CLS Blue Sky Blog

Kirkland & Ellis Discusses Cross-Border Transfers of Personal Data

In the wake of the landmark judgment in Schrems II in July 2020 (which invalidated the EU-US Privacy Shield with immediate effect, as reported by us here), the European Commission has recently adopted a number of hotly anticipated (at least in the privacy world!) decisions that re-adjust the framework for transferring personal data from the European Economic Area (the “EEA”) to countries outside the EEA (“third countries”) and the United Kingdom.

These decisions include:

In the UK, the Information Commissioner’s Office has also published a number of draft documents for consultation which indicate how transfers of personal data outside the UK to third countries might be legitimised going forward.

This Kirkland Alert summarises, at a high level, the key impacts and significance of these developments and outlines the practical steps that businesses should now be taking to ensure continued compliance with the European and UK rules applicable to cross-border transfers of personal data.

The New SCCs – Background

As reported by us here, in July 2020, the Schrems II decision determined that the Standard Contractual Clauses (the “SCCs”) remain valid as a data transferring mechanism subject to: (i) the data exporter assessing, analysing and verifying that the personal data being transferred will be adequately protected in the country to which the personal data is being exported (this is now commonly referred to as carrying out a ‘Transfer Impact Assessment’), and (ii) adopting supplementary measures to safeguard the transfer.

In light of: (i) the Schrems II decision and (ii) the outdated nature of the previous SCCs (which were adopted years before the entry into force of the GDPR), the European Commission published a discussion draft of New SCCs which, following consultation, were formally approved by the European Commission on 21 June 2021.

The New SCCs – Key Clauses and Changes

The New SCCs are intended to address the inadequacies of the previous SCCs and reflect the findings of the Court of Justice of the European Union in Schrems II, by including the following key changes:

The New SCCs – Key Dates and Deadlines

Businesses should note that:

UK Adequacy

Following the adoption of the New SCCs, the European Commission has also issued two adequacy decisions in favour of the UK. This much-awaited decision means that personal data can continue to flow freely between the EEA and the UK without the need to put in place additional safeguards.

The decision in favour of the UK (which must be renewed every four years) came with a number of qualifications, namely that: (i) the European Commission is able to “intervene” at any point if it decides that the UK has deviated from the level of protection for personal data that it currently has in place; and (ii) the UK adequacy decision will not be renewed by default in four years (i.e., the level of protection of personal data provided by the UK may need to be re-assessed at the time).

Key Impacts for Businesses and Next Steps

As outlined above, businesses will now need to review their data flows and consider how various exports of personal data to different regions can be legitimised going forward.

This post comes to us from Kirkland & Ellis. It is based on the firm’s memorandum, “Cross-Border Transfers of Personal Data: The Post-Schrems II and Brexit Landscape Begins to Take Shape,” dated September 30, 2021, and available here.
