On 13 April 2021 the EDPB adopted a statement regarding the exchange of personal data between public authorities under existing international agreements. While the statement is not binding on UK public authorities, it provides guidance on how to comply with GDPR, which has been retained as part of domestic law as the UK GDPR.
The statement says that the EDPB and national supervisory authorities have been receiving questions about the exchange of personal data between public authorities under existing international agreements. It notes that all international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States prior to 24 May 2016 (under the GDPR) or 6 May 2016 (under the Law Enforcement Directive (LED)), and which comply with EU law as applicable prior to that date, remain in force until amended, replaced or revoked. The EDPB states that consideration should be given to bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case.
The statement invites the Member States to assess and review agreements that involve international transfers of personal data that were concluded before the above dates.
According to the statement, the review should identify whether further alignment might be needed with:
If you would like our support in reviewing your international data sharing agreements in accordance with the EDPB statement, please contact JP Buckley.
The statement says that the EDPB and national supervisory authorities have been receiving questions about the exchange of personal data between public authorities under existing international agreements. It notes that all international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States prior to 24 May 2016 (under the GDPR) or 6 May 2016 (under the Law Enforcement Directive (LED)), and which comply with EU law as applicable prior to that date, remain in force until amended, replaced or revoked. The EDPB states that consideration should be given to bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case.
The statement invites the Member States to assess and review agreements that involve international transfers of personal data that were concluded before the above dates.
According to the statement, the review should identify whether further alignment might be needed with:
- current EU legislation;
- case law (in particular the Schrems II decision, which invalidated the EU-US Privacy Shield and stated that additional safeguards are needed in order to rely on standard contractual clauses as a basis for international transfers); and
- EDPB guidance, in particular Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies. Article 46 of the GDPR provides for additional appropriate safeguards as tools for transfers between public bodies:
- a legally binding and enforceable instrument (Article 46(2)(a)); or
- provisions to be inserted into administrative arrangements (Article 46(3)(b)).
Guidelines 2/2020 set out recommendations to help ensure that these instruments or arrangements comply with the GDPR. Despite the UK having left the EU, the GDPR and the Schrems II decision form part of UK law, and the UK Information Commissioner's Office has stated that EDPB guidance is still relevant.
If you would like our support in reviewing your international data sharing agreements in accordance with the EDPB statement, please contact JP Buckley.
