March 9, 2022
When it comes to moving personal data between countries with different rules, there’s a lot going on at the moment. Countries with highly protective regimes (in particular, those in the European Union) want to ensure that their citizens’ data is protected, but many industries (and the tech sector in particular) are global, and keeping data in one place is difficult.
There have been controls on transferring personal data out of the EU since the first Data Protection Directive back in 1995 (and even earlier in individual EU countries). The GDPR bolstered the restrictions and, over the past few years, Max Schrems (and, more recently, his privacy activist group NOYB) has been putting pressure on regulators to enforce the rules more strictly.
In July 2020 the Court of Justice of the European Union issued a decision in the case of Data Protection Commissioner v. Facebook Ireland and Schrems, now commonly referred to as “Schrems II”. The key finding of this ruling was that:
In short, as well as knocking the US Privacy Shield on its head, Schrems II said that the standard contractual clauses (SCCs) on their own are not necessarily enough.
In reality, they don’t. The rules are the same for data transfers out of the EU/UK to every country that doesn’t have an “adequacy” decision; it’s just that, with so many popular Internet services (web analytics, cloud storage, CRM and the like) being hosted in the US, transfers in that direction are more difficult to avoid than transfers elsewhere.
Since Schrems II there has, therefore, been much debate over whether transfers to the US, in particular, could ever meet the obligations that EU businesses have to their EU customers under the GDPR.
The reasons for the level of uncertainty over the US are complicated but (as reported in a recent expert opinion by the German Courts) they seem to boil down to the fact that the US government can compel a wide variety of companies located in (or storing data in) the US to hand over that data, in some cases even where the data itself is stored in a different country. There is also a concern over the lack of ways for data subjects (individuals) to enforce their rights once their data has been sent to the US.
Following Schrems II, with limited alternative options available, most businesses have relied on the SCCs to legitimise transfers of personal data out of the EU/UK.
As of right now, there are two versions of the SCCs:
From 21 March 2022 the UK SCCs will be replaced by the UK international data transfer agreement (IDTA). Contracts that incorporate the UK SCCs and that are entered into on or before 21 September 2022 will need to be moved onto the new international data transfer agreement by 21 March 2024.
Errm… Nope! (sorry…)
For quite a while following Schrems II there was a LOT of head-burying and hoping that the regulators would overlook the fact that data was being transferred to the US with no additional protection. However, NOYB has filed 101 complaints with data protection authorities across Europe, and over the past few months the decisions on those complaints have started to be published. Right now the challenge for businesses is getting harder to overcome rather than easier.
For example, the Austrian data protection authority recently found that the use of Google Analytics (in that case, by a relatively small organisation) was not compatible with EU data protection laws.
This is significant for two reasons:
It is thought that, as the other decisions come through, other EU regulators will follow suit. Even if they do, the Austrian ruling will not apply in the UK as a consequence of Brexit. However, given the factors considered by the Austrian Data Protection Authority, it is hard to see how the UK data protection authority (the Information Commissioner) could come to a different conclusion, leaving many data protection practitioners thinking it may only be a matter of time until a similar ruling applies in the UK.
This is one solution, but hugely impractical for the majority of businesses. Since the US is home to some of the largest tech companies in the world, many EU (and UK) businesses rely on US companies for services that are not easily replaceable, and for which transferring personal data is unavoidable. Examples of this include marketing technology, cloud service providers, social media engagement and software services.
Businesses could try limiting transfers to the US to non-personal data only, such as business information and aggregate information that cannot identify an individual. This could mean something like using cookies that collect aggregate information (e.g. how many visitors the website has) rather than individual personal data (e.g. tracking what each individual visitor does). Bear in mind, though, that “aggregate” web analytics still usually involve each visitor’s browser sending its IP address to the provider’s servers, and an IP address is itself personal data, so the transfer still needs to be assessed rather than assumed away.
Other measures are likely to be out of the hands of most businesses. These could include:
Here at Stephenson Law, the flock isn’t holding its breath for any of the above! However, if you’re planning to wait and see whether any of these options materialise, check back in with us regularly or subscribe to our newsletter – we’ll be sure to tell you if it happens.
We recognise that the constant legal developments around international transfers put many businesses somewhere between a rock and a hard place. It’s more important than ever to keep a careful record of the personal data you hold and who you share it with, so that you can stop any transfers that are likely to prove risky and are ready to react to new developments as they arise.
In the meantime, UK companies can start identifying which agreements need to move onto the new UK International Data Transfer Agreement (the replacement for the UK SCCs) and prepare to replace their old documentation.
The legal experts in our data protection team are always on hand to talk about your business’s options.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.