Reading this Mayer Brown piece on GDPR compliance requirements for transferring personal data outside Europe, a number of points come to mind.
Specifically, when it comes to new developments, the piece states: “At the beginning of June 2021, the European Commission published a final version of its new SCCs for international personal data transfers outside the EEA (the “New SCCs”), which will replace the SCCs that many businesses currently rely on for transfers to the US (the “Old SCCs”). Businesses will have 18 months, until December 27, 2022, to transition from the Old SCCs to the New SCCs.” Ultimately 18 months to replace existing SCCs may sound like a reasonable period of time, but in reality, there are a number of challenges which must be met in a structured and coordinated fashion for this type of exercise to be successful. These include:
- Knowing your data flows, vendor relationships and contracts. Most companies still struggle to keep on top of this, and as such, when undertaking this exercise, the key is to build a better process for the future. This should never just be a one-off exercise.
- Understanding that not all data flows, data sharing partners and service providers are equal. There must be a plan for how to prioritise what could be hundreds, and in some cases, thousands of EU third country data transfers. It is also essential to build a process which can be scaled up in a way that does not burden key privacy and legal teams at a time when they are dealing with any number of complex and high-risk issues.
- Use this as an opportunity to engage internal stakeholders across legal, privacy, procurement, risk management, technology and the business functions, as well as to build better relationships with key vendors and service providers. Again, this must not be a box-ticking contract exercise – that will not provide you with a defensible position against Schrems II challenges.
On reading this piece I also thought it useful to flag that on 28 June 2021 the European Commission adopted a formal EU adequacy decision recognising the UK’s data protection regime as sufficiently similar to the GDPR to allow EU-to-UK data transfers without additional legal requirements. Whilst there have been calls for a post-Brexit UK to adopt a more “GDPR-lite” approach to data protection rules, continued free movement of data between the EU and the UK is a key priority for the growth of the UK’s digital and technology companies.
The UK has historically taken a more pragmatic approach to international data transfer requirements while subject to the EU Data Protection Directive 95/46/EC and GDPR rules. For example, the ICO stated in a published letter sent to the US Securities and Exchange Commission in September 2020 that UK firms could, in light of the Schrems II ruling, still transfer UK data to the SEC under current GDPR rules and derogations, including the Article 49 grounds based on reasons of public interest. It therefore seems unlikely that the ICO would refuse to accept the new SCC terms as a basis for a UK data transfer. It is more likely, though, that any UK SCC will be similar to (if not less onerous than) the EU Commission’s version.
If you want more on this I urge you to chat to Robert Grosvenor in my team.
While SCCs provide a convenient method for transferring data between the EEA and the US, their use is now subject to more complex considerations, including the need to undertake an assessment of the protection afforded in the jurisdiction to which the personal data is being exported.