Included in this edition of Data & Privacy News: ICO publishes list of UK BCR holders, EDPB establishes cookie banner taskforce and more

EDPB adopts opinion on the European Commission’s draft adequacy decision for South Korea

The European Data Protection Board (EDPB) has adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB focused on: general GDPR aspects; access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea; and whether the safeguards provided under the Korean legal framework are deemed effective enough.

Overall, the EDPB welcomed the European Commission and Korean Authorities' efforts to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR. The EDPB has concluded that there are key areas of alignment between the EU and South Korea's data protection frameworks including with regard to: data protection concepts; grounds for lawful processing for legitimate purposes; purpose limitation; data retention, security and confidentiality; and transparency.

In adopting the decision, the EDPB has also sought further clarity from the European Commission on the substantive and/or procedural requirements, such as a burden of proof, to which a complaint with the Korean Personal Information Protection Commission or any action before a court is subject.

ICO publishes list of UK BCR holders

The Information Commissioner's Office (ICO) has updated its page on Binding Corporate Rules (BCRs) to include a list of organisations that were automatically entitled to approval of their BCRs in the UK under paragraph 9, Part 3, Schedule 21 to the DPA 2018. BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity, such as franchises, joint ventures or professional partnerships, and allow for intra-organizational transfers of personal data across borders while maintaining compliance with Data Protection Laws.

BCRs were developed as part of European Data Protection Law and authorised data transfers under Article 26(2) of Directive 95/46/EC. However, following the UK's departure from the EU, holders of EU BCRs for which the Information Commissioner issued an authorisation under Directive 95/46/EC were automatically eligible for approval of their BCRs in the UK. The organisations listed on the ICO website have been able to rely on their UK BCRs as a valid transfer tool since 1 January 2021, subject to:

  • producing a UK version of their BCRs by 1 January 2021 incorporating the changes described in that paragraph; and
  • providing a UK version of their BCRs together with other amended documentation to the ICO on or before the next annual update return date.

EDPB establishes cookie banner taskforce

The European Data Protection Board (EDPB) has announced the establishment of a taskforce to coordinate the response to issues raised with regard to cookie banners. The issues were identified by digital rights campaigner NOYB who, in May 2021, sent over 500 draft complaints to companies who were deemed to use unlawful cookie banners. NOYB then followed this up in August 2021 by sending 422 formal GDPR complaints to 10 European data protection authorities.

The taskforce has been established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the supervisory authorities (SAs). In particular, the taskforce will:

  • exchange views on legal analysis and possible infringements;
  • provide support to activities on the national level; and
  • streamline communication.

ICO and G7 blog post on international and domestic data flows

The UK Information Commissioner Elizabeth Denham has published a blog post summarising the discussions held at recent G20 and G7 meetings with regard to the free flow of data between countries. The G7 discussion on this topic was convened by Ms Denham as part of the digital and technology track that forms part of the UK’s presidency of G7 this year, and primarily focused on international collaboration for practical benefit, considering how the Information Commissioner's Office (ICO) and its international counterparts can ensure the free flow of data while maintaining public trust.

The meeting focused on where the authorities could commit to making progress that would have a positive impact domestically, both for organisations and individuals. The discussions covered seven topics including the specific uses of data (such as AI and cookies); how privacy overlaps with competition and national security; and regulatory aspects (including enforcement, deterrents and the impact of the pandemic).

The G7 data protection and privacy authorities have committed to finding better ways to secure information and ensure meaningful consent, and are working together with tech firms, standards bodies, designers, civil society and users, to ensure this. A full summary of all the topics discussed is available in the communique.

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

Helena Brown

Partner, Commercial
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial Services and Data Protection
