Personal data transfers – where are we now?
It’s been a rather muddled few years in the world of data transfers. Most businesses will be aware of the rule under EU and UK data protection law that (with limited exceptions) personal data cannot lawfully be transferred to a territory outside the EEA and the UK unless that transfer satisfies the conditions in the law which are designed to protect the personal data.
Transfers to “adequate” jurisdictions
It’s always been possible to transfer personal data without special formalities to a jurisdiction deemed by the EU to provide “adequate” protection to the data, but the list of those jurisdictions is still very short. It comprises only Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. On 28th June 2021 the EU declared that the UK was an adequate jurisdiction for transfers from the EU, which was something of a relief, although the EU will review the position after four years.
Transfers to the USA
The EU has for years tried to secure adequacy for transfers to the United States. Back in 2000 it agreed a set of “Safe Harbour” privacy principles with the US, enabling EU data controllers to transfer personal data to any US entity which signed up to those principles. However, largely at the instance of an Austrian citizen, Maximilian Schrems, in 2015 the Safe Harbour scheme was declared invalid by the European Court. So the EU tried again, this time setting up the “Privacy Shield” with the US, but Schrems succeeded once more in July 2020 when the Court struck down that decision also. The problem was US surveillance programmes, which the Court considered to be incompatible with the right to privacy. Accordingly the US is now just like any other “third country”.
Model clauses
For transfers to such countries, in the absence of one of the more useful exceptions (such as the express consent of the data subject, or the fact that the transfer is necessary to conclude or perform a contract with the data subject), the common route has been standard contractual clauses based on forms approved by the European Commission in 2001, 2004 and 2010. These are in very widespread use.
However, in its 2020 decision (commonly known as “Schrems II”) the European Court said that on their own these clauses are not necessarily enough. Data controllers who undertake data transfers are under a duty to ensure that the data subject is afforded a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights – if necessary with additional safeguards to compensate for gaps in the protection of the legal system of the destination territory.
The latest model clauses
This is a big ask for a data controller. Even sophisticated data controllers are not really in a position to make a full assessment of the degree of protection in a foreign country. So in an attempt to make things easier, the European Commission has produced a new modular form of standard contractual clauses, effective from 27 June 2021. These clauses attempt to deal with the Schrems decision by requiring the parties to the clauses to warrant that they have no reason to believe that local laws and practices in the importer’s country would prevent the importer from complying with its obligations under the clauses.
Time will tell whether this latest attempt will defeat objections from Mr Schrems and other interested parties. But where does this leave us?
The current position
First, as the UK is no longer part of the EU, this latest version of the model clauses does not apply to transfers from the UK. Accordingly the former (2001-2010) versions of the model clauses are still effective for transfers from the UK to other countries, albeit with the additional safeguards which the Schrems II decision requires. The UK will produce its own model clauses in due course, but hasn’t done so yet. In the meantime the UK Information Commissioner (“ICO”) recommends the use of a UK version of the old clauses, which are published on the ICO’s website.
Secondly, the old model clauses will soon cease to be valid in the EU. They can still be used for new transfers up to 27 September 2021, but all contracts based on the old clauses must move to the new (modular) clauses no later than 27 December 2022. This is a big operation, and it is certain that many businesses will begin the process of transferring to the new clauses right now.
Internal arrangements for larger businesses
Several large businesses have relied on internal international data transfer agreements incorporating the model clauses to govern transfers of personal data between their various offices across the globe. However, these agreements are becoming longer and more complex. Not only is the UK in the process of diverging in its approach, but other countries (such as Brazil and South Africa) are also insisting on the protection of international data transfers without specifying exactly how. South Africa, which started enforcing its law on 1 July 2021, had already extended its data protection regime to include companies as data subjects, which creates its own headaches.
The root of the problem
A large part of the reason for the current complexity is that European data protection law has developed faster than the rest of the world. Ideally, there would have been treaties with other countries under which they would have been obliged to provide protection to EU data to the standards which the EU expects. But those other countries aren’t ready to do that, and so it is down to individual EU businesses to attempt to regulate transfers by contract, which in practice is extremely difficult to regulate and enforce. It is perhaps not surprising that very little actual enforcement activity has taken place except when someone like Maximilian Schrems makes a huge (and extremely effective) fuss.
Next steps
All businesses in the UK which transfer personal data outside the EU and the UK will need to keep an eye on the ICO’s pronouncements concerning model clauses. We can expect more later this year. And businesses which transfer data from the EU to destinations outside the EEA and UK will need to become familiar very quickly with the new model clauses, since in a very short time the old clauses will become invalid. In the meantime, the EU is still trying to grapple with the problem of transfers to the US. It is simply not safe to re-use forms of contract which are even only a few years old, so all businesses need to keep on their toes in this very fluid situation.
Quentin Archer, Consultant Solicitor - Privacy and Data Protection