If your business transfers anyone's personal data beyond the UK (particularly to the US), a recent ruling in the Court of Justice of the European Union has potentially made it more difficult for you to comply with data protection law.

We've updated our Privacy and cookie notice for a website to reflect the current position.

Background

Under the General Data Protection Regulation (GDPR), transferring personal data to a 'third country' (a country outside the EU) is allowed if the European Commission has decided that the third country has good enough data protection rules in place (this is known as an 'adequacy decision').

If there's no adequacy decision, you're only allowed to transfer the data if there are:

  • appropriate safeguards; and
  • legal rights and remedies for the people the data is about.

Essentially, the personal data transferred outside of the EU must be as well protected as it would be if transferred within the EU.

Data transfers to the US

No adequacy decision exists in relation to the US. Instead, a framework called the 'Privacy Shield', established in 2016, served as a method for providing adequate protection when transferring data to US companies.

However, the recent court ruling (known as 'Schrems II') has invalidated this, essentially because US surveillance laws give US public authorities too much power to access and use personal data.

The European Data Protection Board has published guidance on what organisations must do to continue to lawfully transfer personal data to the US and other third countries. This includes putting in place alternative mechanisms like:

  • standard contractual clauses (template clauses adopted or approved by the European Commission); or
  • binding corporate rules (agreements governing transfers made between organisations within a corporate group).

Wider implications

If you want to use standard contractual clauses to lawfully transfer personal data to any third country (not just the US), Schrems II clarifies that you must make an 'equivalence assessment' – i.e. you must assess, on a case-by-case basis, whether the country provides a level of protection that's equivalent to what's guaranteed within the EU.

This assessment must consider not only the standard contractual clauses but also:

  • any access that authorities might have to the data; and
  • whether the country's legal system gives individuals enough rights regarding the data.

Extra safeguards might be needed. The data recipient must inform you if they can't comply with the standard contractual clauses or any extra measures. You're then obliged to stop transferring data and/or end the contract with them.

The same applies if you're relying on binding corporate rules.

How does this affect the UK?

Although the UK has left the EU, the GDPR continues to apply to the UK during the transition period (ending on 31 December). After that, the UK is due to introduce a new 'UK GDPR', which will merge the requirements of the GDPR with existing UK data protection law.

The EU and UK are currently negotiating an adequacy decision, as the UK will become a third country when the transition period ends. There were already several potential barriers to the UK getting an adequacy decision, including the UK's own use of mass surveillance. These concerns could intensify following Schrems II.

If there's no adequacy decision by the end of 2020, under the GDPR, alternative safeguards will need to be implemented for any inbound transfers of personal data from the EU to the UK, such as standard contractual clauses being entered into; however, because of Schrems II, EU data senders might be reluctant to conclude that the UK offers protections that are equivalent to EU law.

For UK businesses, outbound transfers of personal data will be subject to the UK GDPR. It's likely that all EU Member States and Gibraltar will be recognised as 'adequate', as well as any countries with existing adequacy decisions.

But for other countries (including the US) the UK is required under the EU-UK Withdrawal Agreement to continue to apply EU law on the protection of personal data in certain circumstances until the EU agrees an adequacy decision for the UK.