PONT Data&Privacy


Data transfers after Schrems II and Brexit: what's the status now? (part 2)

This summer again brought some relevant developments in the area of international transfers of personal data. In an earlier post in that context, I already discussed the final new model contracts published by the European Commission (EC) on June 4, 2021. But there were more developments. For example, on June 18, 2021, the European Data Protection Board (EDPB) published its final recommendations on personal data transfers after Schrems II. And finally, on June 28, 2021, the EC also published an adequacy decision with respect to the United Kingdom. In this post, therefore, I briefly discuss the final recommendations of the EDPB and the adequacy decision with respect to the United Kingdom. For a discussion of the previously published model contracts, I refer to my earlier contribution.

October 4, 2021

Background articles


EDPB Recommendations

Previously, the EDPB published draft recommendations on post-Schrems II transfers of personal data. I discussed those draft recommendations in an earlier contribution. Many of the recommendations remain unchanged from the draft recommendations, but there are some notable differences, which I would like to briefly touch upon here:

  • The assessment of whether the protection of the personal data transferred is broadly equivalent ("essentially equivalent") to the level of protection within the EEA must be done on the basis of the final recommendations both after and during the transfer of the personal data.(1)

  • The final recommendations place stronger emphasis on the fact that when conducting the transfer impact assessment, practices in force in the third country should be assessed in addition to the relevant legislation, even if that legislation in the third country formally meets EU standards. If incompatible practices exist in the third country (regardless of the legal regime in that third country), additional measures will have to be taken.(2)

  • If the transfer impact assessment of the law of the third country shows that the relevant law in that country is or may be incompatible with EU standards, organizations may decide to proceed with the transfer without having to take additional measures if they consider that the relevant law will not be applied in practice to the specific transfer and/or the relevant data importer based on the experience of that data importer. Organizations will have to demonstrate and document in detail the existence of such a situation in such cases.(3) Here, the list of possible sources for the assessment of a third country, contained in Annex 3 of the Final Recommendations, can be used.

  • The draft recommendations seemed to consider that subjective factors, such as the likelihood of harm to the data subject, could not be considered when conducting a transfer impact assessment. However, under the Final Recommendations, data exporters can consider "documented practical experience of the data importer with relevant previous cases of requests for access received from public authorities in the third country" when conducting a transfer impact assessment. This leaves room for consideration of some subjective factors, though with limitations:

    • The data exporter can use the experience of the data importer as an additional source of information only if the laws in the third country do not prevent it from disclosing such information. This seems to exclude some countries. Indeed, in the U.S., so-called "tipping off" is prohibited.

    • The relevant and documented experience of the data importer should be confirmed by relevant, objective, reliable, verifiable and publicly available or otherwise accessible information on the practical application of the relevant legislation.

    • The fact that the data importer has not previously received requests cannot by itself be considered a decisive factor in allowing a data transfer to proceed without additional measures. This information can only be considered together with other types of information obtained as part of the overall transfer impact assessment.

  • The final recommendations also provide additional guidance on how to assess the strength of encryption algorithms(4) and how cryptographic algorithms can be used to pseudonymize personal data (see footnote 83 of the recommendations)(5).

Adequacy Decision for the United Kingdom

As is well known, Brexit led the UK to withdraw from the EU on Jan. 31, 2020. Based on the withdrawal agreement ratified by both the EU and the UK, a transition period during which EU law continued to apply in the UK ended on Dec. 31, 2020, which also affected the GDPR and secondary legislation. However, from Jan. 1, 2021, transfers of personal data to the UK were covered by the EU-UK Trade and Cooperation Agreement. The trade and cooperation agreement provided for a bridging clause that ensured full continuity of data flows between the EU and the UK, without requiring organizations to implement a GDPR transfer instrument. However, this solution only applied for a maximum period of six months. After this period expired, the UK would be considered a third country by the EU in terms of data protection rules.

Two days before the bridging clause was due to expire, on June 28, 2021, the EC adopted an adequacy decision under the GDPR.(6) This decision means that organizations in the EU can continue to transfer personal data to organizations in the UK without restrictions, without the need for additional safeguards (such as entering into the Model Contracts discussed above).

After careful examination, the EC concludes that the UK's data protection system is based on the same rules that applied when the UK was an EU member state. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its (post-Brexit) legal system. Furthermore, the EC considers that in terms of access to personal data by public authorities in the UK, the UK system provides strong safeguards. In particular, the collection of data by intelligence agencies requires, in principle, prior permission from an independent judicial authority. In addition, anyone who believes they have been the victim of unlawful surveillance can bring a case before the Investigatory Powers Tribunal. The EC also considers that the United Kingdom falls under the jurisdiction of the European Court of Human Rights and must comply with the European Convention on Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. These international conventions are an essential part of the legal framework assessed in the adequacy decision and thus found adequate by the EC.

Noteworthy in the adequacy decision is that for the first time it contains a so-called "sunset clause." This means that the decision will automatically expire four years after it comes into force. After that period, however, the decision can be extended, but only if the UK continues to ensure an adequate level of data protection. During these four years, the EC will continue to monitor the legal situation in the UK and can furthermore intervene at any time should the UK decide to deviate from the current level of protection.

Conclusion

Many companies will have their hands full replacing their "old" model contracts with the set of new Model Contracts, which should be completed before the end of 2022 (as discussed in my earlier post). This will logically take a lot of time, especially considering that transfer impact assessments will also need to be made in line with the final EDPB Recommendations discussed above. Fortunately, organizations transferring personal data to the UK will be spared this time (for now), as the adequacy decision allows them to continue to transfer personal data to organizations in the UK without restrictions or additional actions.

Footnotes

(1) E.g., paragraph 2 of the final recommendations.
(2) Paragraph 30 of the final recommendations.
(3) Reference is made to the information framework on page 4 of the recommendations.
(4) See footnotes 80 and 81 of the Final Recommendations.
(5) See footnote 83 of the Final Recommendations.
(6) Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (Law Enforcement Directive).
