Not all data protection regulators are the same. Each of the European Union's 27 General Data Protection Regulation (GDPR) regulators has its own approach to enforcement, so it is important to understand the key differences in their powers, priorities, procedures and ways of working. Together, they form the European Data Protection Board (EDPB), and their differing approaches strongly influence the nature, tone and substance of the EDPB's output. We call this group of GDPR regulators "Europe's Big Six" because of their enforcement output, capabilities, consistency, size and influence. These regulators help to set the agenda for GDPR, data protection and information security in Europe and around the world; they have become bellwethers. Analysing them can help companies and organisations navigate the enforcement landscape, understand regulatory risks and decide how to engage with them effectively. The Big Six are the European Data Protection Board (EDPB), France's CNIL, Spain's AEPD, Germany's Hamburg and Baden-Württemberg regulators (counted together), Italy's Garante and the Netherlands' AP.

EU: European Data Protection Board (EDPB)

The EDPB is the EU's data protection super-regulator, bringing together all 27 GDPR regulators, the EFTA EEA authorities and the European Data Protection Supervisor (EDPS). Its powers are distinct from those of each country's regulator, but it has formidable convening powers. The EDPB helps to resolve EU cross-border cases: its Dispute Resolution mechanism allows a draft decision by one GDPR regulator to be reassessed, and fines or penalties increased, following objections from other EU GDPR regulators. The EDPB's Opinions are highly regarded and help to shape EU data protection interpretation and good practice. The EDPB also publishes Guidelines, Recommendations and Best Practice. The Board can use its Urgency Procedure to assist a GDPR regulator to adopt an urgent measure needed to protect the rights and freedoms of individuals. The EDPB can, on its own initiative, intervene to monitor the correct application of the GDPR, advise the European Commission, answer questions on GDPR application, give Opinions on Codes of Practice and Certifications, give opinions on data protection adequacy, promote co-operation, exchange information and facilitate shared investigations. The EDPB's Strategy and Work Programme, Annual Report 2021, Vienna Statement on Enforcement Co-operation 2022 and Selection Criteria for Cases of Strategic Importance 2022 show an intent to increase future co-operation and effectiveness.

France: Commission Nationale de l’informatique et des Libertés (The CNIL)

The CNIL, based in Paris, was established in 1978, before European data protection law was comprehensively set out. It is one of the larger GDPR regulators, with an established heritage in privacy and data protection. It has a long history of enforcement, which has been bolstered by the GDPR. In 2019, the CNIL fined Google €50 million for numerous GDPR breaches relating to transparency and consent. In 2022, it published a decision finding that the use of Google Analytics was non-compliant with the GDPR, which reverberated across the EU and beyond. The CNIL's Strategic Plan 2022-2024 focuses on promoting the control and respect of individuals' rights, promoting the GDPR as a trusted asset for organisations and prioritising targeted regulatory actions for high-stakes privacy issues. The high-stakes areas of focus include smart cameras, data transfers in the cloud and smartphone data collection.

Spain: Agencia Española de Protección de Datos (AEPD)

The AEPD, based in Madrid, is Spain's national data protection regulator, established in 1993. Spain also has three regional data protection regulators, in Andalusia, the Basque Country and Catalonia. The AEPD is known for its opinions, guidance and tools on emerging technologies and topics such as Big Data, the right to be forgotten, Wi-Fi data collection (Google Street View), cookies, data breaches and Data Protection Impact Assessments (DPIAs). The Agency is one of the most frequent issuers of GDPR fines in the EU. These penalties are often relatively modest (below €200,000), but are spread across a wide range of sectors, industries, public bodies and sizes of organisation. Its in-country regulatory reach is one of the EU's broadest and it has adjudicated and enforced in many sectors and technologies. Its largest fines have included Vodafone Spain (€8.15 million), BBVA (€5 million) and CaixaBank (€9 million and €3 million). Its Annual Report 2021 (in Spanish) shows an active and engaged organisation.

Germany: Hamburg and Baden-Württemberg

Germany has a two-tier data protection regulatory system. The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, 'BfDI') represents Germany at the EDPB. Germany has about 19 different federal and regional data protection authorities responsible for monitoring data protection implementation throughout the country. To ensure consistency, the German regulators for the public and private sectors together form the Data Protection Conference (Datenschutzkonferenz, 'DSK'). This arrangement mirrors the consistency mechanism set out in the GDPR and operated by the EDPB. German data protection enforcement is best understood by reviewing the output of these regional GDPR regulators.

Two of the most active and vocal German regulators are Hamburg (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, HmbBfDI) and Baden-Württemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, LfDI). The Hamburg regulator fined H&M Hennes & Mauritz Online Shop A.B. & Co. KG, a Hamburg-based subsidiary of the Swedish fashion and textile company H&M, €35 million for GDPR breaches arising from extensive monitoring of its employees' private lives. The same regulator imposed a fine of €51,000 on Facebook Germany GmbH for failing to notify it of the company's Data Protection Officer in Germany, and it has questioned and investigated the GDPR compliance of Zoom and Google Analytics. In the early months of the GDPR coming fully into force, the Baden-Württemberg regulator imposed a fine of €20,000 on a social media provider for breaching the GDPR's data security obligations, after a breach revealed that user passwords had been stored in plaintext. In 2022, the regulator published a detailed set of Frequently Asked Questions (FAQs) on cookies and similar technologies.

Italy: Garante per la protezione dei dati personali (The Garante)

The Garante, based in Rome, is Italy's national data protection regulator, established in 1997. The Garante appears to be very selective about the large-scale interventions and enforcement actions it takes. However, many of these actions address the most important GDPR principles, target key sectors and focus on new and emerging technologies. It has been involved in some of the largest and most high-profile GDPR enforcement cases and fines, such as TIM SpA (€27.8 million), Enel Energia (€26.5 million) and Clearview AI (€20 million). The Garante is permitted to keep 50% of the fines it collects for its own operations; the other half goes to the Italian Government's central funds. The Garante has reached the same conclusion as the French, Danish and Austrian GDPR regulators: that Google Analytics' collection of personal data and its transfer from the EU to the USA breaches the GDPR. The Garante's Annual Report 2021 (in Italian) shows a bold and confident regulator.

Netherlands: Autoriteit Persoonsgegevens (AP)

Autoriteit Persoonsgegevens (AP), based in Den Haag (The Hague), was originally called the Registratiekamer and later the College bescherming persoonsgegevens (CBP). The AP in its current form was established in 2016. It has a statutory duty to assess whether organisations, including government bodies, comply with Dutch data protection law. The AP's Strategy Focus Areas for 2020-2023 deliberately prioritise three digital society themes: data trading, digital government in central and local authorities, and artificial intelligence and algorithms. The AP fined the Netherlands Tax Administration (Belastingdienst) €3.7 million for misusing its Fraud Signalling Facility (FSV) blacklist in breach of the GDPR, causing loss and damage to Dutch families. The AP has also taken enforcement action against the Dutch Ministry of Finance (€2.7 million) and TikTok (€750,000), and has investigated Microsoft's services. The AP's Annual Report 2021 (in Dutch) shows a confident, minimalist regulator with a reputation for applying strict interpretations of the GDPR.

Other Related Developments and Trends

The UK's Information Commissioner's Office (ICO) and the Data Protection Commission Ireland (DPC Ireland) together form the largest English-speaking data protection and GDPR regulatory bloc in Western Europe. The ICO remains large, influential and relatively well staffed and resourced. However, the UK's departure from the European Union (Brexit) means that it is no longer an EU GDPR regulator or a contender for Europe's Big Six, and it is likely to diverge increasingly from the family of EU GDPR regulators. The ICO's future will be decided over time. DPC Ireland is growing in capability and influence and is one to watch in the next 2-5 years. The EDPB's Dispute Resolution mechanism is being used by the Big Six regulators, and others, to challenge DPC Ireland's draft decisions internally, expanding its GDPR analysis and increasing the size of its GDPR fines and penalties.

Other key data protection regulators to watch are Denmark, Poland, Austria and Norway. In future, significant enforcement action can come from any of the EU's 27 GDPR regulators at any time, acting alone, acting together or acting in co-ordination with the EDPB. EU data protection regulators and their enforcement activities therefore remain a dynamic and fast-moving environment.

For help with EU/EEA/UK GDPR compliance, data protection regulatory investigations, GDPR enforcement support, data breach response, Data Protection Officer (DPO) services, EU Data Protection Representative services and our Legal & Regulatory Support services, contact PrivacySolved:

Telephone:  +353 1 960 9370 (Dublin)

Telephone:  +44 (0) 207 175 9771 (London)

Email: contact@privacysolved.com

PS102022

When a person publishes their image online, many might think that the public image can be widely re-used by others for new and unrelated purposes. It is true that few privacy and confidentiality rights protect such published images. Intellectual property rights, such as copyright, may sometimes be relevant. However, other important rights and rules, such as contractual rights, fair use doctrines and data protection rights, must always be fully considered.

Clearview AI Inc has been sanctioned by data protection regulators in the UK, Greece, Italy, France and Australia for misusing images and facial recognition technology, with fines imposed in several of these jurisdictions. In the USA, it has faced class action lawsuits. This techAnalysis examines data scraping, web scraping, facial recognition technology, artificial intelligence and the complexities of re-using the online images of individuals.

Data Scraping, Facial Recognition Technology and Artificial Intelligence

Data scraping is the process of using a computer program to extract data from the output generated by another program. Web scraping is a popular form of data scraping in which a computer application is used to extract valuable information from a website, including copying the images of individuals.

Facial recognition technologies are technical methods used to identify an individual from a digital image. These technologies rely on personal data and biometric data to identify individuals. In the EU and UK, the General Data Protection Regulation (GDPR) defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm that person's unique identification; facial images are given as an example. Biometric data is included in the list of special categories of personal data in the GDPR. These are some of the most sensitive forms of personal data. Collecting and using them is high-risk processing that requires extra care and attention and, often, explicit consent. The other special categories of data are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health, sex life and sexual orientation. Data about criminal convictions and offences also attract similar special treatment.

Artificial Intelligence (AI) is the ability of a computer or computer-controlled robot to perform tasks and analysis in ways that are like those carried out by intelligent human beings. AI includes several techniques such as machine learning and deep learning. AI is often applied to achieve a variety of outcomes including problem-solving, reasoning, knowledge representation, natural language processing, learning, planning, perception, motion and manipulation, social intelligence and general intelligence.

The Story of Clearview AI

Clearview AI is an identity intelligence solutions company that boasts about the superior accuracy and reliability of its facial recognition technology, which is powered by artificial intelligence. The company's customers include the police, banks, transportation operators and governments. Clearview's customers could upload a person's image to the company's application interface, which then checked for a match against the images in the database. In order to provide its services, the company collected more than 20 billion images of people, and associated data, from publicly available sources on the internet and social media platforms globally for its online facial recognition database. This was done without the knowledge or consent of the individuals or of the companies that published the facial images online.

Clearview AI has been fined just over £7.5 million by the UK Information Commissioner's Office and €20 million each by the Greek and Italian data protection regulators for using images of people in its online database in breach of data protection laws. The company has also been ordered to stop collecting and using the personal data it had unlawfully gathered and to delete this information from its systems. Clearview AI breached various laws around the world. Large technology companies and social media businesses have started to investigate these practices and take legal action against companies that scrape their data and copy their online information. Often these practices are in breach of the target business's terms and conditions and acceptable use policies.

Five reasons why collecting and using images and data gathered online can breach data protection laws

1. Failure to collect and use personal data in a fair and transparent way

Data protection laws require personal data to be collected and used fairly and processed in the ways that individuals expect. The use of personal data should not lead to unjustified and adverse effects on individuals. It is important to consider the lawfulness and fairness of personal data use before processing starts. Transparent data collection and use requires clarity, openness and honesty towards the individuals involved, to ensure that they are properly informed and, where necessary, give their explicit consent.

2. Failure to have a lawful reason for collecting people’s online personal data

It is very important that those who collect and use personal data know and communicate the legal basis for processing it. Gaining the consent of users or those affected is one lawful basis for processing a person's information, but there are other acceptable legal routes for data collection, such as:

  • Collecting or using personal data to fulfil a contract;
  • Collecting or using personal data to fulfil a legal obligation;
  • Collecting or processing personal data for public interest tasks or an official function;
  • Collecting or processing personal data for a legitimate personal or business interest or the interests of a third party;
  • Collecting or processing personal data to protect life or a vital interest.

3. Failure to have a process in place so that information is not held indefinitely

If there are no processes in place to establish how long personal data will be retained, a data protection regulator could find a breach of data protection law. Data retention matters: personal data should not be kept for longer than necessary.

4. Failure to meet the higher data protection standards for biometric data

When collecting biometric data, or any other form of special category personal data or sensitive information, all parties must ensure that they meet the higher standards for processing these data. Collecting and using these data is called high-risk processing because the potential harm to individuals affected by data misuse could be substantial and severe.

5. Making the process hard for those who wish to object to their information and images being used

If a person wishes to find out whether their image is being used or stored, they should have access to a user-friendly and accessible process. Individuals should be allowed to exercise their data protection rights at any time and at little or no expense.

Advisory: Collecting and Using Online Images of Individuals

There are many issues to consider before collecting images of people from the internet:

  • Ensure compliance with the data protection principles in the EU and UK, or with similar data privacy legal requirements around the world. Identifying a clear lawful basis for data collection should be one of the first steps. This includes ensuring that all data extraction or copying is in line with the website or platform's terms and conditions. One solution could be to get permission from the website owner, although individuals may still object to the copying and use of their image. Objections by the individuals affected should be fully considered and actioned.
  • Users affected should be properly informed about how their personal data will be used and allowed to exercise their rights to access, rectify or delete the information, as necessary.
  • Working with a Data Protection Officer (DPO) or Data Protection Adviser to complete a Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA) is crucial. All parties should apply Privacy and Data Protection by Design techniques to reduce data protection risks. If the DPIA identifies risks that cannot be resolved, businesses and organisations may need to consult their data protection regulators before starting to collect images from the internet.

Conclusion

Care and attention are needed when collecting and using images from the internet for any new purpose, and especially for facial recognition and artificial intelligence activities. Full legal awareness and proper processes and procedures are very important; otherwise regulators could impose fines and order data to be deleted. This would reduce trust, limit business opportunities, curb innovation, be costly and severely damage reputations.

This techAnalysis is produced in association with Johnson May.

PrivacySolved has years of expertise in UK, EU and global data protection and has worked with the key regulators. We also advise on new technology and artificial intelligence compliance. For advice, support, projects and programmes, contact PrivacySolved using the details above.

PS082022

Briefing

The UK's future data protection framework and laws are likely to differ significantly from the European Union's General Data Protection Regulation (GDPR). The changes set out in the UK's Data Protection and Digital Information Bill, published in July 2022, are a mixture of significant legal changes and superficial adjustments. In other places, long-established legal concepts have been renamed and redefined so that past and future EU legal and regulatory interpretation can no longer influence the emerging UK data protection regime. These updated definitions and new concepts will allow UK regulators and UK courts to interpret and develop these laws and rules in ways that are more UK-centric. The UK's exit from the European Union (Brexit) automatically ended UK residents' specific right to data protection set out in the EU Charter of Fundamental Rights. The legal fact of Brexit narrowed the scope of data protection in the UK by default, and detaches it from the EU institutions, courts, systems and mechanisms that have previously operationalised data protection. There are also plans in the UK to narrow the scope of the UK's Human Rights Act 1998, which will further limit UK data protection. The UK is left with the UK Data Protection Act 2018, a truncated UK GDPR and a complex web of other laws to synthesise and interpret. These are all derivative laws which, taken together, are more complex than the EU legal framework yet retain key unifying elements. UK data protection is now less stable. New uncertainties abound and a period of re-learning will begin. It is unclear whether the UK will retain EU data protection adequacy over time.

Headline Changes

The definition of Personal Data has been narrowed. The new definition breaks the link between personal data that can identify an individual directly and data that can do so indirectly. The legal test for identifiability has also been restricted. This means that the scope and reach of UK data protection is more limited for individuals, controllers and processors. While the new definition may appear technical, it will have practical effects on digital data, databases, cloud services, security strategies and risk profiles. The change in the law also automatically creates new pools of non-personal data, which fall outside the scope and reach of UK data protection.

The Purpose Limitation Principle has been expanded with legal tests to judge compatibility with new personal data uses. There are also new rules for assessing that secondary uses are compatible with original purposes. This creates new pathways for personal data re-use and secondary uses.

The Legal Bases for Processing Personal data have been broadened. Legitimate interest has been given a new prominence. A new list of data processing activities that automatically meet the legitimate interest balancing test has been introduced. This includes crime prevention, safeguarding the vulnerable, emergencies and democratic engagement. These new rules will encourage data sharing, especially by the government and the public services. The new rules also limit the scope for objection or refusal.

The Information Commissioner's Office (ICO), the UK's data protection regulator, will be abolished in its current form. This reform appears to be an attempt to remove the UK regulator from the orbit and influence of the European Data Protection Board (EDPB) and from its history as part of it. The new Information Commission will come under more direct UK government control and supervision and will be less independent. The Commission will have two distinct additional powers. The first is to require a controller or processor to prepare a report at their own expense. The second is an Interview Notice, requiring a person to attend a place to answer questions.

UK international data transfers have been removed from the EU GDPR framework. The EU's restrictive data transfer default position has been replaced by a slightly more permissive UK approach. Data transfers can now proceed via UK Adequacy Regulations, UK Standard Contractual Clauses (SCCs), UK Binding Corporate Rules (BCRs) or UK Derogations for Special Situations. A new Data Protection Test has been introduced to guide the evaluation of third countries' data protection adequacy and equivalence with UK data protection.

Data subject rights have become more complicated and restrictive than in the GDPR. Requests can be refused if controllers decide that they are vexatious or excessive, meaning requests made in bad faith, those intended to cause distress and those which are an abuse of process. Requests must be answered within 30 days, but at any time during this period the controller can extend the response time by a further two months because of the complexity of the request or the number of requests. The data subject notice rules in GDPR Articles 13 and 14 have been restricted. No notice is required where personal data is collected for further processing (and re-use) for scientific or historical research, archiving in the public interest or statistical purposes, with appropriate safeguards, or where providing the information is impossible or would involve disproportionate effort.

A definition of Direct Marketing will be added to UK law in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), known as UK PECR. Direct marketing means "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals." The scope for using cookies without consent has increased and the definition of strictly necessary cookies has also been widened. New opt-out based rules have been introduced for unreceived messages and for direct marketing for democratic engagement. There is a new duty to inform the regulator about unlawful direct marketing. UK PECR penalties have been increased.

A More Limited UK Data Protection Governance System

The Information Commissioner's Office will be abolished, and a new organisation called the Information Commission will take its place and replicate most of its existing powers. The Information Commission will be more dependent on the involvement of a UK Government Secretary of State for its objectives and direction. The Commission will be expected to do more reporting and outreach, and will have a duty to encourage economic growth and innovation. It will be given new powers to refuse to act on certain complaints, such as those that have been made prematurely or are vexatious or excessive.

The legal duty to appoint a Data Protection Officer (DPO) has been removed. The role of Senior Responsible Individual (SRI) has been created for public bodies and for organisations that carry out high-risk data processing. There is no legal duty for the SRI to be independent; instead, the organisation can direct and give instructions to the SRI about their work. The SRI must be a member of senior management.

The legal duty for foreign-based organisations to appoint UK Data Protection Representatives has been removed. The Information Commissioner and individual data subjects based in the UK will not have a formal legal route to engage with foreign-based companies that offer goods and services and target or monitor UK individuals.

The legal duty to keep Records of Processing Activities (ROPA) has been retained, but it has been renamed Records of Processing of Personal Data. The contents of these Records are similar and serve a similar function. The new Records requirement does not apply to data controllers or processors that employ fewer than 250 individuals, unless they carry out data processing that is likely to result in a high risk to the rights and freedoms of individuals.

Data Protection Impact Assessments (DPIAs) have been removed and renamed Assessments of High Risk Processing. The scope of the new Assessment is more limited and the Senior Responsible Individual’s (SRI) direct involvement is not legally required.

The Office of the Commissioner for the Retention and Use of Biometric Material will be abolished, and its powers transferred to the Investigatory Powers Commissioner. The Office of Surveillance Camera Commissioner will also be abolished. The functions of the National DNA Database Strategy Board will be transferred to a new Forensic Information Database Strategy Board.

Changes to the UK Privacy and Electronic Communications Regulations (UK PECR)

UK PECR has been amended to allow a range of new exceptions to the historical restrictions on cookies and similar technologies that store information, or gain access to information stored, in the terminal equipment of a subscriber or user. This means that there will be greater scope to use and deploy cookies, web beacons and similar technologies in the UK. It is unclear how this will work in practice, especially for website services that target the UK, the EU/EEA and the rest of the world at the same time. However, these legal provisions may lead to novel technical solutions and innovations.

New Ideas to Support Online Identification and Innovation

The proposed law contains new provisions to make Digital Verification Services (DVS) more reliable by establishing a trust framework, a register, an information gateway and a trust mark. UK Government Secretaries of State, or the organisations they nominate, will have new powers to request access to information secured by DVS. New definitions of business data, customer data, data holders, decision-makers and enforcers have been introduced, and the new rules state that the UK Government will have power to regulate these actors and their activities. The new rules also include powers to encourage information technology that enables consent to be given or automatic objections to be made.

The new law recognises European Union conformity assessment bodies under the EU eIDAS Regulation (trust services) and other overseas trust products and services.

The Future

The UK's Data Protection and Digital Information Bill is a mixed picture. There is an attempt at data protection de-regulation. The UK GDPR will be narrower in key areas, including the long-established definition of personal data. Importantly, UK data protection governance structures have been significantly scaled back, notably through the new rules governing the Information Commissioner's Office, Data Protection Officers and UK Data Protection Representatives. However, some of the new rules appear to be market-making for new technologies. Many of the legal changes substantially benefit the UK government, public services data sharing and their service providers. Nine senior Ministers have sponsored and support the new law, and the sponsoring Secretaries of State have reserved sweeping and controlling powers to themselves. Companies and organisations will find that UK data protection is much more complex than the EU GDPR, for what is a much smaller market. Further, UK data protection law can now change at any time in the future through easy-to-adopt regulations and direct government interventions.

PrivacySolved has years of expertise in UK, EU and global data protection and works with the key regulators. For advice, support, projects and programmes, contact PrivacySolved using the details above.

PS072022

Briefing

Countries in the Middle East have bold plans for economic growth, new technologies, innovation and urban development in the next ten to twenty years. The United Arab Emirates (UAE) is at the forefront of this high ambition. Bahrain, Qatar and Oman are smaller but resource-rich, and intend to diversify to meet a changing world. Saudi Arabia is a sleeping giant with confident plans for urbanisation and diversification of its economy. Israel stands slightly apart with its efforts to update its long-existing data protection laws; the nation is highly regarded for technology, security, unicorn companies and start-ups, with a successful history of technology exports. All of these countries are adopting new data protection laws, maturing existing rules or expanding the scope of technology regulation. These policy shifts seek to protect individual rights, build trust in new technologies and increase international and regional data flows. Data protection is trending in the Middle East because the region is investing heavily in data, technology, automation, smart cities and scientific innovation. Turkey is a notable regional neighbour, and the one most fully aligned to international data protection and EU standards; it serves as a reference point for the wider region. The overall regional picture is not uniform. There are different approaches, differing levels of data protection maturity, variable enforcement, many timelines and a range of expectations.

United Arab Emirates (UAE)

The UAE is made up of seven emirates. These are Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. The country has three international-facing data protection regulatory systems. The most recent is the UAE Data Protection Law of 2021. It is wide-ranging but does not apply to the UAE government or government organisations. The UAE Data Office, the data protection regulator, is still being fully set up. Rules, regulations and guidance will be published soon to clarify and expand the law. These updates and clarifications could be announced at relatively short notice, so companies and organisations must watch developments closely.

The other two laws relate to the UAE’s Free Zones that focus on international financial services, fintech, cryptocurrencies and sectors adjacent to these services. Abu Dhabi Global Market (ADGM) data protection laws were updated in 2021, adding elements that mirror the EU’s General Data Protection Regulation (GDPR). Dubai International Financial Centre (DIFC) data protection rules were updated in 2020 and adopted several matching principles and elements of the GDPR. The DIFC law is now more interoperable with the GDPR. DIFC has been taking steps to grant data protection adequacy to the EU, UK and Singapore. There is an ongoing appetite to establish data flows with other trusted countries and regions.

For further information and analysis, please read PrivacySolved’s detailed briefings on:

Abu Dhabi Global Market (ADGM) Data Protection

Dubai International Financial Centre (DIFC) Data Protection

UAE Data Protection Law

Bahrain

Bahrain’s Personal Data Protection Law (PDPL) came into force in August 2019. The key definitions largely mirror the definitions in the EU’s GDPR. Independent Data Protection Guardians, who are like GDPR Data Protection Officers, are to be appointed. Penalties range from 100 to 20, 00 dinars and could also include a year in prison. The regulator is the Ministry of Justice and Islamic Affairs (MOJ), which carries out the duties of the Bahrain Personal Data Protection Authority.

Qatar

Qatar’s Protecting Personal Data Privacy Law (PPDP) was enacted in 2016. The definitions in the law are similar to those in the EU’s GDPR and incorporate key international data protection principles. The Qatar Financial Centre (QFC), a Free Zone in Doha, also has its own data protection rules for businesses and organisations that are registered and licensed by the Centre. The Qatar Financial Centre Authority updated the QFC’s 2005 data protection regulations in December 2021 with new regulations and rules aligned with GDPR.

Saudi Arabia

The Kingdom of Saudi Arabia introduced its first Personal Data Protection Law (PDPL) by royal decree in September 2021. This was followed by a draft Executive Regulation in March 2022 to interpret and extend the PDPL. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA). The PDPL comes into force on 17 March 2023 (postponed from 22 March 2022). The law reflects key elements of international data protection principles and the EU GDPR, and mirrors various data protection laws in the Middle East.

Israel

Israel’s data protection law was introduced in 1981. Data Security Regulations followed in 2017. These include the concepts of personal data, sensitive data, database, database owner, database holder and database manager. The main law is the Protection of Privacy Law and the regulator is the Privacy Protection Authority (PPA), which is part of the Ministry of Justice. Israel’s data protection landscape is a mix of law, regulations and formal guidelines issued by the PPA. The European Commission granted Israel data protection adequacy in 2011, under the EU Data Protection Directive 1995, and Israel remains the only country in the Middle East to have received an EU adequacy decision. Further legal alignment with the EU’s GDPR may be required going forward. In 2021, the Ministry of Justice announced proposals to update the country’s data protection laws to improve the regulatory scope and key definitions and to increase the PPA’s enforcement powers.

Other Countries in the Middle East

Turkey, a near neighbour to the Middle East with enduring historical and trade links, introduced a comprehensive data protection law, the Protection of Personal Data Law of 2016. Turkey also ratified the Council of Europe Convention 108 in 2016. The Turkish Personal Data Protection Authority, Kişisel Verileri Koruma Kurumu (KVKK), is the regulator. Turkey’s data protection regulatory landscape reflects international data protection principles and is substantially similar to the EU’s GDPR.

Egypt introduced a Law on the Protection of Personal Data in 2020. The law includes principles, definitions, rights and duties that mirror EU GDPR. The Minister of Communications and Technology is tasked with publishing Executive Regulations for the law. The regulator is the Data Protection Centre, but this organisation has not been fully established. Lebanon has a basic data protection law in the form of the Electronic Transactions and Personal Data Law of October 2018. There is no independent data protection regulator. Oman published a Personal Data Protection Law in February 2022, with plans to bring it into force in February 2023.

Jordan published a draft data protection law in 2021. Iraq, Iran, Kuwait, Palestine, Syria and Yemen do not have comprehensive national or international-facing data protection laws.

Other Future Trends to Watch

The UAE and Saudi Arabia are moving quickly to expand their national artificial intelligence capabilities and introduce regulatory frameworks for new technologies. Fintech will continue to grow and mature in most countries. The emergence of Middle Eastern data protection regulators with distinct voices, regulatory approaches and ways of operating is a noticeable trend. The Turkish Personal Data Protection Authority (KVKK), the ADGM Office of Data Protection (Commissioner for Data Protection) and the DIFC Commissioner of Data Protection are creating notable blueprints. In the longer term, Chinese investment in the Middle East, coupled with the strengthening of historic ties with India, will impact the regulatory environment in the Middle East. China’s recent data protection and data security laws, as well as India’s impending comprehensive data protection law, will also shape data protection, cybersecurity, data flows, trade and the market adoption of new technologies and innovation.

For help, support and advice with data protection, data breach response, cybersecurity strategy, new technology projects and artificial intelligence data risks in the Middle East, especially the UAE, Turkey, Israel, Saudi Arabia, Bahrain and Qatar, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS052022

On 21 March 2022, the UK formally adopted a new UK General Data Protection Regulation (UK GDPR) Standard Contractual Clauses (SCCs) regime. After the UK’s exit from the European Union (Brexit), this represents a necessary divergence from the EU approach, because the UK became a “third country.” The UK has now declared data protection adequacy for most of the countries that shared data protection adequacy before Brexit. However, as a third country with GDPR embedded into its laws, it needed to put in place appropriate safeguards for personal data transfers to the rest of the world. This is the main purpose of the UK’s new data protection SCCs.

Countries that have UK Data Protection Adequacy

The UK Government has granted data protection adequacy status to the twenty-seven (27) member states of the European Union (EU) and the member countries of the European Economic Area (EEA), plus Gibraltar. The EU’s and EEA’s institutions, bodies, offices and agencies also have UK adequacy. The UK has also recognised, as providing adequate data protection, the countries the EU has declared adequate: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The UK has published plans to actively pursue data protection adequacy agreements with key foreign countries. These high-priority countries are Australia, Brazil, Colombia, the Dubai International Financial Centre Free Zone in the United Arab Emirates, India, Indonesia, Kenya, the Republic of Korea (South Korea), Singapore and the United States of America.

All the countries that have been declared adequate by the UK escape the complexities of putting in place wide-ranging appropriate safeguards, including the UK’s new SCCs, to facilitate international personal data transfers. The UK GDPR SCCs will govern international personal data transfers to non-EU, non-EEA and non-adequate countries in the rest of the world.

Understanding the new UK Standard Contractual Clauses Documents

Important Dates: The clauses become effective on 21 March 2022. By 21 September 2022, companies and organisations must start to use the new IDTA or UK Addendum for all new international personal data transfer arrangements governed by UK GDPR. Contracts signed before this date using the old EU SCCs will continue to be valid until 21 March 2024, if the data transfers remain unchanged during this period. By 21 March 2024, all data transfers under UK GDPR must use the new clauses. All historical UK GDPR international personal data transfers based on the old EU SCCs must be updated by that date.

The International Data Transfer Agreement (IDTA) is the UK’s new standalone SCC document. The main users will be UK-only based companies and organisations seeking to sign a stand-alone document to facilitate the data transfer. The IDTA could also be added as a self-contained schedule to another contract. It cannot be used by organisations that are seeking to cover personal data leaving both the EU and the UK. The IDTA is an alternative to the UK Addendum. The IDTA reflects the EU’s new SCCs, but not the modular approach seen in them. A wider range of parties, such as Data Controllers, Data Processors and Sub-Processors, can use the agreement and can list any supplementary measures that apply to the data transfer.

The UK Addendum is the UK Addendum to the EU’s SCCs for international personal data transfers. It is an alternative to the IDTA. The main users will be companies and organisations that carry out EU to non-EU/EEA international personal data transfers and who also seek to add similar provisions for UK personal data that will be transferred outside the UK, the EEA and the list of countries declared adequate both by the EU and the UK.

Transfer Risk Assessments (TRAs) must be completed when the IDTA or the UK Addendum are used, in order to assess the transfer risks and levels of compliance for the international personal data transfer. TRAs must be reviewed regularly. If the TRA indicates that the destination of the personal data transfer is not adequate, the company or organisation sending the personal data must put in place supplementary measures. It is likely that the UK Information Commissioner’s Office (ICO) will publish a UK GDPR TRA template or model for companies and organisations to use.

PrivacySolved has years of expertise in UK and EU data protection, including with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

The United Arab Emirates (UAE) is a nation in the Middle East made up of the seven emirates of Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. On 27 November 2021, the UAE Cabinet Office announced the new national data protection law (UAE DP Law). The UAE DP Law protects personal data held and processed by organisations that are registered in the UAE and process personal data of individuals inside or outside the UAE. It also applies to any organisation established outside the UAE that processes personal data of individuals inside the UAE, and to external organisations with personal data links to the UAE. The law encourages data processing controls which include lawfulness, fairness, transparency, using personal data for specific and clear purposes, accuracy, personal data security and responsible data retention. Individuals have rights to receive information, to request a transfer of their personal data (data portability), to correction, to erasure, to restrict processing, to object to types of processing like direct marketing and to object to automated processing. The UAE Data Office will be the regulator, established under a separate law. The UAE DP Law comes into force on 1 January 2022. Further regulations will also follow, allowing time for compliance after these regulations are published. The UAE Data Office will also publish rules and guidance.

1. What types of organisations are covered by UAE DP Law?

The law applies to businesses and organisations, both controllers and processors, that are registered in the UAE and that process personal data or sensitive personal data. It also applies to businesses and organisations based outside the UAE that process personal data of individuals who are in the UAE. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Controllers are those that decide the method, criteria and purpose for processing personal data. Processors collect, use and store personal data on behalf of, under the direction of and in accordance with the instructions of the controller. Data processors must follow the instructions of controllers and agree personal data processing contracts setting out the scope, purpose and types of data processing.

The UAE DP Law does not apply to government data, government organisations that control or process personal data, personal data held by security and judicial authorities and personal data used for personal purposes by individuals. Health personal data regulated by the ICT Healthcare Law of 2019 are excluded. Banking personal data regulated by other laws are also out of scope. Companies and organisations registered in UAE free zones that have their own specific free zone data protection laws are excluded. The Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) have their own separate data protection laws.

2. What types of data or information are covered by UAE DP Law?

The UAE DP Law protects personal data, which is defined as any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data. The definition includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. Sensitive personal data are also covered by the UAE DP Law. This category is defined as data that directly or indirectly reveals the family or ethnic origin of a natural person, political or philosophical opinions or religious beliefs, criminal record, biometric data and any data relating to an individual’s health.

3. What are the main UAE DP Law obligations for businesses?

UAE registered businesses and foreign based organisations should:

(a) Create a UAE (or Middle East and Africa) data protection framework with data processing controls and apply the law’s data protection principles, such as transparency (notices), fairness, lawfulness, accuracy and responsible data retention.

(b) Businesses and organisations acting as controllers and processors should establish and maintain a Special Record for Personal Data (SRPD). This should be available to the UAE Data Office, if requested. This appears to be like the GDPR’s Record of Processing Activities (ROPA).

(c) Establish opt-in consent mechanisms and ensure that each consent transaction is specific, clear, unambiguous and forms a clear positive statement or action.

(d) Appoint a sufficiently skilled and knowledgeable Data Protection Officer (DPO), as an employee or via an external service provider based inside or outside of the UAE. A DPO is legally required where personal data processing creates a high risk to the privacy of the personal data because of the adoption of new technologies or the volume of personal data processed; where processing involves the assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed.

(e) Report personal data breaches and data leakages to the UAE Data Office and to individuals affected, where necessary, as soon as they become aware of these incidents.

(f) Complete Data Protection Impact Assessments (DPIAs) when using any modern technologies that pose a high risk to the privacy and confidentiality of individuals.

(g) Create appropriate policies for processing sensitive personal data.

(h) Put in place appropriate technical and organisational measures to protect personal data and to ensure that automated processing remains limited to the intended purpose, including anonymisation and pseudonymisation.

(i) Set up accessible systems and processes to allow individuals to exercise their data protection rights, free of charge.

(j) Prepare for the new UAE DP Law international data transfer regime. There will be rules for countries that the UAE deems to have an adequate level of data protection, and countries that are treated differently will require mandated contractual clauses, assessments and personal data transfer mechanisms.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), UAE ADGM DP Law or UAE DIFC DP Law will they automatically comply with UAE DP Law?

Yes, to a certain extent, but not completely. GDPR, UAE free zone data protection laws and UAE DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. UAE DP Law was enacted to include provisions that largely reflect the EU’s GDPR requirements. GDPR data mapping and Records of Processing Activities logs can help to identify UAE DP Law-impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist UAE DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. The UAE DP Law also contains broad sector and data exclusions from government data, government bodies, health bodies, judicial and security bodies and some banking related personal data. UAE DP Law will also be supported by a range of further regulations in the coming months and years that will expand, specify and interpret the law.

5. Does the UAE DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in UAE and process personal data in the UAE or elsewhere, then the UAE DP Law will apply. The law also applies to foreign based businesses that process personal data on behalf of organisations registered in the UAE as well as foreign based businesses that externally process personal data about individuals who live, work or are otherwise in the UAE.

The penalties that will apply under the UAE DP Law have not yet been published. These will appear in future regulations and output from the UAE Data Office.

Resources

UAE Government Data Protection Pages

PrivacySolved Data Protection Officer Services

PrivacySolved Consulting and Strategy Services

PS122021

Briefing

The People’s Republic of China’s Personal Information Protection Law (China PIPL) is the country’s new data protection law. The law was adopted in August 2021 and came into force on 1 November 2021. PIPL protects the personal information held and processed by organisations operating in China and those established outside China. PIPL’s data protection principles include lawfulness, necessity, good faith, purpose limitation and data minimisation, transparency, accuracy, accountability and security. Individuals have rights to be informed, access, copies, deletion, rectification, portability and rights to respond to automated decision-making. Businesses and organisations must be more accountable and act in good faith when collecting, using and storing personal information. China does not have an independent data protection regulator. China’s PIPL enforcement is decentralised and the main government departments responsible for enforcement are the Cyberspace Administration of China (CAC) and the Ministry of Public Security. Each of these bodies has state-level and local organisations that can have rulemaking and enforcement powers. Enforcement starts on 1 November 2021, after a short implementation period.

1. What types of organisations are covered by China PIPL?

The law applies to businesses and organisations, which PIPL calls Personal Information Processors. The term is very similar to Controllers in the European Union’s General Data Protection Regulation (GDPR). The law covers businesses that are based in China and those based outside China that collect, use and store personal information about individuals in China. Companies and organisations based outside of China fall within the scope of PIPL if they provide goods and services to people in China, analyse or assess the behaviour of people in China, or where other Chinese laws and regulations so specify. Entrusted Parties are organisations that process personal information on behalf of and under the instruction of Personal Information Processors. This role is similar to the function of Processors in GDPR, but there are fewer explicit legal responsibilities under PIPL.

2. What types of data or information are covered by China PIPL?

China’s PIPL protects personal information. This is defined very broadly as all information related to identified and identifiable natural persons. Anonymised data are not personal information, if these cannot be used to identify specific natural persons and the personal information cannot be restored after processing. The law recognises sensitive personal information as that whose disclosure or illegal use can easily lead to the infringement of an individual’s personal dignity or harm to their person or property. Examples of such information include biometrics, religious beliefs, specific identity information, medical health, financial accounts, individual location tracking / geolocation and any personal information about children under 14 years old. Processing sensitive personal information attracts additional requirements, including a clear and specific purpose, necessity, strict protective measures, additional consent, greater transparency measures and Personal Information Impact Assessments (PIIAs).

3. What are the main obligations from China PIPL for businesses?

Businesses registered in China and international businesses and organisations with supply chains and links to China that fall within China PIPL’s scope must:

(a) Conduct regular China PIPL compliance audits.

(b) Formulate operating rules, internal management, data classification, data processing records and information management systems.

(c) Respond efficiently to personal information breaches with immediate remedies and notify Chinese authorities and affected individuals.

(d) Appoint a representative in China or create a specific legal entity in China to comply with PIPL’s requirements.

(e) Set up processes and tools to carry out Personal Information Impact Assessments (PIIAs) for international personal information transfers outside of China, using third parties to process personal information (such as other Personal Information Processors or Entrusted Parties) or when disclosing information.

(f) Allow individuals to easily give and withdraw consent.

(g) Follow the strict rules on international transfers of personal information. This means either passing a security assessment from the State Cybersecurity and Informatization Department (for critical information infrastructure operators or those transferring a lot of personal information), gaining a personal information protection certification from a specialised body authorised by the State Cybersecurity and Informatization Department, agreeing a contract with the foreign receiving party based on the standard contractual clauses issued by the Cyberspace and Informatization Department, or using other methods specified by Chinese law, administrative regulations or the State Cybersecurity and Informatization Department.

(h) Appoint a Personal Information Protection Officer (PIPO), if required to do so by the State Cyberspace and Informatization Department, to supervise data processing, register with the authorities and identify themselves to individuals whose personal information is being processed.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with China PIPL?

Yes, in large part, but not completely. GDPR and China PIPL have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. China PIPL was enacted to include provisions that mirror some of the EU’s GDPR requirements. GDPR data mapping and records of processing activities can help to identify personal information impacted by China PIPL. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist China PIPL compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Chinese-speaking Data Protection Officers (Personal Information Protection Officers) and Representatives based in China are also important.

For fuller Chinese compliance, companies and organisations should also comply with other Chinese laws which are closely associated or aligned with China’s PIPL. These include:

China Cybersecurity Law (CSL) of 7 November 2016, in force 1 June 2017

China Data Security Law (DSL) of 10 June 2021, in force 1 September 2021

China Civil Code of 28 May 2020, in force 1 January 2021

5. Does China PIPL apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in China and process personal information in China, then China PIPL will apply. The law also applies to foreign-based businesses that provide goods and services to people in China and support China-based businesses and organisations. Foreign-based companies and organisations that analyse or assess the behaviour of people in China also fall within PIPL’s scope. China PIPL could also be extended by other Chinese laws and regulations at the national, regional, state or local level. This means that organisations must constantly review the scope and application of PIPL.

Enforcement of China PIPL is multifaceted. There are criminal penalties, including imprisonment, if a violation of PIPL amounts to a breach of public security administration and criminal liability is proven. There are civil liability penalties for breaches of China’s Civil Code, including consumer law. Chinese state or regional consumer organisations can also conduct public interest litigation on behalf of a large group of people affected by breaches of PIPL. It is important to note that the burden of proof lies with the Personal Information Processor to demonstrate that no breach of China PIPL has taken place, because Personal Information Processor fault is presumed at the outset.

PIPL also has a system of administrative penalties, falling into two types of cases. In general cases, Personal Information Processors and Individuals can be given warnings, orders to rectify, confiscation of illegal gains and orders to suspend / terminate services that unlawfully process personal information. Failure to make corrections could result in fines of up to 1 million RMB. Responsible Persons could receive fines from 10,000 RMB. In severe cases, Personal Information Processors and Individuals can be given orders to rectify, confiscation of illegal gains, orders to suspend / terminate services, cessation of business for rectification or revocation of business licences or permits. Fines of up to 50 million RMB or 5% of annual turnover from the previous year could also be given. For Responsible Persons, fines ranging from 100,000 to 1 million RMB could be levied. Responsible Persons could also be prohibited from holding director, supervisor, senior manager or Personal Information Protection Officer positions for a period of time.

China Resources

National People’s Congress of China, PIPL Official Chinese Translation

National People’s Congress of China, PIPL Official English Translation

National People’s Congress of China, DSL Official English Translation

Stanford University Cyber Policy Center: DigiChina

National Information Security Standardisation Technical Committee of China Guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information (June 2022) – In Chinese

Cyberspace Administration of China (CAC) Data Protection PIPL Standard Contractual Clauses (SCCs) for International Data Transfers (June 2022) – Draft for Consultation, In Chinese

CAC Outbound Data Transfer Security Assessment Measures, effective 1 September 2022 (July 2022) – In Chinese

CAC Outbound Data Transfer Security Assessment Measures, effective 1 September 2022 (July 2022) – DigiChina English Translation

PS072022

The United Kingdom’s departure from the European Union and the Coronavirus Covid-19 Pandemic have been dramatic episodes. There is now a clear political push to create “Global Britain,” to excel economically and to be a pioneer in innovation. The UK is starting to rethink its future path. A new National Data Strategy and an Artificial Intelligence Strategy have set the tone. An EU/UK Data Protection Adequacy Agreement, a consultation on UK International Data Transfers, new ideas for UK Standard Contractual Clauses (SCCs) and proposed reform of the UK General Data Protection Regulation (GDPR), the regulator, enforcement and regulatory priorities all strongly suggest significant future divergence. This is major change, with more to come. Some changes will take place, while others will fall away or transform into other outcomes. Change in UK data, GDPR, innovation, artificial intelligence strategy and regulation is the only constant.

Companies and Organisations will need to track proposals, examine the details, participate in consultations, review legal developments and update their data governance outlook. Strategy and risk should also be reviewed and recalibrated. This resources page provides a dashboard of the most important changes to the UK landscape. It will be updated, as things develop, and as the bigger picture becomes clearer.

UK National Data Strategy (December 2020)

Information Commissioner’s Office (ICO) Public Consultation on UK International Data Transfers (August 2021)

Department for Digital, Culture, Media and Sport (DCMS) Public Consultation on the UK Data Reforms “Data: A New Direction” (September 2021)

UK National Artificial Intelligence Strategy (September 2021)

ICO Response to DCMS Consultation “Data: A New Direction” (October 2021)

UK HMG Algorithmic Transparency Standard – Public Sector (November 2021)

UK National Cyber Strategy 2022 (December 2021)

New UK GDPR International Personal Data Transfers Scheme and Documents (February / March 2022)

The Queen’s Speech 2022, delivered by Prince Charles, and the UK Government’s Background Briefing Notes (May 2022)

UK Digital Strategy (June 2022)

UK DCMS Response to the Submissions received by the “Data: A New Direction” Public Consultation (June 2022)

ICO’s Statement to DCMS’ Response to the “Data: A New Direction” Submissions (June 2022)

UK DCMS AI Action Plan (July 2022)

UK Data Protection and Digital Information Bill [Updates UK GDPR] (July 2022)

UK ICO New Guidance, Forms and Documents for UK GDPR Binding Corporate Rules [BCRs] (July 2022)

PrivacySolved has years of expertise in UK and EU data protection, including with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

Briefing

On 4 June 2021, the European Commission published its new data protection Standard Contractual Clauses (SCCs) for General Data Protection Regulation (GDPR) international data transfer compliance. These clauses replace the pre-GDPR clauses published in 2010 and 2014. The new clauses are more fully aligned with the GDPR and the Court of Justice of the European Union’s decision in the Schrems II case of 2020. The clauses came into force on 27 June 2021. From 27 September 2021, all new data protection international transfer arrangements must use the new SCCs. By the end of December 2022, all contracts that transfer the personal data of individuals based in the EU must be updated to reflect the new SCCs. This means that comprehensive data protection updating will be required across a wide range of supply chains.

Key Things to Know about the New SCCs

The key purpose of the new SCCs is to embed GDPR-compliant and legally binding contractual terms into supply chains and value chains around the world. The key definitions to understand are Data Exporters (based in the EU) and Data Importers (based outside of the EU). The SCCs are organised into four modules: (a) Controller to Controller, (b) Controller to Processor, (c) Processor to Processor and (d) Processor to Controller. Each module can be used as a stand-alone contract, or the modules can be used together to form a more comprehensive agreement.

The new SCCs have a so-called docking clause that allows Data Exporters and Data Importers to be added to the clauses over time. This allows maximum flexibility. There are clauses in the SCCs that limit and manage onward data transfers and ensure holistic data protection compliance. Another innovation is the need for Transfer Impact Assessments (TIAs), which must be performed and recorded for all personal data transfers from the EU to countries outside of the EU (third countries).

The UK is in a special position because of Brexit, its departure from the European Union. It is now a third country and so the new SCCs do not apply to it. All data transfers from the UK to third countries may still rely on the EU’s old SCCs and the additional requirement of TIAs. In the longer term, the UK will formulate its own guidance and standard clauses for international transfers.

Inside the Standard Contractual Clauses (SCCs) Project

For the largest companies and organisations, similar contract remediation projects took place in 2010, 2014 and between 2015 and 2016 after the Schrems I case invalidated EU/US Safe Harbor. Work may also have been done in the lead-up to May 2018, when GDPR fully came into force. Lessons from these previous efforts can inform current and future SCC projects. However, current SCC implementation projects will be more complicated because of the detailed requirements of GDPR, more complex supply chains, modern cloud computing services, the presence of big data stores and the use of modern pseudonymisation, hashing and anonymisation techniques.

For SCC projects, here is the Insider’s Guide to effective planning and delivery:

  • The Data Strategy

Companies and organisations should adopt a clear strategy position about their data and international data flows. The new EU SCCs should not be implemented only as a “papering exercise.” The work should complement the strategy and seek savings, economies of scale and innovation. Supply chains could be simplified, international data flows trimmed and data processors audited and removed, if necessary.

  • Data Flows, Risks and Records of Processing Activities (ROPA)

Adopting the new SCCs could also allow organisations to put their global data protection compliance credentials to the test. It is an opportunity to mature Records of Processing Activities under Article 30 of the GDPR. Transfer Impact Assessments can be used to risk-assess countries, sectors and organisations as a way of identifying, managing and reducing risks. The risk-based approach should be comprehensive and cover political, economic, human rights, regulatory, international sanctions and information security risks. With this information, companies and organisations could then seek to add contractual, organisational or technical safeguards to respond to these risks.

  • The Project Plan and The Multidisciplinary Team

Effective SCC implementation requires a clear project plan and resources, including a realistic and flexible financial budget. Even more important is a multidisciplinary team including the Data Protection Office (or Data Protection Professionals), Information Security, procurement, the legal team, the service managers, and audit and compliance teams. The combined knowledge of these teams, when well organised, can add detail and precision to the work. Service managers and procurement teams often know most about contracting partners, because of their day-to-day experience and often long-established relationships. External advisors and technology solutions may help to expand the expertise and improve benchmarking.

  • Communication, Patience and Dynamism

It is important to remember that the EU SCCs will test supply chains and the relationships between Data Exporters and Data Importers. Communication at every level within each organisation and between the contracting parties is vital. It is important to recognise that each party may prioritise and timetable contractual changes differently. The SCC project can also become a place where other important issues are contested. This includes existing contract performance issues, contractual warranties, indemnities, information security schedules, key performance indicators, insurance, price and audit rights. Patience is required, along with the ability to remember the key reasons for the data sharing and data transfers. Timetables may slip, but each party should retain enthusiasm and dynamism to gain the required signatures and move to contract performance.

For assistance with EU/UK Standard Contractual Clauses Projects, Legal and Regulatory support, EU GDPR compliance, adopting data privacy certifications and Codes of Practice, contact PrivacySolved.


PS082021

The Abu Dhabi Global Market (ADGM) Data Protection Law 2021 (DP Law) applies to the ADGM international financial centre free zone in Abu Dhabi, United Arab Emirates. The law was adopted on 14 February 2021. The new law updates and replaces the 2015 law. The ADGM DP Law protects the personal data held and processed by organisations that are registered in the ADGM as well as linked external organisations. New data protection principles include lawfulness, fairness, transparency and accountability. Individuals have new rights relating to data portability, automated decision-making and profiling. Businesses must be accountable and demonstrate compliance with expanded data protection principles. The ADGM Office of Data Protection, Commissioner of Data Protection, is the regulator. Enforcement starts on 14 August 2021 for organisations that registered at ADGM after 14 February 2021. ADGM organisations that were registered before 14 February 2021 must comply with the new law by 14 February 2022.

1. What types of organisations are covered by ADGM DP Law?

The law applies to businesses (controllers) that are registered in the ADGM and that process personal data or sensitive personal data. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Personal data used and stored outside of ADGM but concerning ADGM-registered organisations is covered by the law. Processors registered in ADGM who process personal data for controllers outside the ADGM are also covered by the law, to a limited extent.

2. What types of data or information are covered by ADGM DP Law?

The ADGM DP Law protects personal data, which is defined as any data relating to an identified natural person or identifiable natural person. This also includes data containing opinions and intentions about identified or identifiable individuals. The ADGM DP law also applies to sensitive personal data which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), data about health, data about a person’s sex life or sexual orientation, personal data relating to criminal convictions and offences or related security measures.

3. What are the main ADGM DP Law obligations for businesses?

ADGM registered businesses must:

  • Register as a Data Controller with the ADGM Office of Data Protection ($300 USD) and renew the registration every year ($100 USD).
  • Apply for permits to process sensitive personal data ($100 USD), apply to transfer personal data ($100 USD) and register data processors.
  • Comply with the ADGM DP Law data protection principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
  • Appoint a Data Protection Officer (DPO) if high-risk data processing takes place on a systematic or regular basis.
  • Report personal data breaches to the Office of Data Protection within 72 hours of becoming aware of them.
  • Complete Data Protection Impact Assessments (DPIAs) for high-risk data processing and report these to the ADGM Office of Data Protection. Put in place an appropriate policy for processing sensitive personal data.
  • Respond to the exercise of data protection rights by individuals within 2 months of receiving these requests.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with ADGM DP Law?

Yes, in large part, but not completely. GDPR and ADGM DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. ADGM DP Law was enacted to include provisions that largely mirror the EU’s GDPR requirements. GDPR data mapping and records of processing activity logs can help to identify ADGM DP Law impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist ADGM DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. ADGM has published its own data protection standard contractual clauses, for personal data transfers outside of the ADGM.

5. Does the ADGM DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in ADGM and process personal data in the ADGM then the ADGM DP Law will apply. The law also applies to foreign businesses that process data on behalf of organisations registered in the ADGM. The ADGM Commissioner of Data Protection can impose administrative fines of up to $28 million (USD).


© Copyright 2024 PrivacySolved. All rights reserved. Website by Jerboa.