Unlocking the Potential of eSignature Lawfulness for Business Partnership Agreements in European Union

How to eSign a document: eSignature lawfulness for Business partnership agreement in European Union

okay i welcome everyone to this sales lunchtime seminar for those who don't know me i'm david erdos and i uh teach and research data protection uh in the faculty particularly eu and uk data protection and therefore it's my very great pleasure to uh welcome elena dews who has an incredible experience with gdpr with negotiating it with advising the government on brexit which is a a big topic across uh the faculty and and across society still and she's now in at field fisher and is advising businesses and others on particularly data protection and the uk eu data relationship which is a a really topical issue and a really important issue so um eleanor is going to talk for about 40 minutes and then there'll be the opportunity for questions uh uh to put to eleanor you're very uh welcome to put those questions as the presentation goes on um i don't tend to to i mean not generally won't name check everyone but if you particularly want to be anonymous i think there's you can note that or i think there's a button to to say that um so the talk is going to be particularly on the trade and cooperation agreements so absolutely topical and particularly on the free flow of data globally including outside the uk and eu's borders so without any further ado i will now pass over to eleanor thank you very much indeed david for that introduction it's wonderful to be here um and good afternoon to all of you um so the eu and uh uk trading cooperation agreement and the free flow of personal data is it a solid foundation for data flows um so i'm going to take you through uh the structure of this talk first um so it's got three parts to it first of all i'm going to give a bit of context so i'm going to look at the eu in particular a little bit as well at the uk data protection regimes and how the free flow of data to third countries is affected under those relevant instruments and i'm going to look at data adequacy which is the mechanism that allows for the free flow of data from those jurisdictions to third countries next i'm going to analyze the trade and corporation agreement and in particular the provisions that relate to free flow of data and data adequacy and look at how that interacts with the eu regime in particular and then finally i'm going to come on to look at the uk's future policy on data protection and the free flow of data and that's really central really to to this post-transition period um era if i can put it that way the where the uk is wanting to strike trade deals with third countries but also to enable the free flow of data to those countries to really um encourage economic growth and trade between the uk and and these and these international partners and there's going to have to be a delicate balance struck here really between keeping data adequacy eu data adequacy and allowing that free flow of data from the eu to the uk on the one hand but also conferring uk data adequacy on those third countries in order to enable that trade to take place so those are the three components as it were of this seminar so moving on then to the first section looking at the context and the eu and the uk data protection regimes in the eu we have the general data protection regulation or gdpr and i'm also going to touch on the led the law enforcement directive as well so those two instruments regulate the general data protection uh regulates um the processing of personal data generally and the law enforcement directive um relates to the processing of personal data in the context of criminal offences and police cooperation that sort of thing but i'm going to focus as i say on the general data protection regulation so the form of the measure the g of the gdpr is interesting prior to 2018 the processing of personal data was regulated via a directive in the eu and so all of the member states had their own national laws and there was a sense when the eu looked again this this policy area that there was fragmentation um there was uh a a difficulty really in in enabling the flow of data um in order for example to to allow the single market to function properly and that regulation would actually create better harmonization of standards so that's that's what we have now a regulation rather than a directive so the same legislation the same measure applying right across the eu to regulate the processing of personal data the legal basis for the gdpr is a new one under the lisbon treaty article 16 of the treaty on the functioning of the european union and it's interesting i think to look at the drafting of article 16 and the drafting of article a to the chart of fundamental rights which is the protection the right to the protection of personal data and there are really quite striking similarities in the way that um the charter and article 16 express this protection of the right um to personal data so those are the foundations really of the gdpr that that charter writes and article 16 the tfeu the other thing to note about the gdpr is that it has extra territorial scope so if you're processing personal data perhaps you're monitoring data subjects in the eu but your businesses outside the eu you will still be subject to those eu rules in the gdpr so the gdpr has potentially global reach i just want to touch on what's happened in terms of the way in which data personal data is regulated the processing personal data is regulated in the uk after the end of the transition period after the end of last year so the uk essentially turned the gdpr into domestic law through the european union withdrawal act 2018 so the gdpr became the united kingdom general data protection uk gdpr so in many ways it is exactly the same as the gdpr has the same language and the processing of personal data and in particular the free flow of personal data the transfer of personal data outside the uk and the eu those provisions look um essentially the same at the moment but there are some differences which i think are interesting so um the european union withdrawal act 2018 didn't save the charter of um fundamental rights that's no longer applicable in the uk so we've got the basis for the protection of personal data in the eu being founded essentially in the chart of fundamental rights articles charter fundamental rights that instrument no longer applies um in the uk and i think it's going to be interesting to see whether that makes some difference in in terms of how we approach um this this fundamental right um in the uk as compared within the eu so that's a bit of context on the instruments themselves and i want to look in a little bit more detail at how the free flow of data from the eu in particular because i said the provisions are essentially the same in the uk as well but the free flow of data from the eu how is that done under the gepr and chapter five is the relevant chapter and the three main ways that you transfer data out of the eu in ance with the gdpr so the first is adequacy decisions um so i mentioned adequacy at the start of this talk this is a really important mechanism that allows for the free flow of data without businesses having to really do anything else if you have an adequacy decision and that requires the european commission to look at the data protection regime in the third country to which the data is being sent as well as its adherence to the rule of law its international obligations these are all looked at in detail by the european commission and if the commission decides that the country in question has an essentially equivalent standard of protection to the standard of protection in the eu then an adequacy decision is conferred there are very few adequacy decisions actually that the eu has conferred only 12 at the moment some are on countries like uruguay argentina japan others are on certain territories within a country or potentially a particular sector say for example with canada there's an adequacy decision which applies to commercial entities in canada but only 12 adequacy decisions next standard contractual clauses so these are signed by the data exporter in the eu and the data importer in the third country these are the most usual way to transfer data out of the eu so these mother clauses are used and they're signed by both parties and again the standard of protection that is required for sending data using standard contractual clauses is the same as for adequacy this essentially equivalent test and i'm going to look in a bit more detail about how all of that works in practice and as i advise on this a lot and there are real difficulties i think um for businesses in complying with these standard contracts contractual causes although they are the most usual way to transfer data and finally derogations so if you've got a sort of one-off um situation where you're just sending data for a particular purpose so if someone's booking a holiday abroad or something like that a derogation can apply but really they're not used very much so standard contractual clause is the main way um to enable data to leave the eu in ance with the gdpr so looking at these methods in a little bit more detail so the commission as i said assesses the level of protection in the third country looking at a number of factors which has set out in the gdpr and the test they're applying is do all of these elements taken together mean that the protection of personal data in this third country will be essentially equivalent to that in the eu so the sort of matters that the commission will take into account um they're set out in article 45 gdpr i haven't done a comprehensive list but this is just to give you a sense here um so the third country's laws and rules governing data protection um the relevant legislation um concerning public security defense um national security and criminal law respects the rule of law more generally and fundamental rights access to personal data by public authorities that's really worth highlighting because this is where adequacy decisions in the past have come unstuck and been invalidated so this is an area of of real difficulty the rules for onward transfer personal data so if you've got free flow of data to the third country but then the onward transfer isn't sufficiently protected that would be problematic so the rules for onward transfer from that third country to another country are very important in terms of making sure that protection is essentially adequate essentially equivalent sorry to that in the eu and finally the international commitments that the third country has entered into so that gives you a sense of what the commission's looking at when it's making these um adequacy decisions um there are also further criteria which were introduced by the commission in 2017 looking at which countries it wanted to engage with relating to adequacy so these are much more to do with trade and and much more of an emphasis on that so the extent of the commercial relationships the third country whether there's a free trade agreement being negotiated the extent of the data flows to the third country um the role third country plays in in the field of um privacy and data protection and finally this overall political relationship with third country in question so that's really looking at who is going to be um whose system is going to be legal system is going to be analyzed in relation to um data protection and with a view to adequacy and as i say very few adequacy decisions actually um in place at the moment um in terms of eu to uk data flows um it's just worth mentioning that in february of this year the commission published two draft decisions one in relation to adequacy under the general data protection regulation gdpr the other under the law enforcement directive so these decisions confirmed that the uk was adequate in terms of its protection of personal data unsurprising i think had the commission decided that the uk didn't have an adequate level of protection for personal data as a departing member state that would have been extremely problematic because if a departing member state isn't adequate what other territory or country could be adequate really so i think there was some speculation is the uk going to receive adequacy i think it was expected otherwise really the bar would have been set impossibly high for adequacy um but the uk's adequacy decision interestingly is time limited so it's going to last for four years only um it's going to be closely monitored um by the commission but also i think generally there's going to be an awful lot of interest in it and in what the uk is going to be doing in terms of its data protection policy and whether that means that the protection of personal data in the uk is moving away from that essentially equivalent standard of protection so i'll come on to talk about that in a little while but i think and there's going to be a lot of interest in the uk's adequacy decision um adequacy is really problematic um and the reason for that is that twice now um adequacy decisions in favor of u.s companies this was a sector specific um adequacy decision um have both twice um the court of justice the european union has invalidated adequacy decisions relating to the us um both cases uh brought involving um mr mack schrems who's a privacy activist uh and the first uh involved the safe harbor decision say an adequacy decision um uh which as i say related to u.s companies so enabling the free flow of data from eu entities to those u.s companies the sticking point i don't want to go into too much detail on the cases but it really essentially was that point about the access by public authorities to eu data once it was in the u.s and we had a similar um uh outcome last summer in shrems to where privacy shield which was the successor instrument adequacy decision successor adequacy decision to safe harbor was also invalidated by the court of justice the european union and i think it's fair to say that um i think particularly safe harbor when it was invalidated um it was extremely difficult for businesses it took about nine months to do a re-papering exercise um when adequacy was lost to put in place standard contractual clauses so there's that that's that second mechanism for the transfer of data um so really i think there was a sense that businesses um were left sort of having to pick up the pieces when adequacy um was lost and that's obviously happened again uh last summer with privacy shield so there is a sense i think that adequacy although it's um in some ways the preferable transfer mechanism because you don't have to do anything further in order to transfer the data you just rely on the adequacy decision the difficulty is that it does seem to be unstable i want to talk about the shrems ii case as well in relation to the standard contractual clauses because as i say that that's the second transfer mechanism that was the one that people turned to when safe harbor and privacy shields were invalidated that is a valid transfer mechanism but it has become extremely um problematic and in shrems to the court of justice looked at standard contractual clauses and said that essentially the way in which we thought they worked wasn't the way they worked because before you would have the standard contractual clauses the exporter would sign an importer would sign they would go into um into someone's desk quite frankly and no one would really think about that about them anymore but um that's that has all gotten that way of simply signing the clauses and and and thinking right we can transfer the data from the eu to a third country no longer applies um so now what we have um is a much more detailed and onerous process that has to be gone through so firstly um a business that wants to rely on standard contractual clauses to send data from the eu to a third country has to look in detail at standard contractual clauses can we really comply with all the requirements here and so just signing them isn't nearly good enough a detailed um look has to be undertaken and next the court of justice in the tremendous uk said you also have to look at all of the factors that the european commission looks at when it confers adequacy on a third country or territory or sector and so all of these um factors which i've set up here will be relevant so the business itself has to look at the third country's data protection laws it has to look at its national security legislation its respect for the rule of law its international commitments and that is really setting the bar so high that for most companies that is just not realistic to actually be able to do a meaningful assessment of the third country's um rule of law in order to decide whether it's adequate um so uh i think there was a sense that perhaps that one could just assume third country wasn't adequate and move on to look at other measures and which is that third element um but no the european data protection board which is the um group of eu regulators that meets and and sets out guidance for companies to follow says no you have to actually do this mini adequacy assessment so a huge amount of resource um is now having to be devoted to this um and i think i've put on the slide a system in crisis question mark um because really uh this there is a very strong sense that this is a completely unrealistic requirement on companies if your country your third country doesn't meet the essentially equivalent test it's not adequate which for the most part i think will be the case then you have to adopt other measures to protect the data so it reaches that um essentially equivalent standard of protection when you're sending the data um as as as you have with this adequacy process so you look at technical contractual organizational measures which might provide those essentially equivalent protections and i just want to mention how these work because again these are extremely difficult to comply with so the european data protection board and its draft guidance although we we think probably that the final guidance is going to look quite similar um the european data protection board has looked at three different uh technical methods amongst others um and i just want to show you how difficult these are because um encryption pseudonymization where you take out the identifiers and keep them separately in order to enable the data to be sent and without those identifiers um in in place um which is a way of of protecting the data or split processing where you send the data to different entities outside the eu who can't then put the data back together those are three methods of protecting the data which are suggested in the european data protection board's guidance but which are really really difficult to comply with say for encryption the cryptographic keys have to stay in the eu or in an adequate third country says the european data protection board that's unrealistic because in the life cycle of most data it has to be decrypted at some point in the third country otherwise it rather defeats the purpose of sending it in the first place so for many clients encryption isn't the answer particularly if the cryptographic keys have to remain in the eu um pseudonymization um is also problematic because you have to take out the identifiers before the transfer takes place leave them in the eu or in a third country and um the exporter is the only one who should be able to re-identify um and also analysis has to be undertaken as to whether um a public authority in the recipient country could work out whose data is being processed and again in most cases the uh the life cycle of the data does require those identifiers to be put back in at some stage um in order for the transfer to make sense in the first place so that that technical measure again is really problematic and the split processing as well is problematic because you have these um two separate importers who who can't put the data back together but again for most practical data protection or data transfers you really do need at some point to have those identifiers in place so that just shows how difficult data transfers and the free flow of data from the eu are at the moment for most businesses um and now i'm going to look at the trade and cooperation agreements and how that deals with the free flow of data and cross-border data transfers um the first element to mention which i'm just going to touch on briefly is that the training corporation agreement contained an adequacy bridge um what what that did essentially was to say that the uk was adequate for transfers until such point as the adequacy decisions which was currently still in draft were put in place so that lasts for up to six months from at the end of last year um i think as i say that there's no real uh question mark in my mind that the uk is going to receive those adequacy decisions and they'll be finalized shortly but the reason for the adequacy bridge was simply that negotiators ran out of time the other thing now i want to focus on is the provisions in the trading corporation agreement which are in many ways exceptional they're exceptional because they are at odds with the eu's normal position on the data protection provisions in in trade agreements um they give i think uh a greater stability to uk adequacy as compared with other adequacy decisions which don't have these sorts of provisions which really assist i think in providing political solutions um should there be difficulty or challenge um or the potential for a uk adequacy decision to be invalidated um so i think that's that's um remarkable and and worth thinking about and looking at in more detail i think that they create tension um between the gdpr and and the provisions in the trading corporation agreement and potentially tension as well between the eu institutions and the partnership council which oversees the trade and cooperation agreement so to start with the standard position on um free trade agreements and the uk sorry the eu's position um in relation to those and the provisions it normally um has in place uh for uh for trade agreements um so prior to 2018 um there were no provisions on cross-border data flows um in in eu trade agreements and the reason for that um is that the eu sees uh the protection person's data as a fundamental right and the view was we don't negotiate on fundamental rights so we don't put in um provisions relating to fundamental rights in trade agreements because they're not up for discussion essentially and that position changed somewhat in 2018 so there were some new standard provisions um which allow or support the free flow of information whilst safeguarding fundamental rights safeguarding the privacy of citizens so the two core components of these new standard provisions are firstly and that they prohibited or prohibit specific types of restrictions on cross border data flows they don't have a broad commitment to allow cross-border data plays but they do prohibit specific types of restrictions and the second core component is that they carve privacy measures completely out of the scape of the agreement and that reflects that policy position that we don't negotiate on on data protection and our data protection regime shouldn't be subject to any other um provisions in free trade agreements so just to summarize uh what these standard provisions do so they promote cross-border data flows um because but they also ensure that the eu unconditionally preserves its autonomy to regulate in the area of data privacy and essentially protect the gdpr so it's immune from challenge what's really interesting in the trading cooperation agreement is that only part of that standard drafting has actually ended up in the treaty so we've got the standard wording on cross-border data flows so cross-border data flows um shouldn't be restricted on a number of different grounds so one example here is uh shan't be restricted between the parties by a party requiring the localization of data and in the parties territory for storage um so that provision is unremarkable and standard but the next provision um which i wanted to highlight really is quite remarkable because um contrary to the usual standard wording from 2018 uh which sets out that data protection is a fundamental right that reference isn't there in the trading corporation agreement and secondly this extract here which carves out um the eu's data protection framework from the trading corporation agreement has also not found its way into the drafting in in the trading cooperation agreement so this protection for the eu regime that each party may adopt to maintain safeguards it deems appropriate to ensure protection of personal data and the adoption and application of rules for the cross border transfer personal data that carve out isn't present and commentators have said that the absence of that carve out means that the eu is going to have to pass some strict trade tests in order to justify its measures so that protection of these gdpr provisions isn't there so that really is interesting and i think creates something of a tension between the gdpr then and the tca the training corporation agreement provisions um on the protection of personal data and the free flow of data the next tension i think is really fascinating as well so i mentioned earlier about the partnership council which oversees the trade and cooperation agreement um and and how it's how it's conducted if i can put it that way how the relationship is between the parties in the context of that agreement um so this provision here allows the partnership council to make recommendations to the parties regarding the transfer of data covered by the agreement or any supplementing agreement and this is really interesting because um if there was a sense that the uk's adequacy was somehow well possibly subject to challenge or there are question marks over it then the partnership council can come in and provide some solutions and possibly head off that potential loss of adequacy before it happens so i think in contrast to what we've seen in shrems one and trems ii there's real possibility here for the partnership council to provide some extra stability for that adequacy decision but potentially also to create some tension between the european institutions possibly even the court of justice finding that the um the the adequacy decision is invalid on the one hand and the partnership council providing that political forum in which to deal with that issue so potentially it's not going to be like shrems one and trends two works business is picking up the pieces but we get a political solution through the partnership council to any potential loss of adequacy and i think this is even more striking actually and this is in the context of law enforcement um so um if adequacy is lost if there are deficiencies that have led to a relevant adequacy decision ceasing to apply then this provision comes in it anticipates that a party presumably the eu in this instance will suspend potentially or look to suspend certain provisions of the law enforcement aspects of the trade incorporation agreement but then the partnership council is able to come in and look at ways of allowing the party who has notified that suspension to either postpone its entry into effect reduce its escape or even withdraw it which is really quite striking so you could have a situation where the court of justice has said that the adequacy decision under the law enforcement directive isn't valid but the partnership council can come in and even look at the possibility of the parties withdrawing that uh that suspension and allowing those data flows to continue so i think um some i think there's some good arguments that can be used here obviously we haven't seen how this treaty is is going to actually um sort of take shape because it's in such an early stage but there is real possibility here i think for the uk adequacy decision to be more stable and for those political solutions to be found to enable and the free flow of data to continue in a way that we didn't see with shrems one and trends two and safe harbor and privacy shield so that's a little bit on the trading corporation agreement and these those um provisions um on on personalization for you for personal data and then the final um component and to this uh to this talk um is looking now forward at the uk's future policy on the free flow of data and on trade and digital trade in particular um so this slide is contains an excerpt from the national data strategy which was published in draft um at the end of last year and it sets out a vision for the uk as a world leader in the digital space and in the promotion of the free flow of data across borders in order to create economic growth so there are various missions here that that are set out in the national data strategy unlocking the value data across the economy transform forming the government's use of data but it's this fifth mission here championing the international flow of data which i wanted to highlight um so just to look in a little bit more detail about what that means um we see here that the uk is intending to come up with new ways to transfer data internationally so new and innovative mechanisms and facilitating the cross border flow of data and removing unnecessary barriers to international data transfers and then a really important aspect of the policy as well this idea of uk adequacy so the uk conferring adequacy decisions very much like the eu does but on global partners to promote um trade and the free flow of data to and from the uk so a little bit more detail on that so what i've set out here is the relevant um provisions in the legislation say article 45 the uk gdpr looking essentially the same as article 45 the eu gdpr which we looked at before so all of those factors like the rule of law the protection of personal data within the jurisdiction all of those will be factors that the uk looks at and the secretary of state under section 17a of the data protection act 2018 will be empowered and to make adequacy regulations conferring um adequacy on third countries um is there going to be a different approach here um obviously the legislation the broad framework is the same but from what one sees in the national day strategy there is a suggestion i think that this is something that the uk is going to be doing um a lot more of perhaps than the eu has done with its with its 12 adequacy decisions and really using um adequacy as a means of um strengthening um economic ties with third countries so so a really interesting potential departure here really for the uk and being uh being agile i think is the word that's often used and and really pushing that that agenda that international flow of data um coming on to standard contractual clauses there's also part of the uk's regime um so that's article 46 of the uk gdpr article 46 of the eu gpr looking more or less the same but then under the uk regime there's a power for the secretary of state and for the information commissioner to bring forward new standard contractual clauses and so i think one of the questions um which is interesting is to consider um what happens to that shrems ii approach that that shrems 2k store that we looked at that three-stage test of having to look in detail standard contractual clauses having to do the mini adequacy assessment of the third country and having to look at these technical measures which quite often really aren't practical for the transfer of data so the shrems ii case under the new uk um gdpr and the european union withdrawal act 2018 is retained in our domestic legal system um as retained case law um but the interesting thing about retained case law is um that it applies um to uh to retained eu law as it's called so it applies to the uk gdpr but if you're bringing forward new mechanisms such as new standard contractual clauses it becomes a question of the intention of those new um clauses the attention of ministers in bringing forward those new clauses as to whether or not the old retained case law applies to the to the interpretation of that measure of those new standard contractual clauses or not so that's section six three and six six the european u withdrawal act 2018 so it's very possible that ministers could decide that with these new standard contractual clauses they shouldn't be interpreted as um retained eu law they should be interpreted as new domestic law and therefore the retained case law no longer applies them so shrems ii potentially wouldn't apply if that was the intention of ministers to the new standard contractual clauses so potentially that sweeps away some of those really significant barriers to the transfer data that companies are having to deal with at the moment but then the real issue then do do we have a solid foundation that um you know at the end of this this um exploration of data adequacy in the trading corporation agreement do we have a solid foundation for the transfer of data um i think under the trading corporation agreement um we do have um something which gives some stability i think to uk adequacy which is that forum for political dialogue the partnership council being able to make recommendations to the eu and the uk and hopefully to head off difficulties which may emerge challenges to the uk's adequacy decision but if the uk adopts a policy of conferring adequacy on third countries and perhaps adjusts its own regime say no longer has the shrimps to approach the standard contractual clauses and thereby enabling data flows then there could be a price to pay which would be um the risk and that any data adequacy conferred by the eu on the uk could be lost so so that brings me to the end of this um this talk um here are some references um i will get the slides um sent round if you wanted to have a further uh a read of some material um david's done excellent article covering these these issues um which i highly recommend so thank you very much thank you very very much eleanor uh for a really really rich uh presentation with so much food for thought in actually many many different areas um well i have i have a lot of questions already but i i that one question has already come in and by the way do keep the questions flowing