What’s the future of international data transfers following Schrems II?
Organisations that conduct international data transfers have had a frustrating few months. First, the European Court of Justice invalidated the EU–US Privacy Shield, then the UK left the EU without a clear legal basis for transferring personal data.
If you’re confused about how those changes affect your organisation or what you’re supposed to do now, we have the answers in this blog.
How we got here
Let’s look first at data transfers to the US. It’s an important trading partner for any country, but it doesn’t have an adequacy decision from the EU, which would allow organisations to move data across borders freely.
There are two main reasons for this: there is no single, federal data protection law in the US, and US laws allow for mass state surveillance, which isn’t permitted in the EU.
To bridge the gap, lawmakers initially created a mechanism known as ‘Safe Harbour’, but it was invalidated in 2015 following a lawsuit brought by privacy campaigner Max Schrems.
Schrems was also responsible for the downfall of its successor, the EU–US Privacy Shield, in a 2020 lawsuit commonly known as Schrems II.
In both cases, the mechanism was struck down because it failed to meet EU standards regarding the protection of people’s rights to privacy and data protection.
You can find out more about transatlantic data transfers with our EU-US Data Transfer Assessment and Action Plan service.
Our consultants will assess your progress against the six steps set out by the European Data Protection Board and provide you with an action plan to help you comply.
As for Brexit, the issue is much simpler. The UK’s departure from the EU meant it became a third country – i.e. a non-member state – so organisations now need a lawful process to transfer personal data from the EU into the UK.
The good news is that data transfers from the UK to the EU are unaffected. The UK has granted an adequacy decision to the EU, meaning organisations can move personal data into the European Union as normal.
Unfortunately, it will take longer for the EU to review the UK’s data processing practices, which has created a compliance gap.
European data protection law states that personal data can only be transferred outside the EU if appropriate safeguards are in place.
As a result, any data transfer to a third country must take into consideration not only the contractual clauses agreed between exporter and recipient, but also the legal system in the recipient’s country as it relates to access by the public authorities of that country.
If ‘essentially equivalent’ protection cannot be guaranteed, the transfer must be suspended.
EU supervisory authorities are expected to check transfers and are required to prohibit transfers that do not provide appropriate protection.
The European Court of Justice also considered the use of SCCs (standard contractual clauses) for transfers to third countries.
While the Court did not invalidate the use of SCCs entirely, it did find that their use must be supported by safeguarding mechanisms that ensure an equivalent level of protection to the GDPR, taking into account the legal framework in the recipient country.
If the necessary protection cannot be guaranteed, or the clauses are breached or rendered ineffective (e.g. if a new surveillance law comes into effect in the recipient country), then transfers must be suspended or prohibited.
Effect on UK organisations
UK organisations are in an unusual risk position. The Brexit transition period ended on 31 December 2020 without an adequacy decision, but a ‘temporary period’ of up to six months was agreed.
During this period, data transfers from the EU to the UK may continue as if the UK were still a member state.
In February 2021, the European Commission published a draft adequacy decision that, if adopted, will be valid for four years and periodically reviewed thereafter.
This is an encouraging step – if granted, data transfers from the EU to the UK will not require additional safeguards. Onward transfers of EU personal data from the UK to third countries, however, will still be affected by the Schrems II ruling.
Regardless of adequacy status, UK organisations that process the personal data of EU residents are likely to be asked to support information requests from EU organisations about the nature of the processing and any further transfer of data to third countries.
Such requests may ask that you provide information about the countries to which personal data may be made accessible, contracts with processors and sub-processors, the technical measures in place to protect data, and the strict necessity of the transfer.
Information about operating structures and practices, and how and why data is transferred and processed, may also be requested.
Want to know more?
You can find out more about personal data transfers between the UK, EU and US by downloading Schrems II and the EU–US Privacy Shield.
The free guide contains more detail on the Schrems II ruling and what it means for international data transfers under the GDPR.
It also explains how you can use data flow mapping to identify data transfers that are subject to specific rules or exemptions, and provides alternative methods for sharing personal data across borders.