Data transfers: new tools and new requirements

Following the CJUE’s ruling in Schrems II, data transfers to the US can no longer be based on the Privacy Shield.

In addition, each data transfer to a third country based on GDPR “appropriate safeguard” (including standard contractual clauses (SCCs) and binding corporate rules (BCRs) must be individually assessed and documented to demonstrate that the law or practice of the third country does not impinge on the effectiveness of the safeguards the parties are relying on. The EDPB published practical recommendations to that end.

These new requirements apply to data transfers to the US, the UK after Brexit (ie from 1 January 2021) and, more generally, to any third country with no adequacy decision.

At the same time, SCCs are being entirely redesigned. Companies using SCCs will therefore need to update them.

The reality check

• Are data transfers outside the EU (including to the US or the UK after Brexit) clearly identified?
• Which transfer tools are currently used (SCCs, BCRs, Privacy Shield, adequacy decision…)?
• Are these tools still appropriate?
• If not, what is the roadmap for changing them or updating them (update of the SCCs, alternatives to the Privacy Shield, assessment of the law of third countries where data is transferred, implementation of supplementary measures…)?

Taylor Wessing can provide support

• Audit your specific situation and implement a pragmatic action plan.
• Choose the right transfer tools or applicable exceptions.
• Assess and document the effectiveness of SCCs or BCRs in light of the law of the third country where data are transferred.
• Where applicable, determine and implement the required supplementary measures to ensure an adequate level of protection of transferred data.
• Identify transfers which can or must be based on the new SCCs, and so much more.