Transfer from the UK

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.

The UK’s draft International Data Transfer Agreement (IDTA) and Addendum  were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.

As a reminder:

  • Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
  • all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
  • all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.

Transfer from the EU to the US: En Route for Schrems III?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced  an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Such transfer mechanisms notably include:

  • A transfer impact assessment (TIA), analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access;
  • Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to Binding Corporate Rules, or to a Code of Conduct (see our Alert here).

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.

First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

During his January 2022 hearing before France’s National Assembly, the newly appointed chairman of the French competition authority (AdlC), Benoit Coeuré, stated that the digital sector would be one of the principal subject matters of his chairmanship (see press release here in English). 

His intention is to focus on “the emergence of new essential infrastructures such as cloud-computing” and that, in consequence, “it would be important and justified for the AdlC to rapidly undertake in-depth work on the consequences of cloud-computing in all sectors in conjunction with the relevant sectoral authorities.”

Pursuant to Article L. 462-4 of the French Commercial Code, the AdlC has therefore decided to conduct a wide analysis of the matter in order to assess the competitive situation of the cloud-computing ecosystem.

A BOOMING SECTOR

This opinion comes at a time when the cloud-computing market is booming at both the European and French level, with an average annual growth expected to exceed 25% over the next few years, with strong value-creation challenges for the economy, and allowing for a 2030 market prediction 10 times larger than in 2020.

Over the last few years, cloud computing has become a complex ecosystem of technologies, products, and services, giving rise to a wealthy economy where several cloud-computing service providers compete for an ever-increasing share of the service market. This peaking sector allows for more efficient ways of working, which has ended up being especially valuable during the COVID-19 pandemic.

This “cloud boom” also serves as the backbone of a widespread digitalization of the economy, which is supported by the French government with its new national plan to support the French cloud industry.

THE NECESSITY FOR GLOBAL ANALYSIS 

The AdlC’s purpose to conduct a broad analysis of the cloud-computing sector is pushed by both a European and international dynamic.

In this regard, the AdlC intends to provide for a definition of the relevant markets in the sector. 

This commitment can be traced back to the European Commission’s (EU Commission) early analysis of the “IT outsourcing services” market encompassing the “public cloud computing services” as one of its sub-segments.1  Concurrently and from a transatlantic perspective, the U.S. Federal Trade Commission is also pushing forward with an antitrust scrutiny in the cloud-computing business. 

The AdlC intends to study the competitive dynamics of the sector and the presence of operators in the various segments of the value chain (including their contractual relations) in a context where multiple alliances and partnerships are concluded for the provision of cloud services. 

Should the AdlC identify potential improvements, proposals may be issued for the competitive functioning of the sector.
Taking into account the variety and complexity of the cloud-computing technologies involved, the AdlC announced that, for the first time, the investigation unit will comprise lawyers, economists, and data scientists notably from the newly created Digital Economy Department.

THE NEXT STEPS

A broad public consultation will be taking place in the next few months to gather comments and suggestions from the stakeholders. Comments are to be sent to the AdlC through the following email address: avis.cloud@autoritedelaconcurrence.fr

The final opinion is expected to be issued by the beginning of 2023.

The firm’s global competition and data protection team (including the competition team and data protection team in each of our European offices) remains available to assist you in achieving the compliance of your data and antitrust matters at global levels.

First publication: K&L Gates Hub with Camille Scarparo

The French data protection Supervisory Authority (The CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed  for lobbying purposes.

Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The personal data included in those records included professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score of 1 to 5, aiming at evaluating  their influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.

(more…)

BACKGROUND

On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide further safeguards as required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as Korean public authorities. However, the transfer of personal credit information that is subject to jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.  

The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea, but it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services or monitoring of behavior of EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, but not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.

The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force, which was charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.

(more…)

Depending on whether you are an optimist or a pessimist, it will have taken the European Commission either three years and two weeks (since the entry into force of the General Data Protection Regulation (GDPR) or eleven months (since the Schrems II decision — see our Alert here) to publish its finalized revision of the most flexible tool to allow for the transfer of personal data to partners located in countries not otherwise providing an adequate level of data protection (Adequate Countries): the Standard Contractual Clauses (SCCs).

While Schrems II made headlines with its cancellation of the Privacy Shield framework, this mechanism only affected 5,000 companies in the United States. SCCs, on the other hand, remain the most widely used instrument to ensure an end-to-end sufficient level protection of personal data covered by European data protection. With their original version dating back 2001, an update was severely needed to align them with GDPR’s extensive reach and requirements.

IN A NUTSHELL:

  • The new SCCs were published on 4 June 2021:
    • Starting on 27 June 2021, companies will need to transition to the new SCCs;
    • On 27 December 2022, companies must have finalized their transition to the new SCCs.
  • Affected companies include:
    • EU-based entities sharing data with partners and providers located in countries deemed not to offer an adequate level of protection;
    • Non EU-based entities otherwise subject to GDPR’s extensive territorial reach (see our Alert here) sharing data with partners and providers located in countries deemed not to offer an adequate level of protection; and
    • Non-EU based entities receiving or processing personal data from or on behalf of EU-based partners or non-EU partners otherwise subject to GDPR.
  • Key new elements include:
    • Data exporting entities will need to assess the importing countries’ regulatory framework;
    • Where such framework cannot safeguard the transferred data subject to GDPR, additional measures must be implemented contractually, organizationally and/or technically;
    • Each and every step of the assessment, and the relevancy of the remediation measures, must be thoroughly documented; and
    • In the case of a controller/processor/sub-processor relationship, the new SCCs consolidate the requirements into a single agreement addressing the data processing requirements under Article 28 GDPR and the data transfer agreement.
  • While the new SCCs provide for a general framework, many issues are left to:
(more…)

The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act 1)Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) introduced to legal entities additional compliance requirements to address corruption in order for France to meet the highest European and international standards.

Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA),  whose main mission is to help economic and public players in the process.

The AFA noted in its 2019 annual activity report 2)French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).that anticorruption measures implemented by economic and public players were still incomplete.

On 12 January 2021, the AFA published new recommendations entered into force on 13 January 2021 (Recommendations, here in French).

The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:

  • Governing body’s commitment;
  • Understanding the entity’s exposure to probity risks; and
  • Risk management.
(more…)

References

References
1 Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016)
2 French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).

Since the Schrems II decision of the Court of Justice of the European Union (CJEU) last year (see our alert here), companies in the European Union found themselves between a rock and a hard place, as many still rely on U.S.-based online service providers in one capacity or another, and the CJEU, in addition to totally invalidating the Privacy Shield framework, mandated additional requirements over the Standard Contractual Clauses (SCCs), the most widely used lawful transfer mechanisms.

Following this CJEU decision, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) has now effectively barred a European online magazine from using the popular U.S.-based newsletter delivery service, Mailchimp.

Companies using Mailchimp to route their newsletters must generally transfer personal data (e.g., the recipients’ email addresses) to Mailchimp’s servers in the United States. Previously certified under the late EU-U.S. Privacy Shield framework, Mailchimp had to pivot to offer its European customers an alternative transfer mechanism, i.e. the SCCs. While their general validity was left untouched by the Schrems II decision, the CJEU argued that it may be required for companies relying on the SCCs to assess whether additional safeguards should be implemented on top of the SCCs in order to effectively protect personal data.

As expressly mentioned in the Schrems II decision, transfers to cloud service providers in the United States would require such additional safeguards, due to the broad investigative powers of U.S. authorities, e.g., under Section 702 (50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).

Until now, it had seemed that the EU supervisory authorities had granted companies an unofficial grace period to adjust to the amended legal situation, especially as new templates for SCCs taking into consideration the Schrems II decision are expected to be finalized in the coming weeks.

The action of the Bavarian Data Protection Authority shows that this restraint might have come to an end. In a recent press release concerning this investigation, the authority commented that the case was exemplary for their enforcement of the requirements of the Schrems II decision, which had already been taken up with a high degree of intensity even without publicly perceived investigations or sanctions. 

The Bavarian Data Protection Authority based its action expressly on the fact that the European company has not assessed whether additional safeguards for transferring personal data to Mailchimp were required, in particular as Mailchimp may be subject to the Cloud Services Act. While no fine was imposed in this case and the Bavarian Data Protection Authority did not issue a formal decision, the authority still informed the company that their use of Mailchimp was (in their view) not in line with General Data Protection Regulation (GDPR) requirements. The company also promised to cease using Mailchimp in the future.

However, it should be noted that the official reason for not imposing a fine was on the one hand, the low sensitivity of the data transferred (email addresses only) and, on the other hand, the limited scope of the transmission (only two newsletters were sent). The details of the case being leaked and officially commented on by the supervisory authority could be considered as a warning to other EU companies transferring data to U.S. cloud service providers, which should probably expect less leniency from the supervisory authorities from now on. 

The current case was rather clear, as the European company in question has apparently taken no steps at all to establish and document whether additional safeguards were required and were already (because of this omission) in breach of their statutory obligations under GDPR. Future cases will probably not be as easy to decide, in particular when an EU company has documented a respective assessment or even implemented additional safeguards, and supervisory authorities and ultimately courts will have to assess what is really required to ensure adequate security of personal data in countries outside the European Union. 

Following the decision of the Bavarian Data Protection Authority, EU companies using U.S. online service providers, especially cloud services, are therefore encouraged to check the basis of their data transfers to the United States and, if necessary, adapt them to the new legal situation in order to avoid facing potentially high fines. 

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First Publication: K&L Gates with Thomas Nietsch & Martin Fokken

The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and delivery company catering to office employees (see full Decision SAN-2020-018 in French).

The CNIL highlighted various breaches of the General Data Protection Regulation (GDPR) and the ePrivacy Directive regarding the processing of prospects and clients’ personal data by the CNIL, most notably:

While the fine is rather limited in view of the maximum potential amount of EUR 20 million or four percent of the turnover (whichever the greater), this decision presents an opportunity to examine web scraping and direct marketing practices, which are rapidly developing.

(more…)

When the General Data Protection Regulation1)Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, … Continue reading came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents2)Art. 3(2)(a) and (b) GDPR..

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.

(more…)