Transferring personal data between jurisdictions has always been big business. In Europe, the General Data Protection Regulation provides a number of mechanisms to allow data exports overseas. The end of the Privacy Shield, Schrems II and Brexit will make it more difficult to send and process data worldwide. But there are solutions.

The End of the Privacy Shield

Transferring data specifically to the US suffered a setback as a result of the “Schrems II” case (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). The Court of Justice of the European Union (CJEU) ruled that the Privacy Shield mechanism, which allowed the transfer of personal data from the EU to certain US entities, is no longer compatible with the General Data Protection Regulation (GDPR). The Privacy Shield permitted some 5200 qualifying adherents to import personal data from Europe. It did not, however, give data subjects actionable data protection rights equivalent to those in the EU because the data could have been processed freely by US government authorities for public, defence and state security reasons, explain the data privacy law advisors at Moore Barlow LLP, a Member of ECOVIS International.

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are the usual mechanism in which respective entities in different jurisdictions agree formal data protection provisions in a specific contract. The CJEU determined that the Decision that implemented SCCs was valid. SCCs are therefore permissible as a mechanism for transferring personal data anywhere outside the European Economic Area (EEA). The relevant parties must verify that the level of protection of personal data in the country of the importer is acceptable. To ensure that the data export is legitimate, an impact assessment must first be made which takes all risk factors into account.

Brexit – a Possible “Adequacy” Decision?

Also looming over international data transfers is what happens if, at the end of the current transition period, the UK is not found to be “adequate” in that its own data protection regime offers the same protections as EU data protection law.

The European Commission has determined that several countries have adequate data privacy laws which allow for the unhindered transfer of personal data to those countries. There has been work towards a UK adequacy decision as part of a UK/EU trade deal since Brexit itself happened earlier this year.

There will be no adequacy decision if the UK’s data privacy legislation does not provide an adequate level of protection for personal data. The UK/US agreement on access to personal data for the purposes of prosecuting serious crime may contain inadequate safeguards, the experts explain. The surveillance provisions in the Investigatory Powers Act 2016 may also be considered to be incompatible with the GDPR. The UK considers all EU member states to be adequate for the transfer of personal data from the UK to any of them until this is reviewed in 2024.

What Should Businesses Be Doing?

Commercial operations, educational and health provision bodies which export data to a country outside the EEA should be taking the following steps:

All data transfers from the EU to third countries must be checked. It must be ensured that any of the alternatives to Privacy Shield or SCCs, such as Binding Corporate Rules (BCRs), general adequacy findings pertaining to certain third countries, or explicit consent of all relevant data subjects, are appropriate.

If data is exported to adherents of the Privacy Shield in the US, the arrangement should be replaced with contracts based on SCCs following impact assessments.

If an EEA business wants to export personal data specifically to the UK, BCRs or SCCs with the appropriate impact assessment should be used.

For further information please contact: Moore Barlow LLP – Member of ECOVIS International