data-protection-privacy /  big-data
New rules on transferring data outside the European Union
3rd Sep 2020
Share
New rules on transferring data outside the European Union - Linkilaw Solicitors
Linkilaw Solicitors
Book a call
One of our dedicated team will be happy to discuss your needs.

The backdrop in the United Kingdom to the data protection regime prior to this judgement has been that within the European Union, we allow for free data transfer between the European countries (in compliance with GDPR) but that you are not permitted to transfer personal data outside of the European Union, unless that recipient country has adequate protections in place.

There are number of ways this adequacy has previously been shown: it may be an approved recipient country by the European Commission (e.g. Canada or the Channel Islands), standard contractual clauses (SCCs) may have been relied upon between the parties sharing data and/or binding corporate rules governed this transfer. From 1 August 2016 many companies have relied on the EU-US Privacy Shield, which the European Commission had said provided adequate protection to allow personal data to be transferred to the US, however the Schrems II judgment has reversed this decision and the Privacy Shield is no longer considered valid.

This article considers the judgement handed down by the ECJ in relation to the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II).

The Schrems II judgment is based on a case instigated by Max Schrems in 2013, challenging the validity and legality of data transfer from Facebook Ireland to the US, as he had concerns about the access US authorities had to this data and the associated interference by the law of the US with the fundamental rights of people whose data was being transferred there.

Why was the judgment made?

The core of the decision to invalidate the EU-US Privacy Shield appears to be that the US surveillance regime still allows US authorities to access data without the parties’ control, so even though a data recipient or importer may be considered an adequate recipient of data, the fact that governmental authorities still may be able to access data undermines this.

This reasoning then also makes it difficult to rely on SCCs and binding corporate rules as arguably if the government in the recipient’s country still has access to this data, this does not support using SCCs or binding corporate rules as an effective transfer mechanism – so where does this leave us?

What now?

If your business has been relying on the EU-US Privacy Shield for your data transfers and/or you are transferring data to a recipient country that is not on the approved list by the ECC you should urgently review your processes.

If you are transferring data to the US, whether or not you can still transfer personal data on the basis of SCCs or binding corporate rules will depend on the result of your assessment on a case by case basis, taking into account the circumstances of the transfers, and additional measures that are or could be put in place to safeguard the data.

The key is to this assessment is that any transfer would have to ensure that US law and governmental powers does not affect the protections offered by the data recipient.

If following an assessment of a data transfer to the US you do not believe adequate protections can be put in place, you should either terminate the contract with the data importer or suspend the transfer of data and ask your local statutory authority for further guidance.

What the UK government have said about the judgement?

The UK government released the following statement that they “intervened in the case, arguing in support of the validity of standard contractual clauses (SCCs). It is pleased that this important mechanism for transferring data internationally remains in place and is considering any further implications that may arise from the judgment in respect of this.

The UK Government is working with the Information Commissioner’s Office and international counterparts to address the impacts of the judgment and ensure that updated guidance on international data transfers will be available as soon as possible.”

Conclusion

As a result of this judgment, the EU-US Privacy Shield has been invalidated so we no longer have that data transfer mechanism to the US, which was previously considered adequate.  This judgment represents a shift from prior views on SCCs and now additional focus must be considered by companies in assessing whether SCCs and binding corporate rules can be relied upon, or if supplementary measures should be put in place. It is important for your business to review their processes if they have relied on the EU-US Privacy Shield and if it continues to transfer data to the US.

How could we help?

We are here to help, share our market knowledge and guide you through relevant legal rules governing data protection and privacy. Book a call with our friendly and experienced legal team to discuss your legal needs.

Our legal commentary is not intended to be a comprehensive review of all developments in the law and practice. Please seek legal advice before applying it to specific issues or transactions.

Linkilaw Solicitors
Book a call
One of our dedicated team will be happy to discuss your needs.

Get in touch

Book a call
One of our dedicated team members will be happy to discuss your needs.
Send us a message
We will review your enquiry and get back to you as soon as possible.