This Week in Privacy: 18 January 2021
January 18, 2021
CJEU's AG opinion addresses data protection authorities' competence over cross-border data processing
The Court of Justice of the European Union's Advocate General published its opinion in a case concerning the competencies of EU data protection authorities under the GDPR. The Advocate General noted that a reading of the GDPR highlighted that, vis-à-vis cross-border processing, the competence of the lead supervisory authority is the rule, and the competence of other supervisory authorities is the exception. In this regard, the Advocate General explained that where national DPAs do not act as the lead authority, they can nonetheless bring proceedings before the courts of their respective Member State in cases of cross-border processing in certain situations outlined in the opinion.
EDPB and EDPS adopt joint opinions on Commission's draft SCCs
The European Data Protection Board and the European Data Protection Supervisor adopted joint opinions on the European Commission's draft Standard Contractual Clauses. In particular, several amendments were requested in order to bring more clarity to the texts. The EDPB and EDPS also suggested that the Annexes to the SCCs clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity as any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle. In addition, the EDPB and EDPS highlighted that provisions regarding the scope of the SCCs, third-party beneficiary rights, obligations regarding onward transfers, aspects of the assessment of third country laws regarding access to public data by public authorities, and the notification to the supervisory authority, could be improved.
EDPB updates statement and information note on Brexit
The EDPB also released updated documents with respect to the end of the Brexit transition period. The EDPB clarified that the EU-UK Trade and Cooperation Agreement, which provisionally came into force on 1 January 2021, and which is pending ratification by the European Parliament and the Council of the European Union, provides that, for a maximum period of six months from its entry into force and upon the condition that the UK's current data protection regime stays in place, all data flows of personal data between stakeholders subject to the GDPR and UK organisations will not be considered as transfers to a third country. In addition, the updated information note on data transfers recalls that if no adequacy decision is adopted by 30 June at the latest, such transfers will then constitute transfers to a third country.