Data transfers – where do we stand?

With all the change and debate around the issue of transfers of personal data outside the EEA (and the UK), it's taken a while for the impact of Brexit and the collapse of the EU-US Privacy Shield to play out. A number of recent developments should hopefully provide a degree of clarity, even if uncertainties remain. So what is the current transfer landscape?

The basics

Under the GDPR, personal data may only be transferred outside the EEA where the relevant third country provides an equivalent level of data protection to that in the EEA. Similar provisions apply under the UK GDPR with respect to transfers from the UK.

Adequacy decisions

Transfers to countries which benefit from an adequacy decision can take place without a need for additional transfer mechanisms. The UK is the latest country to be granted adequacy by the European Commission, joining 12 other countries.

The US had a partial adequacy decision but the Privacy Shield collapsed in the face of challenge by Max Schrems, primarily on the basis that data being transferred under it to the USA was vulnerable to access by law enforcement authorities.

Transfer mechanisms

If there is no adequacy decision in place, you need to use an approved data transfer mechanism: either Standard Contractual Clauses (SCCs) or, where you are carrying out intra-group transfers, Binding Corporate Rules (BCRs).

Derogations

There are limited options to transfer personal data on specific grounds including where you have consent to do so, however these can only be used for discreet rather than ongoing or regular transfers.

The UK after Brexit

The data protection regime

In addition to the Data Protection Act 2018, the UK now has its own version of the GDPR, known as the UK GDPR. The UK GDPR mirrors the GDPR in essentials and the data transfer provisions are largely the same. The Schrems decisions both apply in the UK.

In theory, the UK is now free to make its own arrangements for data transfers independent of the EU. For example, it could issue an adequacy decision in favour of the USA. To do so would, however, put the newly granted EU adequacy in serious doubt.

EEA to UK transfers

On 28 June, the European Commission adopted a UK adequacy decision; the sighs of relief were audible. This effectively preserves the free-flow of personal data between the EEA and UK (with a carve out for immigration-related data) for four years. There is no need for additional transfer mechanisms or supplementary measures.

There is, however, a sting in the tail. The EC reserves the right to amend or withdraw the decision should the UK depart significantly from EU data protection law.

Transfers from the UK to the EEA and EC adequate countries

The UK has preserved the free-flow of data to the EEA and to countries with existing EU adequacy decisions, and it has also negotiated agreements with all the countries benefitting from EU adequacy decisions. This was originally described as provisional, but there is no reason to think it is likely to change.

Transfers to third countries

Just as in the EU, transfers to third countries from the UK require additional transfer mechanisms to be put in place and, potentially supplementary measures to be taken to protect the data. Now that the EU has adopted new SCCs and that the UK cannot be the lead regulator for BCRs under the GDPR, this causes complications discussed below.

New SCCs

The EC's Standard Contractual Clauses (SCCs) are one of the key mechanisms to legitimise the cross-border transfer of personal data from the EU to third countries which do not benefit from an EU adequacy decision.

SCCs have proved popular over the years (particularly following the collapse of the US Safe Harbor regime which preceded the similarly ill-fated Privacy Shield). However, the previous versions (which are still in use in the UK) have limitations. They are rigid and only apply to controller to controller and controller to processor exports. In addition, they were approved prior to the GDPR and, of course, before the Schrems II decision which changed the landscape for data transfers.

The EC has now adopted new SCCs intended to address these issues and they are much more closely aligned to GDPR requirements, including on the data protection principles, breach reporting, data subject rights, and technical and organisational measures.

As expected, the new SCCs adopt a modular approach (so there is only one set of clauses) and cover processor to processor and the less common processor to controller transfers as well as the traditional terrain of the existing SCCs. The clauses also allow flexibility on the number of parties and when they can sign up.

The ICO has said it is working on UK SCCs. We don't know to what extent the ICO's approach will mirror the EU's and there may be slightly different obligations. The underlying law remains the same though, not least the impact of the Schrems II judgment. It is however likely that some organisations will need to enter into two sets of SCCs with the UK and EU respectively.

The new SCCs came into force on 27 June and must be used for transfers from the EEA (where SCCs are the selected transfer mechanism) from three months after adoption for new processing operations. Those using the old SCCs must transfer over to the new ones within 18 months (find out more here).

BCRs

Brexit also had an impact on Binding Corporate Rules which are used by organisations to transfer personal data to third countries within their group and we now have separate EU and UK BCRs.

In January 2021, the ICO published guidance on what should have happened to pre-Brexit BCRs:

• Holders of EU BCRs (approved under the Data Protection Directive) with the ICO as Lead SA should have identified an EEA SA and transferred the BCRs to that SA.
• Holders of EU BCRs authorised by the ICO under the DPD, whether as Lead SA or not, will be eligible automatically for a UK BCR. A UK version should have been prepared and must be submitted to the ICO on or before the next annual update due date.
• EU BCRs approved under the DPD which were not authorised by the ICO and where the ICO did not act as Lead SA, were only transferrable to a UK BCR where the ICO received a UK version incorporating DPA18 changes. This should have been done by 30 June.
• EU BCRs approved under the GDPR where the ICO was not Lead SA are not covered by changes under the DPA18. Holders should have contacted the ICO if they required a UK BCR.

As BCRs need to be approved by the relevant Lead SA in the EU and by the ICO in the UK where the ICO is the competent authority, some businesses will need two versions, which could lessen their appeal given the potentially lengthy approval process.

Supplementary measures for transfers to third countries

The CJEU judgment in Schrems II not only struck down the EU-US Privacy Shield, it also cast doubt on the future of data exports to the US and to other third countries which do not provide an adequate level of protection for the data.

The CJEU said it was up to controllers to assess on a case by case basis, whether or not the data being exported would receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect the data if it did not. Where any additional measures would still fail to ensure adequate protection, the transfer could not take place.

No detail was provided as to what those supplementary measures might be and under what circumstances they would need to be used until the EDPB published its recommendations for supplementary measures.

These apply to all data transfers to third countries from the EEA. They do not apply in the UK even though the Schrems II decision does as they were adopted after the end of the Brexit transition period. Having said that, in the absence of guidance from the ICO, they are likely to carry significant weight and should certainly be taken into account by UK businesses (find out more here).

The elephant in the room

There can be no doubt that the new EC SCCs and the EDPB guidance on supplementary measures, together with the UK adequacy decisions, have cleared up some of the uncertainties and anomalies around the data transfer regime.

One major issue remains. There is really no way to completely protect exported data from being accessed for law enforcement purposes in third countries if those countries really want to access it. Even anonymisation may not provide indefinite protection.

Does that mean data localisation will gain more traction in the EEA and UK? Some of the larger web services providers are already planning for this, but in the meantime, businesses have to do the best they can with the existing mechanisms and guidance, following a risk-based approach where appropriate. The situation is clearer than it has been in some time, but we're likely to see further developments, particularly around the supplementary measures.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.