NEWSLETTER N° 29 // Thursday 30 September 2021
Editorial
INTERNATIONAL TRANSFERS OF PERSONAL DATA: THE NEW LEGAL FRAMEWORK OF THE UPCOMING WORK YEAR!
This month, our newsletter “La Lettre du DPO” has decided to interview Myriam Quéméner (lawyer at the Economic and Financial Investigation Division of the Paris Court of Appeal, Ph.D. in Law and author of numerous books and articles on digital law) and Lauren Webb (partner at the law firm Browne Jacobson, specializing in new technologies law). They share with us their experiences and practical insights, in particular on the matter of international transfers of personal data, a very topical subject in the upcoming work year 2021. 
 
International transfers of personal data are regulated by very restrictive legislation that is still too little known or ignored. Although information has always circulated across borders, information technology and especially the advent of the Internet have intensified the flow of information, representing a turning point in this area. Aware of the risks incurred for the privacy of individuals, but also for the assets and security of organizations, the European legislator had prohibited, since 1995, the export of personal data outside the European Union (EU). The only exception was for certain countries recognized (by decision of the European Commission) as providing an "adequate" level of protection. However, aware of the economic importance of these exchanges, the same legislator had provided for certain adaptations (which have been carried over into the GDPR and which include the signing of standard transfer clauses), whose fragility has been constantly recalled by the case law of recent years. In other words: the simple signing of a data transfer contract is no longer enough! Even today, too few organizations handle this matter properly, very often assuming, wrongly, that they do not transfer data outside the EU.
 
“Transfer” is a very broad concept. Contrary to common belief, a transfer includes not only the sending of data, but also remote access from a non-EU country. With the globalization of economic relations, many companies make use of outsourcing, maintenance or even business services (payroll management, email hosting, etc.) provided by service providers established abroad, which undoubtedly constitute "transfers".
 
What's new in the upcoming work year: Brexit and new standard clauses imposed by the European Commission. Two news items characterize the upcoming work year. Firstly, with the EU-UK Trade and Cooperation Agreement signed on 30th December 2020, the United Kingdom obtained the continued application of the GDPR until 1st July 2021. This agreement generated concerns about data transfers between the Old Continent and the British island, which are significant given the intense economic exchanges between these two areas. A legal framework was therefore required to ensure that the British departure did not turn into a digital blockade. This result has now been achieved thanks to the two adequacy decisions adopted on 28th June 2021 by the European Commission. But be careful, because this recognition is only valid for a period of 4 years and is, in any case, precarious: the Commission can withdraw it at any time if it considers that the United Kingdom is no longer able to ensure an adequate level of protection. Companies transferring data across the English Channel should therefore continue to monitor developments in UK law closely.

Secondly, new standard contractual clauses were published by the European Commission on 4th June 2021 in order to regulate transfers of personal data to non-EU countries. It is mandatory to adopt these clauses from 27th September 2021 for contracts concluded after this date, while an additional period of 15 months is allowed for current contracts, but the time will pass very quickly. A good reason to pay attention to the matter without delay...

Enjoy your read! 

Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team.



Interview
"The transfer of personal data is an important and very complex issue for companies (...) all the parties concerned should become familiar with this matter". 
Myriam QUEMENER is a magistrate of the judicial order with a doctorate in law. She works as an expert for the Ministry of Justice in the fight against cybercrime and is currently a lawyer at the Economic and Financial Investigation Division of the Paris Court of Appeal. Myriam QUEMENER agreed to answer questions from our newsletter “La Lettre du DPO”.

 
1/- What were the key steps in your career that led you to become interested in digital technology? 

 
I have been a magistrate since 1986. After two years as a Deputy Prosecutor (procureur adjoint) at the High Court of Créteil, I was appointed as an Advocate General (avocat general) at the Versailles Court of Appeal in December 2013. Digital technology was initially a personal passion that I developed after having carried out some work on the topic "Minors and Internet" in the early 2000s, at the Directorate for Criminal Matters of the Ministry of Justice. From that time, I observed that the Internet could be a perfect vector to facilitate the offenders’ actions. In September 2015, I joined the Ministry of Internal Affairs as legal advisor for the Prefect, where I was responsible for the fight against cyber threats, and then for the Ministerial Delegate for Security Industries and the Fight against Cyber Threats (DMISC) at the Ministry of Internal Affairs. I am also an expert on cybercrime at the Council of Europe and the author of a thesis on economic and financial crime in the digital age, published in 2015, as well as of several books and articles on digital technology and cybercrime.

 
2/- What are your current responsibilities and future projects in digital law? 

I am currently Advocate General at the Economic and Financial Investigation Division of the Paris Court of Appeal, which increasingly deals with cybercrime cases. In this capacity, I handle in particular requests for annulment of proceedings, based for example on the conditions of access to data and the fragility of digital evidence. Digital evidence is often a determining factor in the fight against cybercrime and its cross-border implications, but also against all forms of organized and financial crime that increasingly use the ever-changing mysteries of digital technology. I also handle appeal cases in relation to seizures of crypto-assets. Finally, I am a member of various working groups. I participated in the drafting of the report "Criminal law facing cyber-attacks", published by the think tank Le Club des Juristes in April 2021. 

 
3/- What is your vision for the future of digital law and data transfers? 

 
The transfer of personal data is an important and very complex issue for companies. It means that companies have to hire expert lawyers and DPOs. Although the CNIL, the French data protection authority, is doing very important educational work, all the parties concerned should become familiar with this matter. In this respect, the Commission has a leading role to play. Even if we are experiencing a blurring of the boundaries between the different legal fields, the provisions of the GDPR are quite unknown to the magistrates of the judicial order. However, the CJEU's decision of 16th July 2020 (Schrems II case), which invalidated the Privacy Shield and declared the inadequacy of standard contractual clauses to regulate transfers from Europe to the United States, is a victory for the GDPR and an opportunity for a real European digital sovereignty.
Practical Guidance
“In practice, personal data can be transferred between the EU and the UK without further safeguards being required” 
Following the recent adequacy decision for the UK, and with a UK government minister’s recent comments that Brexit will allow the UK to take steps towards ‘reforming our own data laws so that they are based on common sense, not box-ticking’, this month La Lettre du DPO has decided to interview Lauren Webb, a partner at the law firm Browne Jacobson, which is located in the UK and, like klein • wenner, is a member of the Pangea Net network. She shared with us the key practical issues for cross-border businesses dealing in the UK in a post-Brexit world.

To discover the complete interview, click here. 


 
A combined application of the EU GDPR and the UK GDPR
 
“In practice, the organisations in the EU that operate in both the UK and the EU will be required to comply with the UK GDPR, in addition to the EU GDPR, where those businesses (i) have an ‘establishment’ (i.e. an employee, branch or office) in the UK and process personal data in the context of that establishment; (ii) monitor the behaviour of individuals in the UK – such as via cookies on a website aimed at UK consumers; or (iii) offer goods and services to individuals in the UK. Even if no substantial changes are made to UK law in the near future, interpretation of the law by the Information Commissioner’s Office (ICO – the supervisory authority in the UK) can lead to significant differences in how those laws are applied in practice. Businesses could be in the difficult position of being required to comply with different and possibly conflicting laws when dealing with personal data from EU and UK data subjects.”


 
Cross-border businesses: data transfer allowed without further safeguard for the moment.

“At the end of June 2021, the UK government and the European Commission agreed an adequacy arrangement for the UK. This means that, in practice, there is nothing further for cross-border businesses to do in respect of those issues. There are however other practical steps required as a result of Brexit for cross-border businesses: (i) map your data flows; (ii) update your contracts, notices and policies; and (iii) consider whether you are required to appoint a representative in the UK. Unusually however, the adequacy agreement between the EU and the UK included a ‘sunset clause’ which provides that the decision will automatically expire after 4 years unless renewed. Any divergence of the UK government from the current position – either as a result of a change to law or interpretation of that law – could mean that in 2025 the UK is no longer deemed adequate. In this respect, the UK government’s recent comments suggest a move away from the EU data protection position…”
UPDATE
Trends
Cookies: fines and formal notices of summer 2021 
Global compliance plan: a second campaign of formal notices. On 19th July 2021, the president of the CNIL, the French data protection authority, sent a formal notice to approximately forty organizations that still did not allow Internet users to refuse cookies as easily as to accept them. As a reminder, the organizations concerned could comply with the instructions contained in the formal notice until 6th September.  
 

50,000 euro fine for advertising cookies without consent. In a decision of 27th July 2021, the CNIL sanctioned the company SOCIÉTÉ DU FIGARO which, as publisher of the website lefigaro.fr, should have ensured that its partners did not set advertising cookies before users had chosen to accept them. Following this decision, the fact that cookies are set by partners does not exempt the publisher of the site from its own responsibility, insofar as it has control over its site and its servers.
News Flash
The application of the GDPR in the United Kingdom ended on 1st July 2021: stay alert! 
The British have, once again, lived up to their reputation as skilled negotiators by obtaining, 72 hours before the deadline, the status of country recognized as having an "adequate level of protection", following two adequacy decisions adopted by the European Commission on 28th June 2021 in accordance with the GDPR and Directive 2016-680 of the European Parliament and of the Council dated 27th April 2016 (Police-Justice directive). The Commission has analyzed the British legal system in detail, particularly with regard to the legislative provisions allowing the authorities to access certain data in the context of their investigative powers. However, these two decisions, which aim to keep data flowing smoothly and to support the fight against crime, should be treated with caution, since the Commission has introduced an "automatic sunset" clause for a period of four years. Companies transferring data across the English Channel should therefore continue to monitor developments in UK law closely, in order to be sure that the rights granted, notably to public authorities, do not exceed the scope of access provided for by the GDPR.

The new "processor SCCs": a clear desire to provide a better legal framework for contracts between controllers and their processors 
In a two-pronged move, on 4th June 2021, the European Commission adopted not only new standard contractual clauses (SCCs) for the transfer of personal data, but also processor SCCs (which are required by Article 28 of the GDPR) by Implementing Decision (EU) 2021/915, which entered into force on 27th June 2021, in compliance with the requirements of Article 28 of the GDPR. These clauses, which aim to provide exhaustive and detailed information, contain a docking or accession clause for any new party wishing to accede to the SCCs after agreement, and must include the specific security measures that have been implemented. With these clauses, Europe is significantly strengthening its control and seems to want to limit any risk and deviation.

Agenda
8th November 2021 
CNIL AIR2021 - sharing data whilst protecting data: what ethics for open data?  
The CNIL, the French data protection authority, is pursuing its ethical mission inherited from the Loi pour une République numérique, a French IT law voted on 7th October 2016. On 8th November 2021, the CNIL will host a forum where politicians and scientists will attempt to strike a balance between Open data aiming to promote innovation and transparency in the general interest and the individual protection of everyone's data. The conference will focus, among other things, on the challenges relating to open data for everyone in an era where protecting them is of utmost importance.

 
The Intellectual Property and Digital Law Team at klein • wenner

Fortified by in-depth experience, klein • wenner's attorneys in the IT Law and Intellectual Property team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law.  We work with other experts (in cybersecurity, SI/data governance and other areas), and  our team offers a global, cooperative approach to all the issues relating to data (privacy, intellectual property, cybersecurity and open data - *with klein • wenner's Public Law team). 
La Lettre du DPO is a publication of KGA Avocats which processes your data in accordance with the regulation regarding personal data. To learn more, click here