Transferring personal data internationally has become more difficult in recent days. The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield, an EU adequacy decision that allowed data to flow freely from the UK and EU to more than 5,300 companies in the US.
At the same time, it made reliance on standard contractual clauses (SCCs) – the obvious alternative to Privacy Shield – more onerous. It requires assessments by businesses of legal regimes in the countries to which the data is to be exported and “appropriate safeguards” to be put in place if the legislation in the country of destination is found wanting.
Regulators will now be expected to police international transfers much more rigorously than they have done in the past. Commentators fear that data transfers from the EU and UK to the US are now effectively prohibited, although it should be emphasised that the CJEU did not say that EU or UK to US data flows should stop.
Businesses in the UK and the US may be asking themselves what Brexit – which ends the application of the EU’s treaties in the UK – might mean for UK-US data flows, and whether it will make exchanging data with the US easier.
The General Data Protection Directive (GDPR) will cease to apply to the UK at the end of the transition period on 31 December 2020, when the UK will no longer be subject to EU law. However, this does not mean that the UK will have a free hand in the data protection arrangements it puts in place with non-EU countries, including the US.
The UK is negotiating an adequacy decision with the EU. If the EU decides that the UK’s legal arrangements are “essentially equivalent” to those in the EU, an adequacy decision would allow the free flow of data from the EU to the UK to continue after the transition period has ended.
An adequacy decision will also limit the UK’s ability to agree new arrangements for data transfers with non-EU countries. This is because any significant changes to the UK’s data protection regime, in particular lowering standards of protection, could jeopardise the UK’s status as being adequate for EU-UK data flows. The EU can revoke an adequacy decision if the country in question no longer provides an essentially equivalent data protection regime to that in the EU.
Even if the UK were to lose its status as being adequate for EU-UK data flows at some point in the future, the UK has undertaken to ensure a level of protection of personal data essentially equivalent to that in the GDPR, at least for data that came from the EU before the transition period ended.
The UK is intending to…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…