July 3, 2022

Volume XII, Number 184

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis

June 30, 2022

Subscribe to Latest Legal News and Analysis

International Personal Data Transfers: An Eventful Week

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

An updated document for transfers initiated under the UK General Data Protection Regulation (GDPR) was needed following the Schrems II decision, which occurred while the United Kingdom was still an EU member state and which the European Union fixed by adopting new versions of the SCC in June 2021 (see our alert here), but only after the United Kingdom had finalized Brexit.

The United Kingdom’s draft International Data Transfer Agreement (IDTA) and Addendum were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR.

The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the United Kingdom and the European Union will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the United Kingdom and the European Union for data exporters engaged in personal data transfers from their respective jurisdictions. 

As a reminder:

  • Transfers between the European Union and the United Kingdom do not need any specific measures as per the adequacy decision currently in place (see our alert here)

  • All data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022

  • All data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024

TRANSFER FROM THE EUROPEAN UNION TO THE UNITED STATES: EN ROUTE FOR SCHREMS III?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced an “agreement in principle” on a new EU-U.S. data sharing system, expected to replace the Privacy Shield framework invalidated under the Court of Justice of the European Union’s (CJEU) Schrems II decision in 2020 (see our alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Such transfer mechanisms notably include:

  • A transfer impact assessment, analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access

  • Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to binding corporate rules, or to a code of conduct (see our alert here)

 

Copyright 2022 K & L GatesNational Law Review, Volume XII, Number 90
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney
Partner

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

33-0-1-58-44-15-16
Noirin M. McFadden, KLGates, trade mark licensing lawyer, distribution agreements attorney
Associate

Nóirín McFadden is an associate in the firm’s London office. She concentrates her practice on Intellectual Property, Technology and Commercial matters. Nóirín has experience in data and trade mark licensing and in distribution agreements and has also worked on a range of technology matters including software licensing and online agreements. Nóirín advises on wide-ranging data protection issues, including data transfers.

44-0-20-7360-8135
Dr Thomas Nietsch Cybersecurity Attorney K&L Gates Law Firm
Associate

Thomas Nietsch is an associate in the K&L Gates Berlin office focused on IT, data protection, e-commerce and open source software law. He works with big data, block chain, cloud computing and other digital economy business models and advises clients in technology M&A transactions, negotiation of complex IT and software licensing and cooperation agreements, data protection compliance matters and data use and sharing structure.

+49 0 30.220.029.408
Keisha Phippen IP Procurement & Portfolio Management Attorney K&L Gates London, UK
Associate

Keisha Phippen is an associate in the firm’s London office where she is a member of the IP procurement and portfolio management practice group.

Professional Background

Prior to joining the firm Ms. Phippen served as a commercial lawyer at a full service law firm based in the UK where she provided specialist advice on a range of commercial matters; drafted and developed a wide variety of standard and bespoke commercial documents; and supported clients with all-party contractual negotiations through to post completion queries.

Primary Practice

  • IP...

44.(0)20.7360.8267
Advertisement
Advertisement
Advertisement