Is your business transferring data unlawfully outside the EU?

Since the decision last July (2020) by the Court of Justice of the European Union (CJEU) in what is known as Schrems II, the legitimacy of international data transfers to outside of the EU has once again been thrown into question.

What Has This Got To Do with My Business?

You may be wondering what this has to do with you and your business. You might be surprised to learn that, in all likelihood, it has a great deal to do with it. The reason for this is as follows.

Many cloud and service providers use servers which are based outside of the EU. Whilst some have now moved their data inside the EU, or have an option for you to choose where your data is stored, many are still based in the US (or elsewhere outside the EU). This is a potential problem and could put your business in breach of both EU and UK data protection laws, since the UK Data Protection Act 2018 largely follows the GDPR (General Data Protection Regulation).

Decision in Schrems II

Without going into the detail of why Max Schrems took Facebook to court and what the court decided (if you want to read more about that, see here), the decision in Schrems II effectively means:

  • the EU-US Privacy Shield is now invalidated (the Privacy Shield allowed data to be transferred from the EU (and from the UK, when we were in the EU) to the US, provided the US importer had voluntarily registered itself for the Privacy Shield scheme)
  • the only method now of transferring data to third countries like the US (assuming there has been no adequacy decision by the EU Commission[1] and ignoring Binding Corporate Rules[2]) is using EU standard contractual clauses (or SCCs for short).

However, the current SCCs are arcane, largely inappropriate in today’s world and therefore under review by the EU Commission. They will be superseded later this year most likely, so contracts containing SCCs will need to be updated again when this happens (but cannot be before).

It doesn’t stop there: you also now have to be an expert in surveillance laws, and both the exporter and importer need to decide if the destination country’s laws are “essentially equivalent” to EU data protection laws (an easy task!). Depending on the outcome, you need to do the following:

  • if you conclude that the third country does not pass the ‘equivalence’ test, you need to identify and adopt supplementary measures to bring it to the level of “essential equivalence”, e.g. through the use of encryption or pseudonymisation, or by adding layers of contractual obligations on the parties or using other organisational methods
  • if there are no supplementary measures which will help, then the data should not be transferred (or if it is already being transferred, those transfers must stop immediately)
  • whatever the position above, you need to keep the situation under review, in case things change, e.g. the third country obtains (or loses) adequacy status (see footnote 1) or its laws or practices (e.g. in relation to surveillance) change

Conclusion

Since Schrems II, the law in relation to data transfers has become even more complex and compliance is difficult. Failing to carry out an appropriate assessment in relation to the destination or importing country can get the data exporter into hot water with the supervisory data protection authorities and result in fines and a prohibition on any further transfers of data to your chosen data importer, putting your business at risk.

We are experts in international data transfers and can assist in the review, regularisation and drafting of standard contractual clauses as part of a data processing agreement (as well as updating them when the EU Commission approves the new versions of the SCCs due out later in 2021).

Should you require further assistance or advice in relation to data transfers, please do not hesitate to contact Brian Miller on +44 (0)203 588 3538 or bmiller@saracenssolicitors.co.uk

This note is intended to be general guidance of the law and not a substitute for tailored advice in individual circumstances.

[1] This is where the EU Commission determines a country’s data protection laws are largely equivalent to those of the EU and may therefore be added to the list of countries which have an adequate level of protection.

[2] Binding Corporate Rules (or BCRs) are a method whereby (usually) a multi-national company can legitimise transfers between one legal entity to another, where each is in a different jurisdiction and where at least one is usually outside of the EU.
