International Data Transfers - What Now?

On 16th July 2020, the highest court in the EU issued its long-awaited judgement in the Schrems II case and, in doing so, left the entire business community in considerable uncertainty as to the lawfulness of their international transfers of personal data.

GDPR and international transfers

What is the relevant law and what was the case?

As a reminder, under the GDPR, currently personal data may only be transferred to a country outside of the EEA (“a third country”) if:

  • The third country has received an adequacy decision or, in respect of US transfers, the relevant company is Privacy Shield certified;
  • The entities involved in the transfer have entered into the Standard Contractual Clauses (“SCCs”); or
  • The transfer is covered by an exception (the circumstances where this will apply are quite limited).

Where transfers are made between different companies in a corporate group, the companies may also rely on Binding Corporate Rules, but these must be approved by the appropriate supervisory authority.

A transfer includes sending personal data or otherwise making it accessible in another country. In most cases, use of US software and cloud storage providers will mean you are transferring personal data to a third country.

The Schrems II case concerned a challenge to the validity of the Standard Contractual Clauses (SCCs) as a lawful mechanism for the transfer of personal data to a third country.

What was the outcome?

The Court:

  • invalidated the US Privacy Shield.
  • upheld the validity of the SCCs, but imposed substantial limitations on when these clauses may be used.

The Court’s key reason for invalidation of the Privacy Shield was the ability of US security and law enforcement agencies to access non-EU citizens’ data once in the hands of US companies, causing EU citizens to lose control over their data.

What does this mean for the SCCs?

Companies can continue to use the SCCs to transfer personal data to third countries provided that:

  • the parties carry out an assessment of the laws in the relevant third country to determine whether, as a result of such laws, the data recipient in the third country is able to comply with the SCCs; and
  • where potential issues are identified, the parties implement appropriate safeguards to mitigate these issues.

The European Data Protection Board (“EDPB”) has indicated that it intends to release further guidance in respect of what “safeguards” could be implemented alongside the SCCs. Until then, there remains significant uncertainty as to what may be required of businesses in this respect.

Transferring personal data to the US

What does this mean for the US Privacy Shield and transfers of personal data to the US?

Companies relying on the Privacy Shield for their transfers to the US will need to implement another measure to make these transfers lawful. This applies with immediate effect.

Given the concerns the Court raised about security agency and law enforcement access to the personal data of non-EU citizens, it is clear that use of the SCCs alone (without additional safeguards) is very likely to be in breach of data protection laws.

Next steps to achieve GDPR and data protection compliance

Although the decision took effect immediately, we consider it unlikely that the ICO will take action against any company for breach of the GDPR’s international transfer provisions until further guidance has been released by it and the EDPB.

That said, the ICO would likely look unfavourably on any business which failed to take any steps following this decision, so businesses should be taking stock of their international transfers to ensure they are in the best possible position to implement any guidance once it is published. This includes:

  • assessing where personal data is transferred to third countries and for what purpose;
  • identifying the mechanism used for transfers to third countries (e.g. Privacy Shield, adequacy decision, SCCs etc.);
  • approaching overseas suppliers and asking what steps they intend to take as a result of the decision; and
  • assessing whether the personal data needs to be transferred to a third country or whether a local provider could be used instead.

Get in touch with a data protection solicitor in Manchester

If you’d like to learn more about what this decision means for your business please contact James Wall from our data protection team on 0161 838 7996 or email jameswall@kuits.com.