Background – the Schrems II case
In July the Court of Justice of the EU, in a case called “Schrems II”, invalidated a US programme called “Privacy Shield”, which enabled companies to freely transfer data between the EU and the US in a GDPR-compliant manner. In addition to invalidating the “Privacy Shield”, the Court also ruled that one of the most popular mechanisms used by many companies for the international transfer of data – the Standard Contractual Clauses (SCCs) – remains valid, but not on its own. Parties wishing to rely on the SCCs must satisfy themselves that, given all of the circumstances surrounding the transfer, the data importer (the party receiving the data) will be able to provide legal protection that is at least equivalent to GDPR level. This includes, on a case-by-case basis, evaluating the nature of the data, the parties’ identity, the circumstances of the transfer, and even the laws of the data’s destination country. If the parties are not satisfied that the SCCs alone can afford an adequate level of protection, they must adopt additional “supplementary measures” in order to afford enhanced protections.
What happened this week?
Since this ruling, practitioners have been confused about how to properly interpret these amorphous requirements introduced by the Court. Specifically, it wasn’t clear how the evaluation of third countries was to be carried out, or what types of “supplementary measures” might be appropriate in each case.
Just one day after the EDPB published its recommendations, and after over a decade of using antiquated SCCs (with much criticism from privacy professionals, rightly claiming that the SCCs do not reflect the versatile reality of data sharing in the modern digital world), the EU Commission published a new set of SCCs. The draft SCCs are still open for consultation, which ends on 10 December 2020.
What does this have to do with the UK?
On 1 January 2021 (unless a deal is reached between the UK government and the EU, which at the moment seems unlikely), the UK will become a “third country” for the purposes of GDPR. This means that any transfer of data from the EU to the UK (which was covered by GDPR just a day earlier) will instantly be considered to be an international data transfer and companies will need to put in place a “transfer mechanism” approved by the EU Commission such as the SCCs.
Indeed, the GDPR has been implemented into UK law, and one would assume that the UK’s laws would automatically be considered to be “adequate” by the EU Commission. Unfortunately, however, life isn’t that simple. The CJEU and other EU institutions have already raised concerns about some of the UK’s other laws, specifically those providing law enforcement with the ability to request the disclosure of data, similar to the laws in the US which were the catalyst for the Schrems II case and led to the invalidation of the Privacy Shield programme.
Okay, got it. So what do I need to do?
- As a first step, you will need to identify what types of data you collect and whether any of that data is transferred from the EU. Note that the word “transfer” is defined very broadly, so it may include more activities than you would assume. If in doubt, feel free to get in touch.
- Once you have identified any data transfers from the EU to the UK, you must carry out an assessment of the transfers to ensure you have in place the correct “transfer mechanism”. Circumstances that will be relevant are the amount of data transferred, the sensitivity of the data, the number of data subjects concerned, among other considerations.
- Next, you will need to carry out an evaluation of which UK laws apply to the transferred data, such as the legislation which allows law enforcement and security services to access data. This is a complex area of law and we recommend you get in touch with our experts who can help with this.
- The next step will be engaging with any EU-based third parties in order to ensure you have in place the right “transfer mechanism”. In most cases this will be the SCCs (discussed above).
- If you already have the “old” SCCs in place, you will have a one year transition period to replace them with the new ones. Our recommendation is to deal with this sooner rather than later, whilst the matter is fresh on everyone’s mind.
- If the assessment’s result is that the transfer presents a risk (for example, because of the nature of the data, the data subjects, the volume of data, etc) you may need to put in place one or several of the “supplementary measures” recommended by the EDPB. Our team of experts can help advise you on the appropriate measures and assist you in negotiating with any third parties.
- You may also need to appoint a representative in the EU (depending on your processing) and register with an EU lead supervisory authority (in addition to your registration with the Information Commissioner’s Office).
- Lastly, if you have appointed a Data Protection Officer, you will most likely not need to appoint another, EU-based, DPO, as the function of the DPO will remain similar in the UK and in the EU post-Brexit, unless, of course, local law in the relevant country requires you to do so.
Brexit is fast approaching and a deal seems less and less likely by the day. Therefore, we strongly recommend you follow the simple steps mentioned above in order to be sure your business is ready and you are not caught off guard. As ever, Asserson’s data protection team is standing by to advise and answer your most pressing questions in this evolving and complex, yet business-critical, area.
Article written by: Avishai Ostrin