It has been a busy start to the year in the world of data protection. First, there were two noteworthy decisions by the European authorities on transfers of EEA personal data to the US, followed recently by the ICO's presentation of its proposed International Data Transfer Addendum. So, where does this leave us?
Duty to watch over the safety of European users’ data
A year ago (January 2021), the Austrian-based data protection group None of Your Business (NOYB), founded by Max Schrems, brought complaints against the European Parliament in relation to its internal coronavirus testing website. The complaints related to the transfers of data to the US as well as to misleading cookie banners and unclear data protection notices.
The European Data Protection Supervisor (EDPS) – an independent supervisory authority whose primary objective is to monitor data protection compliance by the official European institutions and bodies – investigated. In January 2022, it reprimanded the European Parliament for violating the GDPR as it applies to EU institutions under a special regulation applicable to those institutions only (Regulation (EU) 2018/1725).
Even the placement of cookies by a US provider may be considered a violation of EU and UK privacy laws. The EDPS commented that no proper protections against US surveillance had been put in place, which was considered particularly serious given that European politicians have been targets for surveillance. Arguably, this may be less serious if the data subjects are not European politicians or other public figures.
The Austrian Google analytics case
The recent Austrian court ruling is another example of how the transfer of personal data to the US for electronic storage or services is a restricted transfer that may only be made if adequate security is in place to prevent third-party access. As the US authorities have an overriding right to surveillance of e-communications in the US, it is very difficult to see how their access to electronic communications can be limited or excluded, and as such these transfers are likely to be in breach of the GDPR.
Considering the EDPS action against the EU parliament, the clear message from the EU is to review cookie use (although we are post-Brexit, UK GDPR follows EU GDPR).
Introduction of the IDTA before parliament by the ICO
The Information Commissioner’s Office (ICO) recently put the draft International Data Transfer Agreement (IDTA) before parliament, after a long period of consultation, intending it to come into force on 21 March 2022.
The proposed document follows the existing UK GDPR and the GDPR processes, and appears to indicate the intention of the UK to continue to follow the EU lead on personal data protection and stay close to the GDPR, rather than break away and create new laws post-Brexit.
The draft IDTA will be relevant for transfers – or ‘restricted transfers’ – of personal data to third countries (including the US) under the GDPR. The IDTA may replace the EU SCCs in relation to UK personal data transfers to third countries, but it also includes a ‘UK addendum’ format of the IDTA, to be appended to the ‘new’ EU SCCs (of 4 June 2021) or to other data protection transfer documents in place in other territories. This is, presumably, to simplify the transfer of UK personal data alongside EEA personal data (the two data sets currently require entirely separate documentation).
For the time being, however, the IDTA is a draft and not yet in force.