Calculating Future EU GDPR Fines

Briefing

The European Union’s data protection regulators have decided to significantly increase General Data Protection Regulation (GDPR) enforcement cooperation. In April 2022, the regulators published the Vienna Statement on Enforcement Cooperation. In May 2022, the European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines under the GDPR. The EDPB opened a period of consultation.  Since GDPR came into force in 2018, EU GDPR regulators have developed their own enforcement strategies, investigation thresholds and methodologies for calculating and imposing fines. Many of these were unpublished. As GDPR regulators began to deal with cross-border investigations and complaints, differences in approach began to strain co-operation.  Greater unity and clarity on fines and calculation methods will create more transparency for data controllers, processors, supply chains and individuals. It also helps EU GDPR regulators to practically deal with the same cases in similar ways, which builds trust and confidence.

EU GDPR Fine Rules and New EDPB Guidelines 2022

The GDPR is clear that the calculation of fines is left to the discretion of each EU GDPR regulator, in line with the law. Each fine must be effective, proportionate and dissuasive. Data protection regulators must consider the circumstances relevant to the infringement, such as its seriousness or the character of the perpetrator. The level of the fine should not exceed the maximum amounts listed in the GDPR of €10,000,000 or 2% of worldwide annual turnover (whichever is higher) and €20,000,000 or 4% of worldwide annual turnover (whichever is higher). Each fine must be specific to that case and be calculated according to the elements set out in the GDPR.

In May 2022, the EDPB published the following five-step methodology for calculating GDPR fines. It aims to build on the GDPR’s rules but also expand the types and levels of analysis to improve transparency, accountability and enforcement cooperation between the EU’s data protection regulators. The Guidelines cover EU cross border cases and non-cross border cases.

Step 1: Identify the processing operations in the case and evaluate the application of GDPR Article 83(3).
Step 2: Find the starting point for further calculation based on an evaluation of:
a) the classification in GDPR Article 83(4)–(6);
b) the seriousness of the infringement based on GDPR Article 83(2)(a), (b) and (g);
c) the turnover of the organisation as one relevant element to take into consideration in order to impose an effective, dissuasive and proportionate fine, in line with GDPR Article 83(1).
Step 3: Evaluate aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increase or decrease the fine accordingly.
Step 4: Identify the relevant legal maximums for the different processing operations. Increases applied in previous or later steps cannot exceed this amount.
Step 5: Analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by GDPR Article 83(1), and increase or decrease the fine accordingly.

The EDPB Guidelines state that the calculation of GDPR fines should not be a mere mathematical exercise. The circumstances of each specific case will ultimately determine the final amount between any minimum and the legal maximum. These Guidelines are intended to help EU data protection regulators consistently apply and enforce the GDPR and set out the EDPB’s common understanding of the rules in the GDPR. The Guidelines also aim to create harmonised starting points and shared methodology for all EU GDPR regulators, but not necessarily harmonised outcomes. The Guidelines apply to all sorts of private sector controllers and processors and extend to the public services, in so far as national member state laws allow.

High GDPR Fine Patterns Since 2018

The power to stop or suspend data processing and the power under the GDPR to issue fines of 2% or 4% of annual worldwide turnover are powerful enforcement tools. GDPR fines vary greatly. The highest fines announced have been Amazon (€746 million) in Luxembourg, Facebook: WhatsApp (€225 million) in Ireland, H&M (€35 million) by Hamburg in Germany, TIM (€27.8 million) in Italy, British Airways (€22 million) in the UK, Clearview AI (€20 million) in Italy, Caixabank (€6 million), the Dutch Tax and Customs Administration (€3.7 million) in the Netherlands and the National Revenue Agency (€2.6 million) in Bulgaria. These fines were issued largely using each regulator’s own internal and unpublished methodologies and analysis, guided by their interpretation of the law. Several GDPR fines have been challenged in courts and have been upheld. A few of the fine amounts have been reduced.

GDPR Fines Guidance in the Netherlands, Germany and the UK

In 2019, the Dutch data protection regulator published GDPR fines guidance for companies and government organisations. The guidance emphasised the organisation’s revenue stream as being a key factor in the final fine, to be considered at the final stage of the calculation. In 2019, Germany’s data protection authorities published a concept paper on methods for calculating GDPR fines for companies. The concept paper focused on turnover, with a detailed methodology. This approach has not proved sustainable and has been challenged. In 2020, the UK data protection regulator published draft guidance that set out four categories of culpability, included the organisation’s turnover and proposed fine reductions to encourage early payment. Post-Brexit, the UK GDPR draft fine guidance was updated, simplified and received consultation responses in 2022.

Future EU GDPR Fines: Looking Ahead

These EDPB Guidelines are likely to change with consultation and over time. Businesses and organisations will be better able to understand the important elements that make up a GDPR fine. The themes of proportionality, transparency and EU enforcement interoperability now appear to be the driving forces in EU GDPR financial penalty calculations. It is unclear whether this will encourage or discourage appeals against the amount and calculation methods of GDPR fines. However, it is important to remember that these are guidelines. Each EU data protection regulator has scope to decide how much of the guidelines to apply in each case. The ability of EU data protection regulators to issue dissuasive or exceptional fines remains. The decision-making autonomy of each regulator, on a case-by-case basis, continues to operate.

For assistance with EU/UK GDPR compliance, data protection regulatory investigations, GDPR enforcement support, data breach response and our Legal & Regulatory Support services, contact Privacy Solved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS062022

Data Protection is Trending in the Middle East

Briefing

Countries in the Middle East have bold plans for economic growth, new technologies, innovation and urban development in the next ten to twenty years. The United Arab Emirates (UAE) is at the forefront of this high ambition. Bahrain, Qatar and Oman are smaller still, but are resource-rich and intend to diversify to meet a changing world. Saudi Arabia is a sleeping giant with confident plans for urbanisation and diversification of its economy. Israel stands slightly apart with its efforts to update its long-existing data protection laws. The nation is highly regarded for technology, security, unicorn companies and start-ups, with a successful history of technology exports. All of these countries are adopting new data protection laws, maturing existing rules or expanding the scope of technology regulation. These policy shifts seek to protect individual rights, build trust in new technologies and increase international and regional data flows. Data protection is trending in the Middle East because the region is investing heavily in data, technology, automation, smart cities and scientific innovation. Turkey is a notable regional neighbour and the most fully aligned to international data protection and EU standards. Turkey serves as a reference point for the wider region. The overall regional picture is not uniform. There are different approaches, differing levels of data protection maturity, variable enforcement, many timelines and a range of expectations.

United Arab Emirates (UAE)

The UAE is made up of seven emirates. These are Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. The country has three international-facing data protection regulatory systems. The most recent is the UAE Data Protection Law of 2021. It is wide-ranging but does not apply to the UAE government or government organisations. The UAE Data Office, the data protection regulator, is still being fully set up. Rules, regulations and guidance will be published soon to clarify and expand the law. These updates and clarifications could be announced at relatively short notice, so companies and organisations must watch developments closely.

The other two laws relate to the UAE’s Free Zones that focus on international financial services, fintech, cryptocurrencies and sectors adjacent to these services. Abu Dhabi Global Market (ADGM) data protection laws were updated in 2021, adding elements that mirror the EU’s General Data Protection Regulation (GDPR). Dubai International Financial Centre (DIFC) data protection rules were updated in 2020 and adopted several matching principles and elements of the GDPR. The DIFC law is now more interoperable with the GDPR. DIFC has been taking steps to grant data protection adequacy to the EU, UK and Singapore. There is an ongoing appetite to establish data flows with other trusted countries and regions.  

For further information and analysis, please read PrivacySolved’s detailed briefings on:

Abu Dhabi Global Market (ADGM) Data Protection

Dubai International Financial Centre (DIFC) Data Protection

UAE Data Protection Law

Bahrain

Bahrain’s Personal Data Protection Law (PDPL) came into force in August 2019. The key definitions largely mirror the definitions in the EU’s GDPR. Independent Data Protection Guardians, who are like GDPR Data Protection Officers, are to be appointed. Penalties range from 100 to 20, 00 dinars and could also include a year in prison. The regulator is the Ministry of Justice and Islamic Affairs (MOJ), who carry out the duties of the Bahrain Personal Data Protection Authority.

Qatar

Qatar’s Protecting Personal Data Privacy Law (PPDP) was enacted in 2016. The definitions in the law are similar to those in the EU’s GDPR and incorporate key international data protection principles. The Qatar Financial Centre (QFC), a Free Zone in Doha, also has its own data protection rules for businesses and organisations that are registered and licensed by the Centre. The Qatar Financial Centre Authority updated the QFC’s 2005 data protection regulations in December 2021 with new regulations and rules aligned with GDPR.

Saudi Arabia

The Kingdom of Saudi Arabia introduced its first Personal Data Protection Law (PDPL) by royal decree in September 2021. This was followed by a draft Executive Regulation in March 2022 to interpret and extend the PDPL. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA). The PDPL comes into force on 17 March 2023 (postponed from 22 March 2022). The law reflects key elements of international data protection principles and the EU GDPR, and mirrors various data protection laws in the Middle East.

Israel

Israel’s data protection law was introduced in 1981. Data Security Regulations followed in 2017. These include the concepts of personal data, sensitive data, database, database owner, database holder and database manager. The main law is the Protection of Privacy Law and the regulator is the Privacy Protection Authority (PPA), which is part of the Ministry of Justice. Israel’s data protection landscape is a mix of law, regulations and formal guidelines issued by the PPA. The European Commission granted Israel data protection adequacy in 2011, under the EU Data Protection Directive 1995, and Israel remains the only country in the Middle East to have received an EU adequacy decision. Further legal alignment with the EU’s GDPR may be required going forward. In 2021, the Ministry of Justice announced proposals to update its data protection laws to improve the regulatory scope, key definitions and increase the PPA’s enforcement powers.

Other Countries in the Middle East

Turkey, a near neighbour to the Middle East with enduring historical and trade links, introduced a comprehensive data protection law, the Protection of Personal Data Law of 2016. Turkey also ratified the Council of Europe Convention 108 in 2016. The Turkish Personal Data Protection Authority, Kişisel Verileri Koruma Kurumu (KVKK), is the regulator. Turkey’s data protection regulatory landscape reflects international data protection principles and is substantially similar to the EU’s GDPR.

Egypt introduced a Law on the Protection of Personal Data in 2020. The law includes principles, definitions, rights and duties that mirror EU GDPR. The Minister of Communications and Technology is tasked with publishing Executive Regulations for the law. The regulator is the Data Protection Centre, but this organisation has not been fully established. Lebanon has a basic data protection law in the form of the  Electronic Transactions and Personal Data Law of October 2018. There is no independent data protection regulator.  Oman published a Personal Data Protection Law in February 2022, with plans to bring it into force in February 2023.

Jordan published a draft data protection law in 2021. Iraq, Iran, Kuwait, Palestine, Syria and Yemen do not have comprehensive national or international-facing data protection laws.

Other Future Trends to Watch

The UAE and Saudi Arabia are moving quickly to expand their national artificial intelligence capabilities and introduce regulatory frameworks for new technologies. Fintech will continue to grow and mature in most countries. The emergence of Middle Eastern data protection regulators with distinct voices, regulatory approaches and ways of operating is a noticeable trend. The Turkish Personal Data Protection Authority (KVKK), ADGM Office of Data Protection (Commissioner for Data Protection) and the DIFC Commissioner of Data Protection are creating notable blueprints. In the longer term, Chinese investment in the Middle East, coupled with the strengthening of historic ties with India, will impact the regulatory environment in the Middle East. China’s recent data protection and data security laws, as well as India’s impending comprehensive data protection law, will also shape data protection, cybersecurity, data flows, trade and the market adoption of new technologies and innovation.

PS052022

Ireland’s Cautious Cybersecurity Outlook

Ireland should be a cybersecurity powerhouse. However, the nation takes a cautious approach. The country is a preferred destination for California’s Silicon Valley technology giants and other foreign technology investments. The island is home to around 30% of Europe’s data centres. It has artfully managed its strategic relationships with the European Union and the United States of America. Technology and cybersecurity clusters in Dublin, Cork, Galway and Shannon continue to grow and attract investment. Cyber Ireland, the national cybersecurity cluster, is seeking to join up and mature the local ecosystems. Headline-grabbing cyberattacks such as WannaCry (2017), NotPetya (2017) and the Health Service Executive (HSE) ransomware attack in May 2021 were significant warnings to Ireland to significantly upgrade its national information security resilience. In 2021, it was estimated that cybercrime cost Ireland €9.6 billion a year. Ireland’s public sector remains stoic, pragmatic and relatively low spending. In contrast, the private sector is developing a growing appetite for cybersecurity services and solutions.

Ireland’s National Cyber Security Strategy 2019-2024

Ireland’s current National Cyber Security Strategy was published in 2019 and covers the five years from 2019 to 2024. Ireland’s National Cyber Security Centre (NCSC) is the main body responsible for the Strategy and many of the measures set out in the document. The NCSC is also accountable for Ireland’s Critical National Infrastructure information security and enforcing the EU’s Networks and Information Systems Directive (NIS Directive). NCSC has been designated as Ireland’s Cyber Security Incident Response Team (CSIRT-IE). See PrivacySolved Insights Briefing Cybersecurity: Focus on Ireland’s National Cyber Strategy for more details on the Strategy.

Cautious New Funding for the National Cyber Security Centre (NCSC)

Ireland’s digital economy has been valued at USD $14 billion and is increasingly facing cybersecurity threats that have led to increases in cybersecurity spending in the private and public sectors. In July 2021, two months after the HSE ransomware attack, the Irish Government announced a doubling of staff numbers at the NCSC over the following 18 months. This was estimated to cost €2.5m in the first year. Twenty (20) new roles would be added to the existing 25 already working at the NCSC. The longer-term plan is to reach 70 employees within five years (by 2026). A new headquarters building, new graduate training programme and a new head of the NCSC have also been added.

There are growing calls for the NCSC to receive more funding as a good investment and to reflect the spending priorities of Ireland’s European neighbours like the UK, France, Netherlands, Belgium and Germany. Evidence given to the Irish Parliament’s Joint Oireachtas Committee on Transport and Communications in May 2021 suggested that the NCSC should receive a ten times budget uplift from £5 million a year to £50 million a year. Ireland is informally called “data island” because of its considerable market share of European data centres, yet the NCSC’s £5 million budget is relatively low. For context, the NCSC’s budget is said to be a third of the spending by the public relations (PR) team in the Department of the Taoiseach (the Irish Prime Minister’s Department) which was about 16.9 million in 2020. A former Chief Executive of the HSE suggested in 2021 that the HSE’s expenditure on IT security was about a quarter of what would be expected when compared with other health systems. On closer analysis, there is evidence of underinvestment in government and public sector information security. By contrast, the $300 million Irish market for cybersecurity solutions and services (mainly private sector) is growing.

Cyber Security Baseline Standards (Public Sector)

In January 2022, the NCSC and the Office of the Government Chief Information Officer (OGCIO) published their jointly developed Cyber Security Baseline Standards for Irish Public Sector bodies. The Standards are intended to create an acceptable security standard, build a more resilient security environment and form a broad framework for measures which can be revised over time. The standards will help organisations improve the management of cybersecurity risks, allowing Public Service bodies to better identify, protect, detect, respond to, and recover from cybersecurity attacks. This will minimise damage and adverse impacts. 

The Standard includes a Cyber Incident Response Plan (CIRP) checklist and checklists for a range of other activities such as Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. It is a minimum set of standards and requires organisations to expand upon these depending on their activities and risk profiles.

Data Protection Commission Ireland’s data breach enforcement efforts

Data Protection Commission Ireland (DPC Ireland) is Ireland’s data protection and GDPR regulator. Since May 2018 it has not developed significant and high-profile casework on major cyberattack response and data breaches. So far, DPC Ireland’s position on major data breaches remains underdeveloped. However, in October 2021, DPC Ireland fined Twitter €450,000 for reporting a data breach late, which breached GDPR. DPC Ireland’s Annual Report 2021 suggests a high level of engagement and high rates for resolving personal data breach notifications and referrals. In 2021, the Commission received 6,549 personal data breach notifications and concluded its work on 95% (6,274) in the same year. In October 2021, DPC Ireland received a budget increase of 22% (€4.1 million), from the year before, to €23.2 million for the next year. At present, DPC Ireland receives nearly five times the annual budget of the NCSC. DPC Ireland has 190 staff, four times more than the recently enlarged NCSC.

Future Developments

The key future developments to look for are more public sector cybersecurity funding and specific new investment and resources for the NCSC. The growth and maturity of the NCSC will be demonstrated by a larger staff pool, more IT and technical specialists and more involvement in critical national infrastructure initiatives. The NCSC is beginning to work more fully with the EU’s Agency for Cybersecurity (ENISA), the UK’s National Cybersecurity Centre (UK NCSC), the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). Together they respond to coordinated threat alerts and cyberattack responses. Future high impact cross-border activities will also imply maturity, growth and development. DPC Ireland’s increased enforcement activities, especially in the area of large data breaches, sophisticated cyberattacks and GDPR non-compliance in large systems will signal a more confident future for Ireland’s cybersecurity, data protection, trust and national security resilience efforts.

Resources

Ireland National Cyber Security Strategy 2019-2024

Ireland Cyber Security Baseline Standards 2022

PS042022

Sanctions, International Data Flows and ESG Compliance

Briefing

Globally, at any given time, there are international, economic or trade sanctions in place that directly affect countries, sectors, businesses, organisations and individuals. The world is interconnected in terms of trade, investment, financial flows, debt repayments and just-in-time supply chains. Sanctions are often underpinned by laws with criminal and civil penalties. Russia’s annexation of Crimea in 2014 and its subsequent invasion and war in Ukraine in 2022 have led to an unprecedented level of international, coordinated and punishing sanctions against Russia. Its political system, leaders, parliament, central bank, key sectors, businesses, influential individuals and its uber-rich citizens called oligarchs have all been targeted. Currently, significant sanctions are in place against Russia, Belarus, Iran, North Korea, Syria, Myanmar, Venezuela and Cuba. The European Union, China and the United States have imposed a range of unilateral trade sanctions between themselves, in recent years, to protect several of their strategic sectors. Sanctions directly affect confidence, investment, trade and international data flows. After sanctions are imposed, the data flows to and from sanctioned parties must be scrutinised for lawfulness, human rights compliance and for fit with an organisation’s Environmental, Social and Governance (ESG) position.

Types of Sanctions

International sanctions are political and economic decisions, made through diplomatic efforts by countries, multilateral or regional entities against states and organisations to protect international law, national security and to defend against threats to international peace and security. These sanctions are normally put in place by the United Nations (UN), or by countries working in consultation with the UN. These decisions include temporary economic, trade, diplomatic, cultural, environmental and other restrictions or blocks. Sanction measures are lifted when the issues that led to the restrictions end or the situation changes. Often, sanctions are given their primary functional title, such as diplomatic sanctions or economic sanctions. Sanctions remain the international community’s most powerful peaceful actions to prevent or respond to threats to international peace and security. Increasingly, unilateral sanctions can be imposed by a country on another nation to further its strategic interests via strong economic pressure through economic, trade or diplomatic activities. Breaching sanctions deliberately or inadvertently can lead to criminal or civil penalties. Assisting a sanctioned entity or an individual to evade sanctions can also lead to severe consequences for all involved.

Lawfulness and Fairness in Data Flows

A key principle in international data governance, data protection laws and in modern data privacy analysis is that the processing of personal data, personal information and personally identifiable information must always be done lawfully and fairly. Lawful means that the activity should not breach civil or criminal laws, directly or indirectly. Fairness is a wide concept and includes equity between the parties, respect for natural law, upholding fundamental rights, human rights protection, substantive fairness and fairness in processes. The principle of fairness discourages the sharing of personal data and personal information for covert purposes, or by tricks, deception, obfuscation, online dark patterns or via the misuse of language. Fairness considerations can also protect individuals with special or protected characteristics such as age (young and old), disability, ethnic origins or nationality.

The EU’s General Data Protection Regulation (GDPR) requires transparency and accountability in data flows. China’s Personal Information Protection Law (PIPL) and Brazil’s Data Protection Law (LGPD) contain a fundamental principle that all parties should act in “good faith” when they collect, use, share or store personal information. The flow of personal data to sanctioned countries, sectors, businesses, organisations, groups or individuals can conflict with lawfulness, fairness, transparency, accountability and good faith requirements. Companies and organisations should ensure that they do not breach these principles when dealing with sanctioned entities and individuals. These breaches of data protection and data privacy rules could lead to investigations, reprimands, administrative fines, third-party actions, other enforcement action or legal (court) action.

International Personal Data Transfer Risk Assessments

Aware that the transfer and sharing of personal data to some foreign countries can put individuals at risk, breach national laws and cause other harms, European regulators such as the European Data Protection Board (EDPB) and the European Commission have led the way in developing data Transfer Impact Assessments (TIAs). In the UK, these are often called Transfer Risk Assessments (TRAs). These assessments seek to evaluate a wide range of information to assess the risks to individuals and personal data flows. These also assess the level of compliance with the GDPR and other laws, in recipient countries or organisations. Considerations include the types of data, types of data subjects (individuals), the sectors, the purpose of the data transfer and the transfer methods proposed. The technical and organisational systems in place to secure the data transfers, the list of countries the personal data will pass through and the possibility of onward transfers to third or fourth countries are also crucial considerations. In this process, identifying sanctioned countries, organisations and individuals could be crucial to the sender’s corporate risk, insurance cover, legal compliance and liability.

Crucially, these data transfer assessments also aim to evaluate the receiving country’s human rights record, its legal system, its courts and how foreign judgments are recognised. The laws relating to third-party access to data, including by government bodies and the security and intelligence services are also reviewed.  

For a sanctioned country, organisation, sector or individual, these assessed factors will be influenced by the existence of sanctions. A country’s human rights record that led to international sanctions could make in-coming international data transfers high risk, unlawful or unfair. Both the human rights record and the specific sanctions restrictions could prove to be problematic or prohibitive. If a country’s political system requires that all data centres and internet traffic are scanned for political purposes, this could make the data transfer high-risk, needing additional technological safeguards such as data minimisation, pseudonymisation or anonymisation to reduce the data protection risks. Sanctions may also prohibit certain economic activities or sector-specific trading, and so the sharing of personal data to facilitate these activities, directly or indirectly could breach the sanction measures. Sanctions could target government or military organisations. This is the case in the sanction measures against Myanmar. Identifying true beneficial ownership is crucial. However, it is often difficult to clearly identify all government-directed, military-supported, government owned and backed organisations. The work of transferring personal data to sanctioned countries, entities or individuals is difficult and it can be a dynamic fast-moving environment.

Steps to Better Environmental, Social, Governance (ESG) and Compliance

The following steps will help businesses, organisations, governments and public sector bodies to better navigate the international personal data flows affected by sanctions regimes.

(A) Monitoring Sanctions Lists, in all relevant territories, should be a high priority. This should be done regularly, as part of business-as-usual processes. These lists should also be consulted during supplier and partner due diligence and when a key organisation, in the existing supply chain, changes its ownership, size or composition. Experts that understand the full intent, meaning and implications of sanctions on data and personal data flows should be consulted.

(B) Registers of Processing Activities (ROPAs) should be properly maintained, reviewed and updated by companies and organisations that fall within the scope of the EU’s GDPR or similar laws in the UK, Brazil, China and the UAE. A ROPA can help to answer important preliminary questions such as the level of exposure to a sanctioned country, company, organisation, sector or individual. It can also be used to highlight, at least broadly, which countries send and receive which types of personal data and the intended purposes.

(C) Contractual agreements are important governance tools when dealing with sanctions. Contracts are widely used to facilitate trade and transfer personal data around the world. These include international data transfer agreements, data protection Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various types of data processing agreements. Sanctions could make these agreements voidable, void or otherwise untenable. Parties could be forced to trigger the frustration or force majeure clauses, which could lead to contract termination and remove existing duties to perform the contract. Signing agreements that undermine or conflict with sanctions, after sanctions have been imposed, could breach criminal and civil laws. Detailed legal advice and care should be taken when parties seek to deliberately contract in ways that aim to stay within the legal limits of transferring personal data to sanctioned countries, businesses, entities and individuals.

(D) Systematic Supply Chain Reviews are important, especially detailed periodic reviews. Companies and organisations could be subject to criminal and civil liability if they take steps to evade or help other parties to avoid sanctions. Work should be done to ensure that substitute suppliers and third parties are not simply re-routing goods, services and data to sanctioned countries, businesses, organisations and individuals. Mergers and acquisition activity should be monitored as well as the unusual creation of offshore companies, holding companies, subsidiaries, branches and other formalised attempts to disguise the true beneficial owners of legal entities and assets.

(E) Anti-Money Laundering (AML) and Know Your Customer (KYC) Procedures should be upgraded. This is crucial in order to respond to the personal data risks associated with sanctioned countries, businesses, organisations and individuals. The use of cryptocurrencies, speciality blockchains, non-fungible tokens (NFTs), unexplained venture capital funds, aggressive modern art market investments, cybercrime and any involvement in the ransomware ecosystem should be fully investigated.

PrivacySolved has many years of expertise in global data protection, data privacy, international data transfers and Environmental, Social and Governance (ESG) activities, including work with key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS032022

International Data Transfers: New UK Standard Contractual Clauses

On 21 March 2022, the UK formally adopted a new UK General Data Protection Regulation (UK GDPR) Standard Contractual Clauses (SCCs) regime. After the UK’s exit from the European Union (Brexit), this represents a necessary divergence from the EU approach, because the UK became a “third country.” The UK has now declared data protection adequacy for most of the countries that shared data protection adequacy before Brexit. However, as a third country, with GDPR embedded into its laws, it needed to put in place appropriate safeguards for personal data transfers to the rest of the world. This is the main purpose of the UK’s new data protection SCCs.

Countries that have UK Data Protection Adequacy

The UK Government has granted data protection adequacy status to the twenty-seven (27) member states of the European Union (EU) and member countries of the European Economic Area (EEA), plus Gibraltar. The EU’s and EEA’s institutions, bodies, offices and agencies also have UK adequacy. The UK has also approved the countries the EU has declared adequate. These are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The UK has published plans to actively pursue data protection adequacy agreements with key foreign countries. These high priority countries are Australia, Brazil, Colombia, the Dubai International Financial Centre Free Zone in the United Arab Emirates, India, Indonesia, Kenya, the Republic of Korea (South Korea), Singapore and the United States of America.

All the countries that have been declared adequate by the UK escape the complexities of putting in place wide-ranging appropriate safeguards, including the UK’s new SCCs, to facilitate international personal data transfers. The UK GDPR SCCs will govern international personal data transfers to non-EU, non-EEA and non-adequate countries, in the rest of the world.

Understanding the new UK Standard Contractual Clauses Documents

Important Dates: The clauses become effective on 21 March 2022. By 21 September 2022, companies and organisations must start to use the new IDTA or UK Addendum for all new international personal data transfer arrangements governed by UK GDPR.  Contracts signed before this date using the old EU SCCs will continue to be valid until 21 March 2024, if the data transfers remain unchanged during this period.  By 21 March 2024, all data transfers under UK GDPR must use the new clauses. All historical UK GDPR international personal data transfers based on the old EU SCCs must be updated by that date.

The International Data Transfer Agreement (IDTA) is the UK’s new standalone SCC document. The main users will be UK-only based companies and organisations seeking to sign a stand-alone document to facilitate the data transfer. The IDTA could also be added as a self-contained schedule to another contract. It cannot be used by organisations that are seeking to cover personal data leaving both the EU and the UK. The IDTA is an alternative to the UK Addendum. The IDTA reflects the EU’s new SCCs, but not the modular approach seen in them. A wider range of parties such as Data Controllers, Data Processors and Sub-Processors can use the agreement and can list any supplementary measures that apply to the data transfer.

The UK Addendum is the UK Addendum to the EU’s SCCs for international personal data transfers. It is an alternative to the IDTA.  The main users will be companies and organisations that carry out EU to non-EU/EEA international personal data transfers and who also seek to add similar provisions for UK personal data that will be transferred outside the UK, EEA and the list of countries declared adequate both by the EU and the UK.

Transfer Risk Assessments (TRAs) must be completed when the IDTA or the UK Addendum are used, in order to assess the transfer risks and levels of compliance for the international personal data transfer. TRAs must be reviewed regularly. If the TRA indicates that the destination of the personal data transfer is not adequate, the company or organisation sending the personal data must put in place supplementary measures. It is likely that the UK Information Commissioner’s Office (ICO) will publish a UK GDPR TRA template or model for companies and organisations to use.
