This Week in Privacy: 7 June 2021
June 07, 2021
EU: Commission adopts new SCCs for exchanges of personal data
Following much anticipation, the European Commission announced that it had adopted a finalised version of Standard Contractual Clauses for the transfer of personal data to third countries as well as SCCs for use between controllers and processors under Article 28 of the GDPR.
The finalized Third Country SCCs aim to take into account the CJEU's decision in Schrems II, as well as feedback received from the European Data Protection Board and European Data Protection Supervisor.
The Third Country SCCs adopt a modular approach to reflect the realities of modern data transfers and include detailed requirements around purpose limitation, transparency, accuracy, security, and the assessment of local laws and practices of the third country to which data is being transferred.
For controllers and processors that are currently using previous sets of standard contractual clauses, a transition period of 18 months is provided.
The Article 28 SCCs address the obligations of the controllers and processors around documented instructions to be provided by the controller to the processor in relation to the processing activities; security of processing, the use of sub-processors, international data transfers and other matters.
OneTrust DataGuidance is hosting a webinar with Sidley Austin and a cross-industry panel to provide analysis of the development today, Monday 7 June. You can register for the webinar here.
Read our Key Resources page here.
Germany: State commissioners release statements on coordinated examination of cross-border data transfers
Data protection authorities in Germany announced plans for a country-wide examination of international cross-border data transfers to third countries, in light of Schrems II.
The authorities highlighted that participating authorities will provide a questionnaire to companies that will address web tracking, emails, website hosting, and internal data-sharing practices.
The authorities further noted that the CJEU has expressly obliged supervisory authorities to prevent inadmissible data transfers and to respond with regulatory action where necessary.
Read more here.
UK: ICO launches consultation on draft anonymisation, pseudonymisation, and privacy enhancing technologies guidance
The Information Commissioner's Office launched a consultation on the first draft chapter of its anonymisation, pseudonymisation, and privacy enhancing draft guidance.
The draft chapter explores the legal, policy, and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law. In addition, the ICO noted that it will continue to publish draft chapters for its anonymisation guidance, as part of its plans to build on the data sharing code.
Feedback may be submitted until 28 November 2021.
Read more here.