Commercial law specialist Liz Gillingham provides a snapshot summary of developments in data protection law you should be aware of
Data protection remains a major compliance issue in terms of both risk and everyday practicalities. Get it wrong, and it’s not just your reputation that will take a hit: if you need an incentive to get it right, consider the potential to incur fines of up to €20 million or 4% of global turnover as a powerful motivator.
We regularly find that data protection is a key issue in buyer due diligence and can provide a major stumbling block, particularly with many businesses not having reviewed their compliance since 2018 when the GDPR came into force. Data protection does not, however, stand still and the regulatory landscape has changed significantly in that time. Have your policies kept pace?
Here are the key developments you should be aware of:
1 UK/EU adequacy decision
The European Commission adopted an “adequacy decision” at the end of June confirming that personal data can continue to flow freely between the UK and the EU after Brexit. Good news – and a great relief – for companies whose operations span the UK and the EU; the alternative would have required extensive changes to privacy documentation.
2 New rules on international data transfers
The EU-US Privacy Shield was deemed invalid by the Court of Justice of the European Union (CJEU) last year and can no longer be relied on to validate transfers of personal data from the EU to the US.
The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries and that supplementary measures might be required. The European Data Protection Board subsequently published draft recommendations on the measures needed to ensure compliance with the EU level of protection of personal data.
The bottom line is that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer, and whether any additional measures are necessary.
3 Requirement to appoint an EU representative
The GDPR applies to organisations outside the EU where they carry out business in the EU and requires those businesses (with a few exceptions) to appoint a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
Post-Brexit, UK businesses carrying on business in the EU have to appoint a representative in the EU for data protection purposes, and EU businesses carrying on business in the UK have to appoint a representative in the UK. That requirement works both ways: any company not established in the UK but offering goods or services to individuals in the UK must appoint a representative in the UK.
Here, you need to remember that what seems like an administrative nicety can come with a hefty price: just a few months ago, the Dutch Data Protection Authority fined a non-EU website provider €525,000 for failing to appoint an EU representative. To reinforce the point, the authority also set a 12-week deadline for the business to remedy the situation – imposing continuing fines of €20,000 for every two weeks that it remained in breach (up to €120,000).
4 New EU Standard Contractual Clauses
In June 2021, the European Commission published new SCCs (the New Clauses).
Businesses which operate in the EU and rely on the old SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by December 27th 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from September 27th 2021.
The New Clauses are not currently valid under UK law and cannot be used to legitimise the transfer of personal data out of the UK, but UK businesses dealing with EU customers and suppliers may be asked to enter into them and so need to be aware of the change.
You can find more detail on this particular area on our website by clicking this link – New rules for international data transfers.
5 New EU processor clauses
Finally, the EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR. These are not mandatory, but you may find them useful when engaging a processor.
The world is increasingly interconnected and reliant on the transfer of data, particularly cross-border. As a result, data protection law is continually changing and the penalties for non-compliance remain high. We recommend that you carry out regular checks every couple of years to ensure that your compliance measures are up to date and have kept pace with the changing regulatory environment.
Liz Gillingham is a Senior Associate in DMH Stallard’s Corporate and Commercial team and can be contacted on 01483 467430 or by email at firstname.lastname@example.org