PONT Data&Privacy

0

First fines imposed for violating tightened privacy rules

The rules on international transfers of personal data have been tightened following the Schrems II ruling of the Court of Justice of the European Union and the subsequent Recommendations of the European Data Protection Board (EDPB). In practice, organizations are finding these rules complex to implement. There is no time to sit still, however: several European regulators have already taken enforcement action against unlawful international transfers.

October 14, 2021

Background articles


Rules on international transfers

Chapter V of the GDPR provides that when personal data is transferred to a country outside the European Economic Area (EEA), that data must remain adequately protected. Organizations must choose an appropriate transfer instrument for each transfer. If the destination country is not covered by an adequacy decision, further appropriate safeguards are required, such as implementing Binding Corporate Rules or concluding Standard Contractual Clauses (SCCs) with the data importer.(1) In practice, transfers are most often based on the SCCs. Although the SCCs were not declared invalid in the Schrems II ruling, the European Commission has since replaced them with a new set. As of September 27, 2021, the new SCCs are mandatory for new transfers; for existing contracts, the old SCCs must be replaced with the new standard by December 27, 2022.

In addition, even where the new SCCs are used, organizations must verify on a case-by-case basis that the personal data remains adequately protected during and after the transfer. In practice this is done by conducting a Transfer Impact Assessment (TIA). The purpose of the TIA is to determine the extent to which the laws and practices of the country outside the EEA provide a level of protection essentially equivalent to that of the GDPR. If the transfer involves privacy risks, the same TIA is used to determine which supplementary technical, organizational and/or contractual measures should be taken and whether those measures are adequate.

Much remains unclear

Although the EDPB's Recommendations and the new SCCs provide guidance on how to conduct a TIA, organizations still have many questions about how to comply with the tightened rules, in particular about how to carry out a TIA. For example, it is not always clear how far a data importer's GDPR obligations extend, since the data importer is established outside the EEA and does not (always) fall within the scope of the GDPR. It is also difficult for organizations to determine when supplementary measures are necessary and whether the proposed measures are sufficient. At a meeting of the Association of Privacy Lawyers, the European Commission indicated that it would publish a clarifying Q&A soon.

Enforcement by European regulators

Despite the lack of clarity about the current rules on transfers, two fines have recently been imposed for violating the rules on international transfers.

On September 27, 2021, the Norwegian regulator imposed a fine of EUR 496,000 on Ferde AS for a violation of Article 44 GDPR.(2) The Norwegian toll company used a processor to analyze photos of license plates that could not be read automatically. Employees of the processor analyzed the photos, and some of these employees were located in China. According to the regulator, Ferde AS had wrongly failed to conclude a processor agreement and to conduct a TIA for the international transfer.

On September 29, 2021, the Italian regulator published a decision fining Luigi Bocconi University EUR 200,000 for violating the obligations of Chapter V of the GDPR. The university used an American online proctoring app to monitor students during remote examinations. This involved transferring personal data under the SCCs to a processor and a sub-processor in the United States. The regulator found that the university had erred by not analyzing the impact of this transfer and should have conducted a TIA. Interestingly, in calculating the fine, the Italian regulator took into account the complexity of implementing the requirements for transfers to countries outside the EEA, and stressed that the legal framework on international transfers is still evolving.

This is not the first time enforcement action has been taken. Earlier this year, on March 11, 2021, the Spanish regulator fined Vodafone España a total of EUR 8,150,000.(3) Part of this fine was imposed for non-compliance with the rules on international transfers: Vodafone used a processor established in Peru for direct marketing, but had not taken the appropriate measures required under Chapter V of the GDPR.

How to move forward?

As the Italian regulator recognized, complying with the tightened rules is complex, partly because the legal framework has not yet fully crystallized. Recent fining decisions nevertheless show that European regulators do not hesitate to take enforcement action against non-compliance with the rules on international transfers. Organizations would therefore do well not to sit still and to start embedding TIAs in their day-to-day processes.

Footnotes

(1) https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
(2) https://edpb.europa.eu/news/national-news/2021/norwegian-data-protection-authority-ferde-fined_en
(3) https://edpb.europa.eu/news/national-news/2021/spanish-dpa-fines-vodafone-spain-more-8-million-euros_en
