This month we look at the EU's Data Governance Act, FAQs on new standard contractual clauses and the trans-Atlantic data privacy framework, and more

EU Data Governance Act will apply from 24 September 2023

On 3 June, the EU Data Governance Act (DGA) was published in the Official Journal of the European Union, after having been adopted by the Council of the EU on 16 May. The DGA will come into effect on 23 June 2022, and will apply in full from 24 September 2023.

The act was initially proposed in November 2020 (please see our earlier Insight for further details) and has a number of intended purposes including:

  • Establishing robust mechanisms to enable data sharing by public authorities where the data in question is subject to rights such as intellectual property, data privacy, confidentiality or trade secrets;
  • Encouraging data sharing through profit-making data intermediaries, where data is shared by businesses or individuals; and
  • Promoting "data altruism", where data would be made available voluntarily by companies or individuals for the common good, such as for scientific research.

The DGA is part of the European strategy for data, which aims to create a single market for data.

European Commission publishes FAQs on new standard contractual clauses

On 25 May, the European Commission published a set of questions and answers which provides practical guidance for organisations on using the EU's two sets of standard contractual clauses (SCCs), namely (a) SCCs for use between controllers and processors (for compliance with Article 28 of the EU GDPR); and (b) SCCs for use for the transfer of personal data outside of the EEA (for compliance with Chapter V of the EU GDPR).

The guidance provides clarity on a number of topics, including (among others):

  • requirements for signatures, modifications to the SCCs and relationship with other commercial terms;
  • for the SCCs between controllers and processors, the requirements on the form the controller's instructions should take, appointment of sub-processors, time periods for reporting data breaches and how a processor can demonstrate compliance with the SCCs; and
  • for the SCCs for transfers of personal data outside of the EEA, the scope and application of the SCCs, including for which transfers the SCCs can be used, rights of data subjects under the SCCs, the obligations on data exporters and importers under the SCCs, and obligations under the SCCs relating to local laws and government access requests.

NOYB publishes open letter on new EU-US Transatlantic Framework

As reported in our April edition, the European Commission and the US government announced that they had reached political agreement on the Trans-Atlantic Data Privacy Framework which would enable the free flow of personal data between the EU and the US.

Following this announcement, Max Schrems' digital rights organisation, NOYB, has published an open letter setting out its preliminary observations on the announcement.

Notably, NOYB highlighted that it has concerns that the new framework will not fully meet the standards required to protect EU personal data when transferred to the US and that it is "prepared to challenge any final adequacy decision that would fail to provide the needed legal certainty" before the European Court of Justice.

At this time, we are still awaiting further detail on the framework and clear timings for when it will be finalised.

ICO fines facial recognition company Clearview AI £7.5 million for GDPR breaches

On 23 May, the UK Information Commissioner's Office (ICO) announced that it had fined facial recognition company, Clearview AI Inc, over £7.5 million for scraping facial images of individuals in the UK from the web for the purposes of providing facial recognition services to its customers (including the police), in breach of UK data protection law. The ICO has also ordered Clearview AI to stop collecting this data of UK individuals and to delete data of UK residents.

ICO launches AI and data protection risk toolkit

Further to the ICO's guidance on artificial intelligence (AI) and data protection (published in July 2020), the ICO has launched its AI and data protection risk toolkit. It is designed to assist organisations with assessing data protection risks within their AI systems. The toolkit, as well as a webinar introducing the toolkit, can be found on the ICO's website.