Free guide: International Transfers - where are we now?
The data protection landscape has greatly changed over recent years, and in the last few months the rules surrounding international data transfers have been no exception.
Following the departure of the UK from the EU, the issue of international data transfers came to the fore, as transfers to and from the EU became transfers to a ‘third country’. Such transfers require either an official decision of the relevant authorities that the destination provides adequate protection for personal data, or an ‘appropriate safeguard’ to be put in place before personal data can be transferred, unless one of a limited set of ‘derogations’ (situation-specific exemptions) applies.
In addition, the ‘Schrems II’ judgment from the Court of Justice of the European Union (CJEU) not only declared the EU-US Privacy Shield framework to be an insufficient data transfer mechanism, but also cast doubt on the ability to use Standard Contractual Clauses (SCCs) – the most commonly used ‘appropriate safeguard’ – to make compliant transfers to the US and other countries that are not deemed adequate by the European Commission.
Happily, these issues have been partially smoothed out:
- In the past week, the European Commission has published an adequacy decision that UK data protection law offers an adequate level of protection for data transfers from the EU to the UK (see Commission adopts adequacy decisions for the UK (europa.eu)).
- A new Schedule 21 to the Data Protection Act 2018 states that personal data transfers from the UK to the EEA, Switzerland and Gibraltar are covered by adequacy regulations, and therefore no further appropriate safeguards or derogations are required for such transfers (see Schedule 21, Part 3, Paragraphs 4 and 5 in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (legislation.gov.uk)).
- The European Commission has published a new set of SCCs which should help to lay to rest some of the thorny issues raised by Schrems II (see European Commission adopts new tools for safe exchanges (europa.eu)).
Nonetheless, it can be complicated to work out how to make international personal data transfers in a compliant manner. With this in mind, we have put together a FAQ guide to assist with understanding and navigating international data transfers in a post-Brexit, post-Schrems world.