Data Protection Hot Topics - Thinkhouse (Video)

• Published date: 04 October 2021
• Subject Matter: Privacy, Data Protection
• Law Firm: Gowling WLG
• Author: Ms Jocelyn S. Paulley and Helen Davenport

Our data protection experts, Jocelyn Paulley and Helen Davenport, look at the latest hot areas and developments of data protection, including international transfers, recent cases and updated guidance from the ICO.

self

Transcript

Helen Davenport: Good morning everyone and welcome to the first of our series of Autumn 2021 Thinkhouse Webinars developed specifically for in-house counsel. Thank you very much for joining us today. I am Helen Davenport, a partner in the commercial litigation team at Gowling WLG and leader of the contentious data protection and cyber security practice at Gowling WLG in the UK. I will be co-presenting the data protection update session we have for you today with Jocelyn Paulley also a partner at Gowling WLG.

In terms of housekeeping, before we begin, we are very pleased to take questions as we go so please do put any questions as they occur to you in the Q&A box and we will also aim to pick up any remaining questions in the time that we have got at the end. I confirm that the session will be recorded and available after the event and it will also be circulated to attendees with the rest of the series of these seminars. Those details covered, I will hand over to Jocelyn.

Jocelyn Paulley: Good morning everyone. Pleased to have you with us today. I will just briefly outline our agenda for this morning because today we are going to take a look at some of what is hot and what is happening in the world of data protection and there has been a lot going on over the course of the year as Helen and I were looking back and preparing for the session.

So first of all, I am going to take a look at what has been going on around international transfers and there has of course been an awful lot going on since the UK left the European Union over the course of the summer and then particularly in the last month as we start to get a flavour of what might lie on the road ahead. I will then hand back to Helen and she is going to have a look at some recent UK cases and enforcement action and see what trends and patterns we can start to see emerging there and then I will take us back for a quick reminder of the latest guidance we have seen come from ICO that are most likely to be significant for you and a bit of horizon scanning to see what else is out there that you might need to be aware of in your day to day.

So firstly let us have a look at international transfers. I am going to break this down and do this by transfer to transfer so first of all we will look at EU to UK transfers. Now this might not seem immediately apparent to some of you here today if you work within a UK Based business, but I am conscious that lots of you will actually have group companies spread across Europe and even if you are within the UK, you are going to be on the receiving end of transfers out of the European Union so still helpful to know the context in which the Europeans are operating. So following the UK's departure from the European Union we are now of course seen as a third country in terms of international transfers which would mean that transfers from the EU have to have an appropriate safeguard to be able to get the data to the UK. It came down very close to the wire for the European Commission to decide to give the UK adequacy which we did finally get on 28 June just before the transitional arrangements were due to expire at the end of June so good news for a regulatory point of view for now in that transfers from the EU to the UK do not need any additional level so protection because we have adequacy but unfortunately that is not the end of the story in terms of an EU finding of adequacy for the UK. This adequacy decision for the first time ever has what has become known as a sunset clause which says that if at any time in the future, the European Commission deems that the UK practices have moved away from the standard they were when the decision was given and that the UK is no longer offering an adequate level of protection, the European Commission could withdraw that finding of adequacy and in any event even if that was not there the adequacy decision will automatically expire in four years' time so we there will definitely be a review at that point. So I am afraid this is still an area that we will have to watch and be aware of and in terms of your day to day, it means that the data mapping that we always talk about at these sessions is ever important so that you know and understand have a view of your organisation's data transfers now including as between the EU and the UK which we did not used to look at when we were all within the EU so that if this changes in the future you have got a really clear picture of which transfers that is going to affect within your organisations or its supplier relationships or customer relationships and what steps you will have to take.

So moving on then to look at EU to other third country transfers. Again we have seen some significant action here so over the course of the summer we saw the European Commission publish a new version as standard contractual clause to replace the previous ones. These will be mandatory for any new data transfers happening from next Monday and for current data transfers that are based on the old version of the SCCs, the EU want to see that all of those repapered and put on to the new SCCs by December next year, so it gives a period of time but not a huge period as we know from doing GDPR update exercises. This kind of repapering if you have a large customer base or supplier basis is quite a significant effort. Why has the European Commission done this? It is not just to add more paperwork to our lives, there was a recognition that the clauses that we currently approved or if the European Commission has previously approved only deal with a limited number of scenarios we only had controller to controller or controller to processor and in today's world of data transfers the clauses need more options and more variables for different transfer relationships so clauses also now cover processor to a sub-processor or a processor in the EU back to a controller outside of the EU so there are now four varieties of combinations you can use the clauses for. There is also an optional docking clause to allow more than just two parties to sign SCCs which was again another difficulty previously recognising that data transfers are now often not just bio-lateral but they go many ways between groups of organisations, and as you might expect the clauses also now cater for the impact of the Schrems II decision from last summer so there are clauses saying that the parties have looked at the laws of the country to which the data is being imported and that the parties have done an assessment and have put in place any additional measures that are necessary to ensure the transfer is adequately protected so they are a really significant departure from the clauses that we had previously. Still cannot be negotiated by a party, still in that set form, still have appendices that need to have the specific details of the personal data being processed entered into but the content of the clauses is really quite different and also just a reminder that over the summer the EU issued what they called somewhat unhelpfully SCCs but it was actually template controller to processor set of clauses, nothing to do with international transfers just for day to day processing within a jurisdiction so there are now two sorts of SCCs out there, one in an international context and one in a pure just day to day processing context.

So now let us witch and look at what is happening within the UK because of course we are outside of the EU, we look outside to all other countries as third parties and have our own rules around transfers. So we have known since last year sometime in the autumn that transfers from the UK to the EU would have adequacy, the Government came out early on and said we are not going to require additional paperwork for transfers from the UK to the EU. But what about the countries which had adequacy from the European Commission prior to the UK's departure. Well the UK Government also said we will honour those findings of adequacy and so transfers from the UK to countries who had findings of adequacy previously those can still go ahead and will still be adequate.

The big news and where this starts to get interesting, and now increasingly political, is about what does the UK do next around potentially finding other countries can have adequacy so we do not need to put in place any other measures. Within the last month the Government has come out and said that it has a primary list of countries which are the ones on the slide there to which the UK is going to look at their regimes to see if they can give a finding of adequacy and there was actually a secondary phase of countries as well behind those listed on the slide covering India, Brazil, Kenya and Indonesia. This has become political because the power to grant these findings of adequacy now lies with the Government, the Secretaries of State rather than with the ICO. The ICO will still have a consultation role to play and has signed a memorandum of understanding with the Government around how the ICO will work with the Government and review and assessments and be involved in the findings of adequacy but this is no longer the Regulator's decision. So the Government has published this mission statement called international data transfers building trust, delivering growth and firing up innovation. As you can quite clearly see there the link that the Government is emphasising between the ability to pass data and the ability to trade and this mission statement talks about the value of trade with the countries where the UK is looking to find adequacy for over '80...