It is safe to say that the past year has been an eventful one. So, with the GDPR’s third anniversary just around the corner, we decided to look back at the 5 most impactful changes that the past 12 months have brought to the world of data protection.
Impacts don’t get much more significant than the Court of Justice of the EU’s Schrems II ruling from back in July 2020. Huge questions were raised around the mechanisms used to transfer EU residents’ personal data outside of the EU to third countries (countries outside the European Economic Area) that did not have an Adequacy decision.
It all started when the Schrems II ruling invalidated the EU-US Privacy Shield, which had previously enabled the free flow of personal data between the EU and US. The fallout of this was that organisations sharing EU residents’ personal data with the US had to find a new mechanism by which to lawfully continue these transfers.
This might have been straightforward, as alternative mechanisms did exist, namely Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and the Article 49 derogations. However, Schrems II, rather inconveniently, also called into question the ability of BCRs and SCCs on their own to ensure an adequate level of protection for personal data. This presented a much wider problem that affected not only EU-US transfers, but any transfer to a country outside of the EU (a ‘third country’) that did not have an Adequacy decision, i.e. a decision adopted by the European Commission under Article 45 of the GDPR confirming that the country ensures an adequate level of protection for personal data.
Fortunately, things have now settled down on this front, with guidance confirming that SCCs can still be used for personal data transfers, albeit with supplementary measures required where the exporter’s assessment of the destination country’s law and practice shows that the SCCs alone do not ensure an essentially equivalent level of protection. The EDPB has published a guidance document for consultation on this, which is expected to be finalised later in the year, and the ICO (the UK’s independent supervisory authority for data protection) has stated it will also publish some UK-centric guidance on this in due course. Problem solved… perhaps?
Next came Brexit. Since the end of the transition period on the 31st of December 2020, EU law no longer applies in the UK. However, UK organisations that process the personal data of individuals in the EU (for example by offering them goods or services, or monitoring their behaviour) must continue to comply with the EU GDPR courtesy of its extraterritorial scope. UK organisations that do not process the personal data of EU residents are also not off the hook. This is because the EU GDPR was retained in UK law at the end of the transition period, amended and renamed as the UK GDPR, which now sits alongside the Data Protection Act (DPA) 2018.
This means that UK organisations processing personal data must now comply with the UK GDPR, and organisations that process both UK and EU residents’ data must comply with both the EU GDPR and the UK GDPR. Whilst at present these two pieces of legislation are essentially identical, over time they will likely diverge through case law and domestic legislation, potentially adding further complexity.
A further impact of Brexit is that the UK is now officially a third country, meaning that for any transfers of EU residents’ personal data into the UK, an appropriate international transfer mechanism needs to be in place. To avoid the requirement for UK organisations to implement SCCs for all EU data transfers, the UK is currently in the process of gaining an Adequacy decision from the EU.
Adequacy is a status awarded by the EU Commission that confirms it is satisfied that the country’s data protection laws provide a level of protection that is ‘essentially equivalent’ to the protection provided in EU law. With countries that have received an Adequacy decision, personal data can flow freely, making it the most straightforward international data transfer mechanism.
At the time of writing, it is looking positive for the UK, with the EU Commission publishing a draft decision granting it Adequacy. However, this has yet to be formally adopted and, if it is not finalised by the end of the current bridging period (due to expire on the 30th of June 2021) additional safeguards will be required to transfer EU residents’ personal data to the UK.
In addition, under the UK GDPR, the UK can now make its own Adequacy decisions – known as Adequacy Regulations. Currently, the UK has given Adequate status to the same countries that the EU Commission has deemed Adequate under the EU GDPR. It has also granted the EU itself Adequacy, despite the EU failing to reciprocate to date.
It is impossible to talk about the past 12 months and not mention the COVID-19 pandemic, which has brought with it a whole host of data protection issues, exacerbated by the ‘special category’ nature of health data. First, there were issues around the mass shift to remote working, which occurred virtually overnight; then concerns over testing and the NHS Test & Trace App; and now it seems that new concerns are being raised over the UK’s vaccine passport scheme announced last month. It has been determined that the NHS App used to book doctor’s appointments is going to be used to enable individuals to prove that they have been vaccinated against COVID-19 or had a negative test result before travelling internationally.
On this point, Elizabeth Denham, the UK’s Information Commissioner, has highlighted that any such scheme would face significant questions relating to its necessity (whether the purpose could be achieved by a less intrusive method), proportionality (whether the means used are balanced against the intended aim), and transparency. She also went on to express concerns over the possibility that vaccine passports could create a “two-tier system” whereby those who have had the vaccine are able to enjoy more freedoms than those who have not.
Finally, and most recently, just last month the EU Commission released a proposal for a regulatory framework that aims to govern when and how AI can be used in the EU. Whilst at present it is only in the proposal stage, the Regulation will impact organisations outside of the EU if they are offering AI systems for sale in the EU or using AI in any way that would impact EU residents.
In our last blog, we discussed the proposed new Regulation and what it may mean for the UK. Of particular note was the fact that for some violations of the Regulation, organisations could be fined up to €30 million or 6% of annual global turnover, whichever is greater.
Conclusion
As we get ready to celebrate 3 years of the GDPR, it is no overstatement to say that the past year has been something of a rough ride. Not only has COVID-19 completely changed the way that businesses work and, consequently, how they process personal data, it has also partly drawn our minds away from the uncertainty that Brexit posed.
Despite all this, it seems that as the dust settles around the UK’s departure, and we come out the other side of the pandemic, the UK’s data protection landscape is beginning to take shape as a separate entity from the EU. And, as we enter the EU GDPR’s fourth year of existence, it will be interesting to see what further developments will come our way; most notably if and how its sibling, the UK GDPR, decides to break away and forge its own regulatory path. On that, we will be sure to keep you posted.