June is already proving to be an important month in the continuing development of data protection law as it applies to the transfer of personal data from territories that, in GDPR terms, have "adequate" data protection laws, and to the steps a data controller needs to take where the personal data it controls may pass into territories that do not meet an adequacy test.
Why is this briefing important to me?
With the ever-increasing adoption of software as a service and cloud-based storage of data, more and more situations are arising in which personal data is transferred across international borders. The EU is modernising its GDPR-based approach to international transfers, which includes requiring some very specific actions from data processors involved in the chain of processing activity that arises in such circumstances. The detail is contained in two decisions of the European Commission published on June 4th.
What is meant by adequate?
The concept originates from within the EU and involves a formal assessment of the data protection laws of a non-EU or EEA territory in order to determine whether there are appropriate safeguards for personal data, with rights enforceable by the data subject supported by the existence of legal remedies.
Within the UK, post-Brexit, we are applying the same approach. Understandably, the UK has formally declared that the laws applicable in the EU/EEA member states provide adequate protection for the personal data of UK subjects.
We say that June is an important month because, as part of the arrangements that led to the UK exit from the European Union, it was agreed that the EU would, likewise, make their adequacy determination related to UK data protection laws. That decision is required to be in place by the end of June, failing which the UK will, in data protection terms, be regarded as a third country. Time is running out but the process is well underway with no suggestion that a positive outcome will not be achieved by the end of the month.
Why is the EU decision important to our business?
First and foremost, if your business does not involve you processing personal data that is transferred to you from the EU, this will not be of significance to you. However, from the point at which you acquire a customer within the EU it will become applicable. This briefing will still be a good read, as the UK is expected to adopt the same rules and methodologies as the EU.
For businesses that already sell their products and services into the EU, you will be affected by the new requirements, whether or not an adequacy decision is forthcoming, if your existing contract terms do not satisfy the requirements of Article 28 of the EU GDPR.
For businesses that operate with software-as-a-service applications that store personal data in the cloud and that involve onward transfers from the UK, there are further important new requirements to be aware of.
OK, so I do have EU customers and I do receive personal data. What do I need to know?
Your EU customers are likely to be more vigilant around the legal terms and conditions under which they transfer data to you. It may well be that your business has already taken account of EU GDPR and has accepted the necessary requirements - or your own terms and conditions may already incorporate these, which are to be found in Article 28 of GDPR.
In any event, the good news is that the process of providing the necessary assurances to your customer has been simplified, with the EU having published a standard form document that may be adopted, integrated with your terms and conditions of business or into a customer-specific contract. These Standard Contractual Clauses (SCCs) are available to refer to here.
Keep in mind that these requirements also apply if you have an EU subsidiary from which personal data is transferred - a data sharing agreement incorporating these requirements is essential.
What if I hold personal data of my EU customers in software as a service applications such as accounting and CRM applications?
There are further considerations that you will need to take into account. If you have seen our previous briefing following the European Court of Justice decision known as Schrems II (available here), you will know that the EU is now focusing on the use of SCCs as its key protection measure for personal data passing out of EU member states into third countries.
SCCs have existed for some time but predate EU GDPR. A commitment to revisit these model clauses was given immediately following the Schrems II decision, with a consultation exercise following. The outcome of that exercise is now known, with new SCCs covering international transfers of data also published on June 4th and available here.
As part of the modernisation process, the EU has adopted a modular approach to the SCCs, allowing their use across various scenarios, including controller to processor, processor to processor (relevant to sub-contracting) and data sharing arrangements.
The new SCCs do, however, bring into play greater due diligence requirements for both the data exporter and data importer around the transfer of data to third countries. A local law assessment will be necessary, with this documented and available to regulators, the customer (in the case of the data importer's assessment) and data subjects affected by the transfer.
Are the EU requirements explained in this briefing directly applicable to my UK business?
The answer is clearly no. We have left the EU and now simply look to our domestic regulator - the Information Commissioner's Office. But customers in the EU will have concerns if they cannot demonstrate full compliance with requirements equivalent to EU GDPR down the chain of data transmission. The ICO has been following developments in this area and has already announced an intention to set out its own SCCs, which will become a requirement under UK GDPR. This has not yet happened and will undoubtedly involve a consultation exercise, so the UK SCCs may not be in effect for some time.
The position is likely to be rather messy for some time to come. The main focus of this note is software as a service. What we can expect to see is a recognition amongst those service providers of the new EU requirements and, in due course, UK equivalent measures that are similar in scope. Service providers will be concerned about the local law assessment requirements which, in theory, will lead to many of their customers initiating due diligence. We are sure, however, that there will be ways of addressing that.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.