Draft UK Adequacy decisions, Vietnam’s Draft Decree and, Russia’s Amendments to the Federal Law on Personal Data – Legal Monitoring Letter #4

/ Draft adequacy decisions for transfers of personal data to the UK [1]

On 19 February 2021, the European Commission (“EC”) has published two draft adequacy decisions for the transfer of personal data from EU to the UK, one under the General Data Protection Act (“GDPR”) and the other for the Law Enforcement Directive (“LED”).

The EC concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the GDPR and under the LED.

Background:

On 24 December 2020, the EU and UK reached a Trade and Cooperation Agreement which came into effect on 1 January 2021. According to the Agreement personal data can be transferred freely between the EU/ EEA and UK without the need for parties to implement additional safeguards (e.g., Standard Contractual Clauses) for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier).

If an adequacy decision is not adopted before the end of the abovementioned period, data transfers from the EU/ EEA to the UK will require additional safeguards.

[1]https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661

What is an adequacy decision?  [1]

The EC could determine whether a country outside the EU offers an adequate level of data protection. The adoption of an adequacy decision involves:

• a proposal from the EC
• an opinion of the European Data Protection Board
• an approval from representatives of EU countries
• the adoption of the decision by the EC

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein, and Iceland) to that third country without any further safeguard (such as Standard Contractual Clauses) being necessary.

Next steps:

The publication of the draft decisions is the beginning of a process towards their adoption.

The next steps are obtaining an opinion of the European Data Protection Board (“EDPB”) and an approval from representatives of EU countries. After that, the EC could adopt the final adequacy decisions for the UK.

If the draft decisions are adopted, they would be valid for a first period of four years after which it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.

[1]https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Outcome:

If the draft decisions are adopted, they will allow the continued transfer of personal data from the EU to the UK without the need for additional safeguard.

The UK has already decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU.

/ EDPB Opinions on draft UK adequacy decisions [1] , ^[2]

On the 13 April 2021, the European Data Protection Board (“EDPB”) adopted two opinions:

• the Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 („GDPR”) on the adequate protection of personal data in the UK.

• Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the UK. The EDPB recognizes that the UK has mirrored, for the most part, the GDPR/ LED in its data protection framework. The authority notes that there is a strong alignment between the GDPR framework and the UK legal framework on certain core provisions such as, for example, concepts (e.g., “personal data”; “processing of personal data”; “data controller”); grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security, and confidentiality; transparency; special categories of data; direct marketing; automated decision making and profiling.

The EDPB welcomes the fact that the UK has established the Investigatory Powers Tribunal and positively notes the introduction of “Judicial Commissioners” in the Investigatory Powers Act 2016.

However, the EDPB considers that there are several items that should be further assessed and closely monitored by the EC among which are:

• the evolution of the UK legal system on data protection.
• the “immigration exemption” (laid down under Schedule 2 to the Data Protection Act 2018, Part 1, paragraph 4) – the EDPB considers that it is “broadly” formulated and calls on the EC to provide further information in relation to the necessity and proportionality of such broad exemption in UK law.

• the onward transfers – the EDPB has identified certain aspects of the UK legal framework with regard to onward transfers that might undermine the level of protection of personal data transferred from the EEA.

• the access by UK public authorities for national security purposes to personal data transferred to the UK

• the EDPB notes the following points that need further clarifications and/or monitoring: bulk interceptions, independent assessment, and oversight of the use of automated processing tools and safeguards provided under UK law regarding overseas disclosure.

/ New Draft Decree on Personal Data Protection, Vietnam

On 9 February 2021, the Ministry of Public Security of Vietnam released the Draft Decree on Personal Data Protection (the “Draft Decree”). It was open for public consultation until 9 April 2021 and is expected to come into effect in December 2021.

Key takeaways:

–             Two types of personal data:

• basic personal data;
• sensitive personal data.

–             Establishment of Personal Data Protection Committee.

–             Registration with the Personal Data Protection Committee for:

• the processing of sensitive personal data (prior to the data processing);
• cross-border transfer of personal data of citizens of Vietnam (prior to the data transfer).

–             The data subjects have the following rights:

• consent or disagree with the processing of their personal data;
• be informed of the personal data processing at the time of processing or as soon as possible;

• request from the personal data processors to correct, show, provide a copy of their personal data;
• request from the personal data processors to terminate the processing of their personal data, limit the access to their personal data, terminate the disclosure or access to their personal data, delete or close their personal data;
• complain to the Personal Data Protection Committee in case of data violation;
• claim damages from a data breach.

–             The consent of the data subjects shall be obtained prior to processing. It shall be voluntarily given, and the data subject shall be informed regarding the following:

• the type of personal data;
• the purpose of the processing;
• the entities to process and share personal data;
• the conditions for transferring or sharing personal data to third parties;
• the data subjects’ rights.

–             In case of cross-border transfer of personal data of citizens of Vietnam the following requirements must be followed:

• the data subjects’ consent to the transfer must be obtained;
• the original personal data must be stored in Vietnam;
• the country/ territory to which the data is transferred must have a regulation on personal data protection at the same or higher level than those in Vietnam;
• a written approval by the Personal Data Protection Committee must be obtained.

/Amendments to Russia’s Federal Law on Personal Data

On 1 March 2021, came into effect the Russia’s Federal Law of 30 December 2020 No. 519-FZ on Amendments to the Federal Law on Personal Data (the “Amendments”).

With the Amendments are removed from the Law the concept of “personal data made publicly available by the data subject” and an article that previously allowed such data to be processed by a data operator without the data subject’s consent.

 It is introduced a new concept of “personal data permitted by the data subject for dissemination”, which is defined as personal data, access to which is granted to the public by the data subject giving their consent to the processing of this data.

The consent shall be drawn up separately from other consents of the data subject to the processing of his/ her personal data. It could be provided to the data operator directly or using the information system of the Russia’s Data Protection Authority. Silence or inaction of the data subject shall not be considered as a consent.

The data operator is obliged to provide the data subjects with the opportunity to determine which data (data categories) they consent to be disseminated.

The data operator is obliged to provide the data subjects with the opportunity to determine which data (data categories) they consent to be disseminated.

Within the consent, the data subject must be able to prohibit the transfer of data (except for providing access to data) from the operator to an unlimited number of persons, and to prohibit the processing or to establish data processing conditions by this unlimited number of persons (except for such persons obtaining access to the data).

The operator cannot refuse to comply with these demands from the data subject and is obliged, no later than three working days from the date of receipt of the consent of the data subject, to publish information regarding the processing conditions and the existence of prohibitions established by the data subject.

Transfer (dissemination, making available, providing access) of personal data permitted by the data subject for dissemination shall be stopped at any time at the request of the data subject. The data subject has the right to request to any of the third parties processing their data, to whom he/she initially provided authorization for dissemination, to stop transfers (dissemination, provision, access) of his/her personal data, in case of non-compliance with the provisions of Article 10¹ or to address such a request to a court of law.