
Between the two, we will focus more on data sharing because that is relevant to anyone, while international transfers will only be relevant to those of you trading internationally or having your data transferred internationally.
I am conscious, having heard the rehearsal, just how dense the subject of data privacy is, so there is a limit to what we can do in this 45 minutes. So if, as we get to the end, you are left wanting more, just let us know. Put it in the Q&A or in the feedback forms. We are certainly very interested in doing more in-depth data privacy talks.
Also at the end there will be a poll, our next big event would normally be in September and obviously our big decision is whether we do it like this, remotely, or whether maybe we can dip our toe in the water and do it for real. And obviously it is really difficult to tell right at the moment but we just wanted to get a sense of psychologically where people are. So, at the end of the session we will be asking you a couple of questions about how up would you be for going to the office or whether actually you would prefer to wait and see or sit it out and maybe it will not be until next year.
So, first we are going to start with Jocelyn. Jocelyn is going to talk to us about data sharing.
Jocelyn Paulley: Thanks David. Good morning everybody. So our first topic is indeed data sharing and we are going to start with the deceptively simple question "how do I share data in a privacy compliant manner?"
Rocio de la Cruz: And this is something that we get many questions about from clients: "what do you mean by sharing?" and "what do you mean by sharing data?", is it not?
Jocelyn: Exactly. And that is one of the reasons that we want to cover this topic now. Because increasingly the work on our desks is about data sharing. I want to flag a terminology point first of all. We are seeing 'sharing' being used to cover a wider and wider range of activities. So traditionally what we would have thought of as fairly simple processing between a controller and a processor, when you have a customer/supplier relationship, and then true sharing between both independent controllers and joint controllers. And this is getting increasingly complex as we see it being used in different areas, often with multi-party data sharing, if you are working in areas like public sector or life sciences or research or anything where there is technology at the heart. So in this session we are going to look at, as David said, in as brief a flash as we can to get through in the time we have, sharing between all those different sorts of parties.
So sharing is a big topic, so we need to break it down into some more basic questions, and we have three steps for you to help take you through that process.
The first is around context. So when you are thinking about sharing, the first thing you need to do is the point that I just touched on - work out the capacity in which each party is acting. How are you sharing data and what is your relationship? Because that is going to drive how you approach it and the requirements of a data sharing agreement. So are you a controller? Are you interacting with other processors? Other controllers who are going to be independent? Or other controllers who are going to be joint controllers alongside you?
You always need to do a double check - am I definitely sharing personal data? Is it not actually anonymised, so I can step outside of the data protection regime altogether, and is it pseudonymised? Which is of course good data protection practice, to not share more data than you need to. But bear in mind pseudonymised data is still personal data and is still subject to GDPR regulation.
As part of that check you are also challenging your business - do we need to be sharing this as personal data? Can we not strip it back further to share simply anonymised statistics or facts? Can we not pseudonymise either? Do we have to share this granular level of data? So you understand exactly what is being shared and why.
It is a good idea as part of the context as well to work out if this is going to be a one-off sharing or the start of a regular process. That is going to factor into your thinking about risks and approach, and what you need as part of your documentation. You will also want to know, is this a data sharing arrangement that is really about a data flow and passing data between parties? Or is it actually linked to the provision of services?
So that will impact your documentation, because you need to know whether, when you are drafting your DSA, it needs to work with and alongside the services agreement. Think about cross-over points like issues around termination, liability, where do my audit rights and details sit? What am I saying about subcontracting and sub-processing? So check that you do not treat those common issues differently across different agreements where it is actually all linked together.
What those agreements look like is something that we will come on to look at as we go further on through the steps. So your first step is really important to get the context so you understand what data you are going to share.
Rocio: And the context has changed a lot, has it not? Because we move, we are evolving in this context of data sharing and the roles. And the quota has changed as well from the beginning, when years ago before GDPR we were broadly more focused on putting data processing clauses with just processors, to a broader scope as you are saying now: we need to focus on joint controllers, we need to understand what the joint controller is, we need to understand what data sharing is and whether or not the data sharing with an independent controller is relevant, and the responsibilities and so on. So we have much broader discussions now, if you like, with clients. Whereas years ago it was just business services processed as provided. I am going to assume it is a processor and here are the standard clauses that apply to everyone. It is a completely different context now.
Jocelyn: Yes, that is absolutely what we are seeing. The context is becoming so much more complex. As more data is available, companies are becoming more sophisticated in how they want to use that data, looking for ways to innovate by making use of data that is available, so as Rocio says that context is no longer a given that it is a relatively simple services relationship. You have to drive behind, and often we find ourselves focussing on who is really deriving the benefit from these arrangements to work out who is acting in a controller capacity, because it is quite easy now to force people getting their hands dirty, if you like, and doing a lot of operational processing and those involved in the decision making.
So this fact finding and context which we talk a lot about when we talk about data protection, that is why we talk about all the data mapping early on in your GDPR compliance processes. It is so important to inform how you then analyse what you need to do and the risks involved.
So once you have established that context, the next thing you need to do is then start applying the GDPR rules. So the first thing you want to be thinking about is, why is this data being shared and therefore what is my legal ground for processing? We are all familiar with those grounds. You need to think about it for your ordinary personal data and of course any special category data if you are going to be sharing that too. Bear in mind that if you are relying on legitimate interest, this is definitely a scenario where you ought to be doing a legitimate interest assessment test as well, and recording that formally, particularly where you have multiple parties or you are doing something slightly unusual, to make sure that the benefit to the organisations really does outweigh the harm it might cause to individuals and to see how you might minimise those. I just mentioned documentation, so the other big question is, have you done a data protection impact assessment? And this is a question we get a lot, isn't it Rocio: how do I need to do this and how far do I need to go?
Rocio: Yes, and of course we have got the requirements where under GDPR the data protection impact assessment is mandatory and you need to carry out all the control that is expected, but on the other hand sometimes we still carry out data protection impact assessments even if it is not mandatory, because it is really convenient to analyse the risks, and sometimes perhaps certain data is not classified as special category of data, or premium kinds of data, but it is still sensitive to the individuals. And so you need to analyse that, and it is very useful as well if, in the future, you have an unlikely event that there is some data breach, and unfortunately a serious data breach; what you did consider before as part of the data protection impact assessment is very useful as well to help you, to help clients, to react on time and to know what to do, the steps to take, so it is definitely really, really important. But we use different forms, though, don't we Joss, depending on whether it is mandatory or whether it is voluntary; perhaps it is a shorter version.
Jocelyn: Exactly, yes. That is definitely true; the way in which we use DPIAs has been evolving and is context specific, and this is something that we have been doing anyway and it is now backed up by the ICO's code of practice which came out last December. The code of practice is all around data sharing, but the really strong direction and guidance to business coming out of that code of practice is to use DPIAs. Not just in the situations where they are mandatory as in GDPR, not just in the situations flagged by the EDPB's guidance, which we have had more or less since GDPR came out; actually it was one of the really early pieces of guidance. They have about nine criteria there and say, if your context hits a couple of those criteria, you ought to be doing the DPIA, because those are scenarios where the regulators consider you are likely to trigger the threshold of the processing being likely to cause a high risk to the rights and freedoms of individuals. But the ICO's code of practice goes a step further and is saying really you ought to be doing a DPIA for any sort of data sharing, precisely because, as Rocio describes, it is a flexible risk assessment tool. So if you are doing something that is at the higher end of the scale, a major project, lots of data, doing unusual things, absolutely a full-on DPIA in detail. If you are somewhere further down that scale, then some form of DPIA where you gather your data flows and do a data map and understand how you are going to process that data in a privacy compliant way, that is what the regulators expect to see.
And the ICO even goes as far as to say that, even if you feel that you really do not need to do a DPIA, they still expect to see a piece of documentation somewhere that shows how you believe that this particular data sharing is GDPR compliant. So I think there is really no getting away from the fact that that documentation has to exist in one form or another.
The last thing you need to think about when you are running through your basic checks and applying a principle is, is there an international element to this data transfer? That is a question that Rocio will look at in more detail in the next part of the talk.
Rocio: There is a question that someone flagged asking whether, when we refer to GDPR right now as part of the session, we are referring to the European GDPR or the UK GDPR. I think that for the purpose of data sharing there is no difference between UK GDPR and European GDPR, so we refer to how it is implemented now in the UK.
Jocelyn: Yes, thanks Rocio. So once you have got your context, you have run through your basics and you are happy that you can share this particular data in a privacy compliant way, the third step is then to consider the data sharing agreement itself. The form that that data sharing agreement takes will be driven significantly by the relationship between the different parties: whether you have joint controllers, separate controllers or a controller and a processor. And Rocio, this area of joint controllers and data sharing is one in which I think there is the greatest development and the greatest amount of focus at the moment.
Rocio: Definitely. So probably because of recent case law written last year that has helped to define and to see how we tend the joint controllers seem to figure, which is really broad. We have for example, you know, the witness case in which one of the parties in the community was not even seeing that data and it was conceded that the parties were joint controllers, and because we see the development as well in what is expected, how Article 26 arrangements, the level of detail that needs to be incorporated there, as I said, and really defining with a granular level the responsibilities between the parties. And we see different scenarios on that, because we have the simple joint controller where it is very clear that both parties are jointly taking the decision on each particular thing. We see scenarios in which one party was responsible for practically everything, because it is the only party who has direct contact with the subjects. And then we work on these complex research projects in which each party is individually collecting data, putting it together into another data set, and then there are different accesses, different purposes and expected purposes that are not overseen at the beginning, because perhaps they may have seen artificial intelligence tools or machine learning tools. And therefore the Article 26 arrangement becomes under the privacy notice as well, because there is an impact, because it is much more flexible and you really need to keep it up to date, so it is completely different; so definitely a lot of information on this matter.
Jocelyn: Yes, I think there are a few reasons for that. One is, as you say, the case law and the guidance that we now have from the regulators on what they consider to be joint controllers, as against what we used to see as quite a narrow definition. It is clear now that they are interpreting that much more broadly, which means we have started talking about it a lot more with clients; it is something we need to consider because clearly the regulators believe it has a broader application. But also I think because of just the prevalence of technology in today's life there is now so much more data available. Companies are looking to avail themselves of it or work out how they can use that to their benefit, but it is increasingly an area of focus and, I think because it is an area of innovation, that is why you are getting multiple parties coming together. I have never looked at so many multi-party agreements as we have around data sharing, because it is where people are doing more research, or innovation, or setting up some kind of joint system to benefit multiple parties, that you get these kinds of arrangements. So it is definitely an area in which we are seeing a lot of movement, and it is really significant from a data sharing point of view, because the contrast between whether you are dealing with joint controllers or separate controllers or controller/processor will have a huge influence on how you draft your agreement. The only mandatory requirements around having joint controllers from a data sharing point of view are working out who is responsible for delivering the privacy notice to individuals and who is responsible for responding to subject rights requests.
You do now also need to consider which party, and it is obviously more complex in a multi-party scenario, is going to handle each of the GDPR principles, who is going to be responsible for all those, so that is what your data sharing agreement will set out. Contrast that, though, with what you would have if you simply have independent controllers acting for their own purposes. In that situation there is no legal requirement to have any kind of data sharing agreement if you look in GDPR, so you are at liberty to decide what your documentation needs to say. And we see a range of possibilities here, depending on whether you are really two quite independent parties doing separate things, where you might have very light touch clauses, or it is actually a customer/supplier relationship but, where the nature of the supplier's service is a role like, say for example, lawyers or accountants, means that they are actually independent controllers for some elements of what they do, and so your clauses might look more like a customer/supplier controller/processor type of clause with some areas lightened. If you just pop the slide up please, and then you can do at the other end if you have controller/processor clauses. Obviously there we know exactly what is required, as the Article 28 agreement has been around for some time now and we are quite comfortable with the requirements of those clauses. We have seen them develop significantly, I think, over the last three years, so now we have a sort of very basic repeating more or less what the legislation says, all the way along to much more developed clauses where you have suppliers offering standard services or customers dealing with huge volumes of data with a multitude of suppliers and again wanting to have standard processes across their contracts. And your final piece to think about in terms of the documentation is international transfers, which again we will cover in the second part of the session.
So on this next slide, I have put up a lot of practical considerations. These have come from the ICO's code of data sharing that I mentioned previously and are all things that the ICO says ought to be captured in the data sharing arrangement. But if you look at this list, a lot of it looks very operational.
Rocio: And there are a lot of clients asking us, why do we need to put in all these operational things, making their agreement even longer, even much more to say; is this mandatory?
Jocelyn: Indeed, that is the question that we get. And we think there is good reason for including all of this detail in those contracts. In any IT or services contract I look at, this is all the kind of thing I would expect to see in a service specification setting out exactly what one party is going to deliver to the other. This is the equivalent in the data sharing world. There are also other legal advantages to having it in your agreements. If you are the recipient of data and you actually receive in reality more data than you were expecting, if you can point to a data sharing agreement that says, I was never meant to have this, it is actually another party that is at fault for giving it to me, you are then not at risk of any claims that you have obtained data where you should not have done and have no lawful ground for processing it. It also has the advantage of clarity, so every party is very clear who is responsible for what element of GDPR compliance, and of course you do need to know that for all of the controllers together to be compliant in a joint controller scenario, as Rocio was saying earlier. It would go towards accountability; it shows you have done your thinking, you have been very clear and transparent in your arrangements, which is obviously at the heart of GDPR. It is also a convenient place to record things like your lawful ground for processing, particularly for public sector organisations, where you are going to need to identify the particular piece of legislation that gives you the power to share data, so a slightly separate consideration to what private companies need to be aware of and think about. So there are lots of advantages to putting all of this in a data sharing agreement. Clients also ask us, how far do I need to go, how much of this is necessary? And that really comes back to your context. Is this a high risk situation? Are you doing unusual things?
The more the answer to that is yes, the more detail ought to be included to show how you are being transparent and complying with GDPR principles.
Rocio: In a data controller/processor scenario, if we look at the standard contractual clauses, controller to processor, not for international transfer, in the controller/processor scenario that has been considered or even approved by the European Commission, we see clauses at this level that are meant to deal with this level of granularity. And the European Commission, for example, when the Danish standard contractual clauses were being approved, said that if you do not allow for this level of granularity it will not be compliant with Article 28 - that copying and pasting what is in Article 28 is not compliant. So there is a clear necessity, at the end of the day, in certain scenarios, to get all these discussed, agreed and in the agreement.
Jocelyn: Absolutely. So once you have done all of that, is that everything you need to be doing to be sharing in a privacy compliant way? As you know, this is an ongoing obligation to keep on top of that data sharing, as with all of privacy compliance; it does not end with the creation of the policy or the creation of the privacy notice, the signing of the documents. The first point there you have probably already achieved in the course of going through that level of granularity: you will have evidence of confidence that the parties you are engaging with are capable of being GDPR compliant. But then you need to turn to your other documentation to make sure that any updates necessary to privacy notices or records of processing or, if you have a broader internal data map, are made so that they reflect any new arrangements. Over time you need to monitor for changes, particularly, as Rocio was saying before, in areas where thinking is developing or parties are testing the waters to see what is possible; if the sharing changes in any way, that needs reflecting in the data sharing agreement and you might even go back to a DPIA for a more fundamental change. And finally, thinking about auditing, as you would do in any processor arrangement designed over time, what are the appropriate checks and balances to have in place to see that the other parties are doing what they said they would under your contract.
So we are just going to pause there because that is the end of our piece on data sharing to see if we have any questions and I can see there are some in the Q&A there which we can look at now before we move on to international transfers. So I am just looking down the list of questions. Rocio were there any you wanted to pull out?
Rocio: Well there are some questions about the clauses that we will cover perhaps in the second half of this session.
Jocelyn: So I will take maybe the first one I can see, about how prescriptive two independent controllers can be on each other in a data sharing arrangement. I think if you are independent controllers that is one area where you have the maximum flexibility. Because GDPR does not require any minimum level of clauses or documentation, you do not have to be prescriptive at all, I think, is the answer to the question. You might want to be more prescriptive as a risk management and protection measure from your own point of view, depending on the context of the relationship. So sometimes we have merely a sentence in an agreement between independent controllers saying we are both controllers and we will comply with all of our GDPR obligations. Sometimes you back that up with a mutual indemnity, depending on the risk that each party perceives of the other not complying with their obligations.
Sometimes, if there is a reputational impact, if one party is more of the public face of the relationship and they are concerned that if there is a breach by the other party it will be them who is impacted more, then we might have clauses requiring one party to notify the other if there is a breach, to share information so that that public response and image can be maintained and dealt with appropriately. So you really do have maximum flexibility in that scenario as to what needs to go in your data sharing agreement.
I can see a question about AI. What effects do we think AI will have on all this data sharing? That is an area where Rocio and I have been doing a fair bit of work, because if what has prompted the question is, well, there is a lot of AI and that is quite complex, then absolutely: we have been working with our internal AI team on using personal data as training data instead of dummy sets and actual models, thinking about what you need to put in your privacy notices, because obviously transparency is not easy and there are hundreds of pages of guidance from the ICO on explainability and how to put in your privacy notices what the impact of having AI used is on you as an individual.
So I think AI will probably increase the amount of data sharing that we see and will make organisations want to be able to receive data, which obviously means somebody else needs to be able to give it to them. So I do think we will see more frameworks put in place to facilitate data sharing. The UK was at one stage looking at concepts like data custodians or data guardians, so sort of independent middlemen whose purpose is to hold data and ensure fair access to data. Because, for access, competition and monopoly issues are increasingly arising as well, to ensure that companies have equal opportunities to innovate by having access to the underlying data.
Rocio: So this is a question about whether GDPR will still continually apply in the UK after 2022, because after the appeal of the extra year transition for trade imports and exports etc. We think we will, because the GDPR is integrated now into UK law, and because the UK wants to facilitate the international transfer of data between countries it aims to be adequate. So the GDPR regime is meant to stay in the UK as it is now, with some variations in future perhaps, but we will be extremely surprised if the essential rules are changed. And GDPR is now UK law, so we will explain that later as well, but yes, it applies.
There is another question about indemnities. That is something that Joss and I discuss a lot, and we are waiting to have more case law to confirm how this will look in specific scenarios. But all of this that Joss was saying about setting out the responsibilities in writing in our agreements helps to assess the level of responsibilities. When you talk about Articles 82 and 83 of the GDPR and thinking of the fines, what we see is that sometimes the regulator most likely will issue a fine against one party or the other depending on who is responsible for what. So there might be a narrow context in which one party can claim back because they have been fined for what a processor did, because, if the regulator has decided that it is the controller who was responsible, you can challenge that decision, but claiming back is going to be more difficult. So perhaps it is a lot more relaxed in that way in terms of claiming for compensation brought by data subjects. Article 82.4 also allows you to claim back for responsibilities if you end up, for example if you are a joint controller and your supplier is a joint controller, and you end up paying for something that it was very clear was their responsibility, because to the data subjects you would have the same responsibility, you would be jointly responsible and liable, but then you can claim back. So it depends very much on the context. Sometimes suppliers push back and it is not a concern, or not such a concern, so you can accept; or at other times, in other circumstances, do we really need to, perhaps, do you want that indemnity, because that is a joint controller scenario. But that is why this is so important, all the points that Joss has been covering in terms of this level of detail that, even if it is not mandatory, is recommended in the sharing.
Jocelyn: Absolutely. Thank you for the questions we will come back to some more at the end. But I think we should move on to the second part of the talk. So over to you Rocio for international transfers.
Rocio: Like David said before, what we are covering here is just an overview of the mechanisms we have now in the UK, particularly after Brexit, when it comes to transferring data internationally. We are not going to have time to cover every single mechanism in detail, and seeing that there are more questions about model clauses, Joss and I will discuss model clauses a bit more, but perhaps not with all the level of granularity and detail; we will need a whole session or two sessions or maybe three for that. But of course we welcome any questions after and we can follow up to respond to all of the questions that we do not have time to respond to, or, like David said, yes, if you want more content and more detail we can organise and arrange another webinar covering just international transfers.
So focusing on the questions that clients have, or that we have been discussing with clients, Joss, I think the main question, I would say, is about Brexit, isn't it?
Jocelyn: Exactly. The main question is, what do I need to think about in the context of international transfers now that the UK is no longer part of the EEA?
Rocio: Yes. So to keep that simple, because we have been advising clients from two years ago getting ready for Brexit and thinking about international transfers, the situation right now is as follows.
So if we think about what happens when we receive data from another country to the UK, when that other country is an EEA country. Now we are not part of the European Union, the main question, or the main requirement to look at, is: is the UK adequate? Now the current position is that we are in the process of getting adequacy and we are in a bridge timeline that ends up, I mean it is a four month timeline that can be extended, and we expect that it is going to be extended up until the end of June. So during these six months the transfer of data is allowed from the EEA country to the UK, and this process is not, I mean we have had published and we see the draft, I think, of the decision by the European Commission, but this is in process; like I said, we still need to complete two more steps.
The second step we are expecting to happen around April, the last step we are expecting to have by beginning of June but because it is not warranted that this is going to happen although we really expect and it is a high expectation that this will happen and we will be adequate, what the ICO is recommending is that keeping an eye on it, do your risk assessment, map your international transfers of data, identify what data you have got coming from the EEA to the UK, particularly if it is high risk, and keep an eye on it and check what is the position by the end of April.
So if by end of April you are reading news that there has been some concerns, complications with the adequacy process, then you may need to start thinking of what other safeguards you may consider to put in place. Or if it is going well, maybe you can wait a month more or even until the beginning of June to see the position and hopefully we will be adequate by then. Fingers crossed that is what we expect. So that is from the EEA to the UK.
Jocelyn: I think we are also increasingly thinking about what happens when we in the UK receive data from other parts of the world. Because, as we work with our international offices, particularly in places like Dubai and China: Dubai has very recently passed a new data protection law, and China's was not so long ago either. Increasingly there are restrictions from those other countries about what they have to do when transferring data into the UK. So as part of the mapping that Rocio is talking about, we would encourage organisations to look back at their maps that flag where you receive data from other parts of the world, because their requirements are all changing too.
In other parts of the world, so Pan-Asia, they have an adequacy-type area just like there is over in the EU, so there are developments there as well. But this is another area where we think organisations do need to be on top of understanding where data is coming to and from, because there are increasing numbers of international restrictions beyond what we are worrying about just post-Brexit.
Rocio: Yes, that is something I see a lot in my role here in your team, Joss, as lead lawyer of global data protection compliance. The tendency I see when we oversee a jurisdiction is that many countries have implemented data protection legal regimes, or are in the process of approving data protection legal regimes, and they have some clauses, some articles, stating that to transfer data out of their countries there must be at least a similar level of protection. That is something I see a lot in many different jurisdictions. And there are countries, like for example Brazil, that we were looking at the other day, that have a similar level of protection as well, and in addition the new legislation is practically mirroring the GDPR and it will have its own standard contractual clauses or codes of conduct and certificates that seem to level up, but they are there and their regulators are working on that.
So we are coming into a context in which this is becoming relevant globally, in particular in the high risk areas, so do not panic. It is very difficult and it is a challenge to look country by country at all the jurisdictions when you are working for a global enterprise and you are responsible for compliance with data protection, but that is why it is so important to map these international transfers, to analyse the risk and to focus, at least at the beginning, on the high risk scenarios and the higher risk jurisdictions as well.
Jocelyn: Absolutely, and just to add on to the end of that, we are aware that the US is looking at a pan-United States privacy law for the first time. So California made headlines when they introduced their GDPR-esque legislation a few years ago, and we have seen that in privacy notices that we review and in transfers. So if the US does that as a whole, that will be another big impact on international data flows, just as we are now battling with Schrems, after a battle with data coming the other way into the UK from the US.
Rocio: And that is actually an important point if we move on to the other angle from which we can look at these international transfers, which is transfers of data out of the UK: what is the regime, what does that look like right now, what are we discussing with clients now. One of the things is that, of course, the same mechanisms that you may know from the GDPR remain the same in themselves; these are the mechanisms, but now they are going to be integrated and applied by the UK government.
So what has been clarified now is that any transfer of data from the UK to the EEA countries has been declared as adequate, as allowed. There are some territories expressly mentioned just for the avoidance of doubt; for example, Gibraltar is still a territory to which you can transfer data without any other arrangements. As to other countries, any country that has already been granted an adequacy decision by the European Commission is not a restricted transfer and it is admitted by the UK government as well. So it is quite similar at the moment in that sense.
But then the UK government may, and we expect that they will, issue other adequacy decisions; we already have our own adequacy decision framework. And that is important to see, because there may be some countries that are not yet declared adequate by the European Commission for which the UK government takes the decision that actually we think it is an essentially equivalent regime and will be adequate, or perhaps with a little bit more flexibility, and of course focusing on maintaining adequacy for us from the European Commission, so we will still want to be adequate in the European Commission's eyes.
But the UK can indeed be a little bit more flexible, so that is something to watch out for, and I would not be surprised if in the next weeks we start seeing some developments from the UK government informing us how this will look, which is a very exciting thing to see. Indeed, with the latest developments in the US as well, like you said, it seems a lot of them are even relevant for the Schrems II case. When the European Court of Justice ruled on the case, it was considered as the position was reviewed in 2016, because this is what it was asked to review within the case, but if the legal regime is changing, even with regard to how intelligence agencies access data, there is a lot more flexibility to consider how transferring data to the US could be adequate, so we will see. It will be a very interesting thing to watch. Hopefully we will have a broader regime there and still be safe and essentially equivalent, of course.
But if not, we need to look at other appropriate safeguards. It is very important, I think, to consider, and I have seen some questions on that, how the European standard contractual clauses will be applied now in the UK.
So the first thing to consider, I would say, is that to use the standard contractual clauses in the UK it is allowed to amend the clauses only in those terms; as you would know, you cannot amend anything else. You can add content but not amend. But you can change the names of the references to the European directive, because the standard contractual clauses, as you know, were approved under the previous directive before GDPR, to mention and define the UK GDPR, from lead supervisory authority to the ICO, from European Commission to Secretary of State, and you can do that and convert them into UK standard contractual clauses until we have our own.
In any case, there is a question that we have been discussing with clients ... kind of nightmare. In terms of the supplementary measures that you need to incorporate, if you need to, into the standard contractual clauses if there is a risk, and this follows the ruling in the Schrems II case.
Jocelyn: Absolutely, yes, this has obviously been a key concern for a lot of clients transferring data both to the US and to other countries. When transferring to the United States, part of the assessment that the court requires has actually been done for us in the Schrems II case: we know what legislation it is that the European Commission found does not offer essentially equivalent protection to the GDPR. The challenge, of course, is how to overcome that. So when advising clients we have been looking much harder, I think, than we have ever looked before at other options for transferring data, to see if there are different ways it could be done rather than using standard contractual clauses, and Rocio is going to look at some of those to remind us all of the other options that are available. I think we have also been focusing a lot on the overall risk profile: is there a way we can show or argue that actually this transfer is low risk? We might not be able to overcome the issues of the US legislation that is in place; it is what it is. But is there a reason that actually this could be done in a way that is de-risked, or is just less risky in the first instance? I know, Rocio, you have been talking to people about some of the more practical measures as well, around things like encryption.
Rocio: Yes. So when we were thinking of supplementary measures, in particular for the transfer of data to the United States, we found some challenges there, because primarily we were only trying to keep transfers of data that we identify as low risk. So data that is less likely to cause harm to individuals, like when you have a supplier and the only data transferred is email addresses, for example, or data that is highly unlikely (although that is something that they say, 'do not look at likelihood', but highly unlikely) to be intercepted or of interest to intelligence in general, in particular in the US, and then thinking of encrypting the data, for example on site and in transit. With the on-site encryption of data we have had some challenges as well. So it is not that easy, and we do not know what the UK government's opinion would be on the extent to which the supplementary measures need to be looked at, because definitely, if you have a high risk, you need to make sure that it is an essentially equivalent regime. You may even need to stop that transfer and take a different view and a different approach if you can afford it, which are all things that we have done as well with clients: storing the data in the EEA, migrating the data or stopping sharing the data, because it is much easier and they could afford it and it was doable in certain cases.
So this is the sort of thing that requires much more qualification, and again it is kind of ... here are our recommendations, but it is up to you. Do you need to do the assessment, do you need to consider the risks, and if it is really low risk, we have been including these operational arrangements to the possible extent and we think that this should suffice, but of course there is a lot of discussion on this point, so we will see. The standard contractual clauses, like we say, we can talk forever about this and the many different options and clauses, processor to sub-processor; we hope to cover some of this in the Q&A session, but let me just move on to very quickly reminding you of all the mechanisms that are in the GDPR that still remain in the UK.
Binding corporate rules is something that requires your attention if you are one of these organisations having binding corporate rules. The good news is that it is easier to amend binding corporate rules when they were approved under the previous directive, and most of the UK entities that have binding corporate rules have them under the previous directive, which is good. But, in very short, you can have UK binding corporate rules and EU binding corporate rules. So if you have binding corporate rules approved by the ICO, you now need to take steps to appoint a lead supervisory authority and to convert those ones into UK binding corporate rules. If you have binding corporate rules approved by a European lead supervisory authority, then you need to do the same: you need to create standalone binding corporate rules, telling the ICO these were approved by this lead supervisory authority, and take the steps to convert those ones into UK ones. So that is a very short version.
Jocelyn: And it seemed to us to make sense, if you do need to go through that exercise, to do it sooner rather than later, before UK and EU laws diverge, which of course there is the possibility could happen. So before you have to deal with those complexities, it would seem to be a good idea to start that process of getting your BCRs approved by either the ICO or the EU, whichever is the one that you need to go to, before any of those divergences occur.
Rocio: Yes, and definitely before the end of June this year; that is a good recommendation. You can find all the information that you need on the ICO's website as to the steps you need to follow if your company has implemented binding corporate rules, or if they are in the process of being implemented, so do still look at this.
And then, just a quick reminder, we have other options still in process that remain the same in the UK, now totally under the control of the UK government and the ICO, and these would be codes of conduct, separate codes of conduct, and certifications under the approved certification scheme that the ICO is progressing; it is still in progress. You can also have your own contractual clauses as long as you send them to the ICO and they approve them. So that is something that, for example, in Spain we used to do a lot; it was mandatory anyway to inform of those international arrangements, you send it to the regulators, they review it, and if they are happy with it and it makes sense, they should approve it. A similar type of arrangement applies for the private sector, and then we have all the options for the public sector in terms of the legally binding enforceable instrument between different public operators based in different countries, and of course the Article 49 exceptions, with which you need to be careful, because it is an exception, but it is still applicable if you have the context and the individual requirements. So that is something that it is also recommended to look at.
That is all I think we should cover today, and we should probably move on to the questions.
Jocelyn: OK, I have been looking up and down the questions. There are a few which I will take together, broadly about: do we need to update existing agreements that are already in place that refer to EU GDPR with the UK references? Yes, we have been carrying out that exercise. You should think about: do I still want to include references to EU GDPR and also introduce UK GDPR, again depending on your context. If you are two UK entities only dealing with personal data of people in the UK, then it would seem to make sense to confine your definitions to UK GDPR. But if you are a company where actually you might be selling goods and services over to the EU, then obviously the EU extraterritorial effect will apply and you might want to think about retaining references to EU GDPR. But certainly, yes, we are making those distinctions in our agreements to be clear, for everybody's sake, about which legislation applies, because right now it does not make too much difference, as we are on a par with the EU, but looking forward there is every possibility that different regulators and different governments might decide different things, particularly, as Rocio was flagging, for example around adequacy decisions for transferring data to other jurisdictions.
Rocio: Now, another question that we actually discuss a lot with clients is the processor to sub-processor ongoing data transfers. So when you have the controller exporting and the processor importing, and then the processor sends the data out as well to a sub-processor, we do not currently have in place approved processor to sub-processor clauses. You can agree on a mandate from your controller that you are allowed to enter into controller to processor clauses with this sub-processor on behalf of the controller. When you have that approval agreed in a contract, we recommend that this is done in detail, and the list of sub-processors is approved and so on, as with any processor for international transfers as well. But the new draft model clauses by the European Commission, which we hope will be approved soon, are much more flexible and they have one model that is meant to be put in place for transfers between a processor exporter and a sub-processor importer. So the processor would be able to put that arrangement in place with the sub-processor who is located in a third country. But at the moment we are taking that approach as well: that the processor puts in place model clauses on behalf of the controller with the sub-processor. We have considered other approaches, but where you need to have standard contractual clauses in place, that is what we are doing as well.
Jocelyn: I was just going to take a question going back to data sharing briefly, about: is it advisable to put a data sharing agreement in an annexe in contracts with clients? I think the most appropriate way to document your data sharing will depend on the context to some extent. If it is a services agreement but it happens to be that you are both controllers, then it would seem logical to integrate it with the agreement, to avoid some of those issues I mentioned earlier about conflicting termination clauses, liability, sub-contracting, sub-processing, etc. In other instances, though, it makes that agreement either unwieldy, or just due to admin, different teams and different organisations want to have their own document, so you then end up with a separate data sharing agreement. It is a little bit form over substance, so there is no legal requirement for it to be standalone or integrated; it is very much whatever works well in your particular context.
I wondered if you wanted to take one, it might be our last question, Rocio, about data subjects giving consent in relation to international transfers. We had a question asking: should we look at that as a ground for international transfers?
Rocio: It is allowed; it is in Article 49. I have to say, so far, in practically all the contexts in which we have considered that option, we found out that it would not be fair or it would be a total burden for the client to put in place. But having said that, if you manage to be clear, for the consent to be GDPR compliant, for the data subject to really understand all the risks and benefits as well, because of course you need to be commercial as well and convince them, but be very clear on all the risks associated with that transfer and the type of data that is involved, etc., then it is definitely one of the exceptions allowed. But in practice I have to say, all the times that we have considered that, we have not put it in place yet with any of our clients, for the reasons I just flagged.
David: Right, I am going to butt in now. It is coming up to 11:30 and I committed that we would finish this within an hour. I mean, we have been overwhelmed by your questions; I think we had more than 30 questions and I think we have dealt with about ten of those, so sorry to those of you that we have not got to. We will, after this, work out how we can respond to those of you we have not come back to already. This session is going to be circulated to you all as a recorded version, so if you really want to you can watch it again, or, more importantly perhaps, share it with a colleague that you think would be interested, and the slides will be available as well, so that you can review those and indeed share those as you want.
I mentioned at the beginning that we are going to be running this poll as this comes to an end, and I imagine Suzy will be popping up shortly asking what you think about a physical event in the Autumn, and obviously there will also be our usual request for feedback. Your feedback is really important to us in terms of what we cover in these sessions. We obviously want to do what you are interested in rather than what we are interested in, so do fill in the feedback forms to tell us what you would like to see done. I mean, it strikes me, for example, that having an opportunity to have more of a discussion and Q&A on data protection, as many of the questions you have been raising are about the day-to-day hassle of data protection compliance and advice, would be one area, for example, and I am sure there are other areas.
Next week we have customs on Tuesday, customs and international trade post-Brexit, for those of you who are trading across the UK/EU border, dealing with the challenges of exporting to Ireland and indeed transferring to Northern Ireland, with the realities of that trade. That session will be on Tuesday. And then on Thursday we have a session on human rights. Human rights is obviously something that, I think, we all as human beings consider important, but it is becoming more and more important legally for companies if you or your subsidiary or your supplier fails to comply with some kind of human rights somewhere around the world. Currently that is a reputational issue, but it is becoming more and more of a legal issue and we are going to be exploring that, discussing that, next Thursday.
So thank you very much. Fantastic how many of you hung on right to the end there, so I really appreciate that, and we will end this seminar there. Thank you.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.