| 04/03/2021 6:48
In recent months, there has been a major problem affecting International data transfer It is an understanding of how UK data protection regulations care for Brexit.
At the moment the European Commission has a draft decision agreement You can put a tick before and after on this issue. A decision in this regard is expected before the summer.
At a meeting organized by the Spanish Association of Privacy Professionals (APEP) chaired by its vice president Maria Arias Boo– Cecilia Alvarez, Facebook’s Chief Privacy Officer for Europe, the Middle East, and Africa, and Eduardo OstranAnd the Global Co-Director of Privacy and Cybersecurity Practice at the international law firm Hogan Lovells in London, they analyzed the future environment.
Cecilia Alvarez put the situation in context and why international data transfers in the UK are so important. He noted that Schrmems II is an important sentence for understanding these transmissions.
Stressed that RGPD Standard Contractual ClausesAs a tool for managing such transfers, it is used by many companies while reaching an agreement between the parties.
“Almost 75% of European companies use these items. Also in the UK, many companies were using these terms, as was the US. Meanwhile, 94% of these transfers are known to be made to the United States.
Alvarez explained that 70% of small and medium businesses use these tools to make international transfers This percentage increases when the company is larger because its international interaction is greater.
This lawyer stressed that “International remittances are important in a global environment. Now it will be essential to see how they are after Brexit.”
“We live in a global world where the data economy matters and are interconnected by various appropriate safeguards“, claimed.
How is the relationship with the UK being reoriented?
In this discussion between two experts on privacy, Eduardo OstranFrom London, he commented: “In the world we live in, it is not easy to manage data transmission. Any restrictions of this nature must be resolved.”
In his view, “Despite Brexit and whatever political motive, what will prevail in the UK is that The freedom of data movement that existed with the European Union until now..
In his view, the UK will direct its activity to continue these data transfers between the European Union and this country, the UK and the rest of the world.
However, “part of the“ Brexit ”logic is to differentiate itself from the European Union. The UK needs to see how to get the best of both worlds, in the sense of preserving free data traffic with the European Union At the same time, take advantage of the opportunity to be outside the European Union. “
Project according to the European Union
A few days ago, news broke out that the European Union had approved a draft resolution agreement at an appropriate level with regard to the United Kingdom. It is an important milestone that these experts have commented on in this discussion.
Cecilia Alvarez stressed that “there are two adequacy statements, one of which relates to the commercial data system, regarding the adaptation of English law in the RGPD. There is another statement of its adequacy with Implement regulations in English to guide “law enforcement”Another regulation leaves room for discretion other than the Environmental Protection and Development Act itself. “
In his opinion, “the two documents are important. The European Commission has made an effort to advance these documents. It is mentioned in this report that the United Kingdom was a member state. We don’t have much to teach the UK about democracy and privacy at this point. “
For his part, Ostran noted, “It has always been very clear about that. That the UK receives a suitability decision. The past year has been hectic in this regard. On an objective level, without delving into Brexit policy, from a legal point of view, the fitness criteria are clear and can be described in a detailed way, but it is about two factors.
For this expert, the first “is based on the fact that the country’s legislative framework is equivalent to European regulations. In this case it is the same. The Data Protection Act, English law, contains 400 references to RGPD“.
The second most controversial criterion concerns controls in place so that the public sector cannot access the data. This is an issue of concern to the European Commission. Democratic controls operate on a daily basis and it is good to have them so that the authorities do not exceed their mission. “
In this expert’s opinion, “the suitability decision is assured, although formal steps need to be taken.” I think that before the summer there will be a decision that will be reviewed every four years. I think he will preserve the “status quo” in this context. “
Can Plan B speak?
In the absence of such adequacy, these experts recommend some advice for companies or SMEs. Firms need Plan B in the absence of an agreement between the EU and the UK.
On this issue, Alvarez noted that “it would seem to me something incredible if sufficiency was not achieved.” We have to ask ourselves if the GDPR should change at that point. I think this point is shared by other experts and data protection authorities. “
There is another element that has emerged about the impact of “Brexit”, “one of its effects is that it will no longer be subject to the European Data Protection Committee or to other entities or the jurisprudence of CJEU.”
“This is important. By using the same rule you could have a mismatched explanation.”, careful.
Alvarez noted that the English language is practical when it comes to data protection, “They are not just about the flow of personal data but there are also other elements that need to be taken into consideration.”
He noted that the ICO, the UK’s data protection authority, unlike other authorities, has a constitutional obligation Review the economic impact of your decisions.
This jurist believes, “It is a dual right, a right to data protection as a basic right but a commercial asset. We should have a more balanced view from this perspective“.
“If you are looking for Plan B, an honest analysis, about using other tools that the RGPD has, not only as guarantees, but also as exceptions, they will not be presented in the same fashion and standards, as long as you have effective protection in mind for that right. This is what we seek with this fundamental right“.
Ostaran pointed out that “it will not in fact be necessary to have a standardized conditional contract for transportation from the European Union to the UK, although we have spent a year notifying clients that customers have that plan B”.
In the opinion of this expert, “I think we have to go back to Plan A,” The methods of legalizing and being able to make these transfers are the same. The difference will emerge over the years“.
He noted that the UK, in theory, was no longer subject to the CJEU jurisprudence, and in theory, the Schrems II decision should not be applied. The realistic thing is that it applies for a period of time. ”.
“That way if you have a company in the UK and want to transfer the data to another inappropriate jurisdiction, you have to do what you do in any other European country.”
For Ustarán, the difference is that the ICO will apply the practical standard when interpreting the protection mechanisms that could be put into place, Either contractual mechanisms, binding rules, or those available, So that these data transfers are possible. “
For this juror, it was less successful in the Schrems case when some data protection authorities indicated that the data could not leave Europe. This is not true and the court did not say that. “
The law states that the data is protected and not kept in Europe. Hopefully practical vision will prevail in the UKHe made it clear that the UK would evolve towards this scenario.
In this debate, the UK regulator is said to be the advocate of binding corporate rules that have a lot of development and could be another way to manage international data transfers.
Ustaran commented:The United Kingdom has been a pioneer in adopting and developing these types of standards.. The fact that this tool is recognized by the RGPD is a great achievement in itself. “
Now we have to see how these rules work in the post-Brexit era. “I think the UK and the ICO They will have to take a practical stand So that the adoption of this type of mechanism does not diminish and develop, but rather grows. “
For this expert, “It’s a way to protect data from a global point of view, and that’s what it is all about.”
In his opinion, the rules have evolved in Europe and the process for their adoption has been simplified, ”The ICO will likely find a way to trust the companies that make this strategic data protection decision“.
In his view, he believes “data protection agencies like the ICO should do just that Support and trust this tool. And I think the United Kingdom will go in that direction in this way. “
For Alvarez, “The UK has gained flexibility in using this tool. It’s about helping companies get a one-on-one with all data protection authorities“, pointed out.
“With Brexit, this is gone, and the agility will be greater. Now they will be able to agree to it more quickly because they don’t have to agree with anyone,” he said.