Brexit, Schrems II and International Data Transfers
Date: 18/12/2020 | Data Protection & Information Law
Organisations need to keep an eye on events until we see how data transfers abroad will be regulated after 31 December 2020.
From 1 January 2021 the transition period will have ended and the EU GDPR will no longer have direct effect in the UK.
However:
- There will be a UK GDPR.
- UK data protection laws will remain the same, for the time being.
- International transfers of personal data will become more complicated.
Currently we can transfer personal data to and from organisations in EEA countries without any additional safeguards. Next year that will change and complicate international transfers of personal data, including the use of, for example, cloud storage where the server is hosted in the EEA.
In addition, transferring data to countries outside the EEA may be more complicated due to the Court of Justice decision in Schrems II (Case C-311/18). This invalidated the Privacy Shield, which allowed personal data to be transferred to and from the US without additional safeguards. It also impacted the use of standard contractual clauses (“SCCs”).
These issues are still to be finally resolved, and so this article is intended to point you in the direction of what to look out for.
Adequacy
The UK will become a third country under the EU GDPR and any data transfers from an EEA organisation to the UK will require additional safeguards in place, unless and until the UK is deemed “adequate” by the Commission.
The Commission is considering whether the UK provides an essentially equivalent level of protection to data transferred here. We have had the GDPR for the past two and a half years, but there are concerns about several issues in the UK, including the bulk surveillance of communication data as highlighted in a recent case decided in the Court of Justice, Privacy International (Case C-623/17), which is the latest in a series of cases challenging the bulk collection of communications data by the intelligence services in the UK.
There are also concerns that the UK Government intends to change data protection law, undermining data subject rights, as the Prime Minister stated earlier this year.
The UK Government has indicated that it will recognise adequacy decisions already in place, and it has also indicated that it will permit transfers to EEA countries to continue. The complication is ensuring that data can be transferred to the UK from these countries.
A simple solution was thought to be through the use of SCCs, until the Court of Justice’s decision in Schrems II.
Standard contractual clauses
Schrems II challenged the legality of the transfer of personal data to the US using SCCs. The court held that SCCs could still be used, but only with additional investigations to ensure an essentially equivalent level of protection in the third country.
In October the European Data Protection Board (“EDPB”) outlined what it believes these additional investigations should be. Its recommendations are still in draft form. There are also draft recommendations setting out how to assess surveillance by public authorities in third countries.
The Commission also took the opportunity to update SCCs. They now take into account the GDPR changes, and the new versions deal with transfers from EU processors to non-EU processors or controllers. Again they are still in draft. The current recommendation is to allow existing SCCs to be valid for another year. But it is likely that the EU will expect the additional investigations requirements to be satisfied sooner.
The UK’s position
It is unclear what, if any, of these recommendations will be adopted by the UK. The ICO is considering the recommendations, but it will be up to the Department for Culture, Media & Sport (“DCMS”) to decide whether to implement the new provisions once they are approved. In particular, it remains to be seen how UK organisations will be expected to safeguard transfers to the US. If transfers of personal data are allowed from the UK to the US without the additional investigations, that will make the EU less likely to consider the UK adequate and will further complicate transfers from EEA organisations to the UK.
Conclusion
The consultations in relation to these drafts end in December 2020, and organisations need to keep an eye on EDPB updates, Commission updates and ICO updates. Ultimately, however, the UK Government/DCMS will determine the UK’s approach to international transfers of data going forward and, like so many Brexit issues, that future is still very uncertain.
This article first appeared in Lawscot.org.uk on 14 December 2020.