EU/UK Data Transfer Developments: In-House Counsel FAQ

Privacy & Cybersecurity Update

Date: May 16, 2022

One of the more challenging aspects of the European Union (EU) General Data Protection Regulation (GDPR) and its equivalent in the United Kingdom (UK GDPR) is complying with international data transfer rules. There have been several high-profile developments governing this area of law, including new standard contractual clauses (SCCs), tentative agreements to create a new Privacy Shield framework, and regulatory actions over the use of Google Analytics and similar website cookies. The following are answers to some frequently asked questions from in-house counsel regarding these new developments.

Can organizations still transfer personal data outside the EU/UK? Yes, provided they implement proper transfer mechanisms. The EU/UK restricts organizations from transferring personal data to foreign jurisdictions, unless the importer is within a country or territory that has an adequacy finding or if the exporter and importer implement other safeguards, such as using approved binding corporate rules, agreeing to the EU/UK SCCs, or adhering to a new Privacy Shield framework (if adopted).

What is a “transfer” of personal data? The European Data Protection Board (EDPB) recently clarified the circumstances when a personal data “transfer” occurs (and therefore implicates an organization’s need to implement a transfer mechanism). In short, the EDPB identified three data processing activities as constituting a transfer: (i) the controller or processor is subject to the GDPR, (ii) the controller or processor discloses or otherwise makes personal data available to another controller, processor, or joint controller, and (iii) the organization importing the data is located outside the EU. Importantly, the EDPB noted that these factors apply regardless of whether the GDPR applies (or does not apply) to the data importer.

Do I need a data transfer mechanism to collect personal data directly from a data subject? No, the EDPB clarified that a data “transfer” does not occur when a data subject, upon their own initiative, discloses their personal data to the controller or processor.

What are the SCCs? The EU/UK SCCs are preapproved model contract clauses that organizations generally may rely upon to transfer personal data outside the EU/UK because they impose certain requirements on organizations that import and export such data that are analogous to the EU/UK GDPR. On June 4, 2021, the European Commission issued updated SCCs for the transfer of personal data from the EU (EU SCCs). As of March 21, 2022, organizations may rely upon a new UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs to transfer personal data from the UK.

When do I have to implement the EU SCCs? Organizations have until December 27, 2022 to adopt the new EU SCCs or otherwise comply with another EU-approved data transfer mechanism.

When do I have to implement the IDTA or UK Addendum? Organizations have until March 21, 2024 to adopt the IDTA or the UK Addendum or otherwise comply with another transfer mechanism. However, given the substantial overlap between the EU SCCs and the IDTA and UK Addendum, many organizations are seeking to ratify both by December 2022 (i.e., the EU SCC deadline) to avoid duplicating contracting efforts.

What are transfer impact assessments? The new SCCs (and other EU opinions) and the IDTA require data exporters and importers to assess local law where personal data will be transferred to ensure that such legal frameworks do not (in light of the data safeguards implemented by the parties) limit their ability to comply with their contractual obligations or otherwise abrogate third-party data subject rights. This exercise is often referred to as a personal data transfer impact assessment.

Have the U.S. and EU/UK agreed to a new Privacy Shield framework? Not yet, but they are getting closer. On March 25, 2022, the U.S. and European Commission jointly announced that they have tentatively agreed to replace the former Privacy Shield framework. The new Privacy Shield, if adopted, likely will retain a requirement that organizations “self-certify” to U.S. regulatory authorities that they agree to certain data protection principles that are analogous to the EU/UK GDPR.

How would the Privacy Shield differ from the previous framework? The U.S. and EU/UK have noted that the new Privacy Shield framework will address the issues and concerns that led the Court of Justice of the European Union (CJEU) to invalidate the framework in 2020. These issues focus on the U.S. government updating its intelligence collection practices and oversight processes and creating new redress mechanisms for EU/UK-based data subjects.

Will the new Privacy Shield framework withstand legal challenges? Because the U.S. and EU/UK have not yet published the text of a new transfer framework, we cannot analyze its text and scope at this time. However, privacy advocates have already raised concerns over the proposed arrangement and will likely bring legal challenges if it is enacted. There is widespread concern that a new Privacy Shield framework will suffer the fate of its two predecessors (and be invalidated by the CJEU) and therefore, businesses are likely going to take a cautious approach to joining the framework.

Is de-identified analytical data derived from website cookies considered personal data? Most likely, yes. As background, Google Analytics and similar website tools collect and process certain de-identified data (e.g., IP addresses, timestamps) to help organizations operate their websites and better understand their end users. EU regulatory authorities have ruled that this cookie-derived data is considered personal data “even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.” In other words, determining whether cookie data equates to personal data is not contingent on whether it can immediately be associated with a particular named individual.

Have EU supervisory authorities banned organizations from using Google Analytics? Some (but not yet all) EU regulatory authorities have ruled that the collection and processing of website “analytical” data by Google Analytics constitutes “personal data” for purposes of the GDPR and that the transfer and storage of such data by Google in the U.S. violates the GDPR’s international transfer rules, notwithstanding the use of previously approved SCCs.

My organization wants to keep using Google Analytics and similar cookies. How can I mitigate the risk of regulatory action? In addition to the EU/UK GDPR, the Privacy and Electronic Communications Regulations (PECR) also apply to the use of cookies and similar technologies. There are several measures your organization may take to better ensure compliance with the EU/UK GDPR and PECR when implementing cookies and similar online tools. First, seek to activate any “anonymization” features to limit the scope and breadth of the personal data the tools may collect. Next, ensure your website’s cookie banner clearly and conspicuously informs end users of the use of tracking and analytical tools, including the presence of restricted data transfers, and ensure the end user’s consent is properly obtained and documented. Similarly, ensure your organization’s privacy statement and cookie policy comply with any third-party contractual requirements regarding notice and consent. Last, undertake appropriate data protection impact assessments, and potentially transfer impact assessments, and ensure all data processing activities are documented in a record of processing.

FOR MORE INFORMATION

For more information, please contact:

Steven G. Stransky
216.566.5646
202.263.4126
Steve.Stransky@ThompsonHine.com
Certified Information Privacy Professional/Government (CIPP/G)
Certified Information Privacy Professional/United States (CIPP/US)

Thomas F. Zych
216.566.5605
Tom.Zych@ThompsonHine.com

Lucy Pegler
+44 (0) 117.902.7728
Lucy.Pegler@Burges-Salmon.com

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2022 THOMPSON HINE LLP. ALL RIGHTS RESERVED.