If your organisation transfers personal data outside of the EEA, a recent judgment will affect you and means you are now required to take immediate action. We will explore the requirements in more detail, but first let’s look at the context…
International data transfers
The GDPR restricts the transfer of personal data to countries outside the European Economic Area (EEA). These transfers can only take place where:
- the European Commission has issued an ‘adequacy decision’ in respect of the country, territory or sector to which the personal data is to be transferred;
- the data exporter has made the transfer subject to ‘appropriate safeguards’ (e.g. standard contractual clauses (SCCs) or binding corporate rules (BCRs)); or
- the transfer is covered by one of the ‘exceptions’ set out in the GDPR.
Until the recent Schrems II judgment (discussed below), the adequacy finding for the USA covered only personal data transfers made under the EU-US Privacy Shield framework. Accordingly, EEA organisations could transfer personal data, without additional safeguards, to US organisations that were certified under the EU-US Privacy Shield.
Schrems II judgment
Why was the EU-US Privacy Shield found to be invalid?
On 16 July 2020, the European Court of Justice (ECJ) invalidated the Privacy Shield (Case C-311/18) as a mechanism for transfers of personal data from the EEA to the US, with immediate effect.
The ECJ concluded that the Privacy Shield prioritised the requirements of US public authorities for national security, law enforcement and other public interest purposes over the rights of data subjects. It found that US surveillance laws meant that US-based organisations could not ensure a level of protection essentially equivalent to that under EU law. It also found that the Privacy Shield Ombudsperson did not offer sufficient guarantees of independence and that the mechanism does not grant data subjects actionable rights before the courts against the US authorities.
What findings were made about the use of standard contractual clauses?
The ECJ confirmed that, in principle, SCCs remain a valid mechanism for international data transfers.
However, the data exporter must verify, on a case-by-case basis, whether the level of protection afforded in the recipient country is ‘essentially equivalent’ to that guaranteed by the GDPR. The assessment should take a number of factors into consideration, including:
- the particular circumstances of each transfer;
- the national laws of the data importer’s country (in particular, any access to and use of the data by public authorities in that country); and
- whether data subjects have enforceable rights and effective legal remedies available to them in the data importer’s country.
If SCCs alone do not offer an adequate level of protection, organisations should consider whether any supplementary measures could be put in place. If SCCs, together with any supplementary measures, would not ensure an appropriate level of protection, then organisations are required to suspend or end the transfer of personal data.
What does this mean for you?
If your organisation transfers personal data outside of the EEA (for example, by transferring data to an overseas group company, or by using cloud-based solutions where the data centre hosting your data is located outside of the EEA), this decision will affect you and will require immediate action. We would suggest that you:
- identify the circumstances of, and the safeguards used for, each data transfer outside the EEA;
- for transfers to the USA that rely on the Privacy Shield, either suspend such transfers or put in place an alternative transfer mechanism;
- for transfers reliant on SCCs and BCRs, carry out an ‘equivalence assessment’ to ensure that the data can be protected to an essentially equivalent standard to that provided by the GDPR. Also, consider whether any additional ‘supplementary measures’ need to be put in place;
- consider whether the transfer can take place under any of the exceptions set out in the GDPR (the Article 49 derogations), noting that these are generally intended for occasional, non-repetitive transfers only; and
- review any further guidance from the European Data Protection Board, the European Commission and the supervisory authorities (e.g. the Information Commissioner’s Office (ICO)).
Need advice on data protection matters? We’re here for you – get in touch.