International transfers and Schrems II: GDPR obligations

Out-Law Guide | 04 Jan 2023 | 12:11 pm | 9 min. read

Strict requirements are outlined in UK and EU data protection laws in relation to the international transfer of personal data.

The so-called ‘Schrems II’ ruling by the Court of Justice of the EU (CJEU) in July 2020 emphasised the robust due diligence businesses must undertake before transferring personal data outside of the European Economic Area (EEA).

In this guide, we examine some of the key questions businesses will ask themselves when considering what they need to do to comply with the EU and UK GDPR.

What obligations are included in the GDPR around international transfers?

Chapter V of the GDPR sets restrictions on transfer of personal data internationally, outside of the EEA. These are designed “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.

The philosophy behind this is that personal data that benefits from the protections under the GDPR should continue to benefit from an equivalent standard of protection, even if it is transferred outside the EU or UK. Chapter V sets out several different options controllers or processors can take advantage of to ensure that standard of protection is not undermined: adequacy decisions; standard contractual clauses and other “appropriate safeguards”; binding corporate rules; and derogations for specific situations.

Adequacy decisions

The European Commission can pass decisions declaring that a country provides an adequate level of protection for personal data. Organisations can transfer data to these countries without the need for additional safeguards like standard contractual clauses.

To-date, the Commission has passed adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, and the UK, though the adequacy decisions for Japan and Canada do not cover all transfers to those countries.

On Brexit, the UK made its own “adequacy regulations” for the EEA, Gibraltar, and the countries on the EU adequacy list at 31 December 2020 – that is, all the countries listed above except the Republic of Korea, which received its EU adequacy status in December 2021. Since then, the UK government has passed its own adequacy regulations for the Republic of Korea.

Further adequacy decisions are expected to be issued in due course by the Secretary of State for Digital, Culture, Media, and Sport.

Standard contractual clauses and other appropriate safeguards

For countries where no adequacy decision is in place, Article 46 of the GDPR lists some “appropriate safeguards” that can be used, including standard contractual clauses (SCCs). The European Commission is responsible for providing these clauses under the EU GDPR. For new contracts subject to the EU GDPR, the SCCs published by the European Commission in 2021 must be used. Any existing contracts using the SCCs published in 2001, 2004, or 2010 need to be updated so that those legacy SCCs are replaced with the 2021 SCCs by 27 December 2022.

For transfers subject to the UK GDPR, the Information Commissioner’s Office (ICO) has published an International Data Transfer Agreement (IDTA). As an alternative, the ICO has also provided an Addendum to the EU SCCs, which gives businesses the option of bolting on the addendum to the EU SCCs to meet their obligations in relation to transfers subject to the UK GDPR. The UK Addendum therefore provides a straightforward option for transfers subject to both the EU and UK GDPR, and for organisations that want to follow the same process for GDPR compliance in the UK and EU.

The IDTA or EU SCCs and Addendum must be used for new contracts and must be replaced in existing contracts by 21 March 2024.

Binding corporate rules

Binding corporate rules (BCRs) can be used to govern intra-group international data transfers and are an alternative to using SCCs. BCRs entail putting in place a set of binding intra-group rules governing the data transfers and obtaining regulatory approval for those arrangements.

Approval from any EU data protection authority allows BCRs to be used for compliance under the EU GDPR. For UK GDPR compliance, separate approval must be obtained from the ICO. For organisations with obligations under both the EU and UK GDPR, two sets of regulatory approvals must be obtained.

Derogations

Article 49 of the GDPR includes several “derogations” where transfers can take place without an adequacy decision, SCCs or another appropriate safeguard, or BCRs. These include circumstances where:

  • the data subject has given specific and informed consent to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the controller; or
  • the transfer is necessary for the performance of a contract between the controller and another person which is made in the interests of the data subject.

To rely on a derogation, the transfer must meet the specific conditions laid out in Article 49. Consent must be specific to the transfer in question, and transfers relying on the exemptions for contractual necessity must only be occasional.

What constitutes an international transfer under the GDPR?

Generally, whenever personal data is sent, accessed from, stored in, or used in another country, a transfer will have taken place for GDPR purposes. Cloud offerings including SaaS will often include some form of transfer, either because data is hosted in another country, because data is used or analysed in another country, such as in the context of offshore HR or payroll solutions, or because data is accessed from another country for ‘follow-the-sun’ support.

There are some limited exceptions. For example, the European Data Protection Board (EDPB) has confirmed that an EU employee travelling to a third country on a business trip and accessing personal data remotely does not qualify as a transfer.

The ICO has confirmed that the international transfer rules under the UK GDPR do not apply to transfers within the same legal entity.

What obligations did the Schrems II ruling clarify?

The Schrems II ruling confirmed that SCCs could be relied on for transfers of personal data to countries without an adequacy decision. However, it also confirmed that an assessment of the laws of the third country needs to be undertaken in the context of the transfer to confirm whether the data would receive essentially equivalent protection to the protection provided in the EU after it is exported. These assessments are sometimes called transfer impact assessments or data transfer impact assessments (DTIAs).

In summary, to transfer personal data to a third country that does not benefit from an adequacy decision, it will usually be necessary to:

  • enter into SCCs, or use another transfer tool, like BCRs; and
  • carry out a DTIA.

The Schrems II decision also struck down the EU-US Privacy Shield, a mechanism which could previously be relied on for transferring personal data from the EU to the US in some sectors.

What are the deadlines for putting in place new SCCs?

The EU deadline for updating any existing contracts using the EU SCCs published in 2001, 2004, or 2010 was 27 December 2022.

In respect of the UK position, contracts put in place before 21 September 2022 may continue to rely on the old EU SCCs until 21 March 2024. From that date, however, organisations will need to have put in place the UK IDTA or the 2021 EU SCCs and UK addendum.

The legacy EU SCCs can no longer be used for compliance with EU or UK GDPR requirements for new data transfer contracts.

Are the data transfer impact assessment deadlines the same as the deadlines for updating SCCs?

No. The CJEU clarified what it considered to be an existing GDPR obligation in the Schrems II ruling – so the obligation to carry out a DTIA for new and existing transfers formally applied from 16 July 2020.

The process was very different from the introduction of the GDPR, where organisations had almost 26 months to get their compliance programmes in place between the final text being published and the GDPR becoming applicable.

A contractual obligation to carry out a DTIA was introduced in the 2021 EU SCCs and UK IDTA, so where the legacy SCCs are still relied on, there may be no contractual obligation to carry out an assessment. Organisations still have a legal obligation to carry out a DTIA regardless of this.

Are data transfer impact assessments necessary if I rely on BCRs or a derogation?

Yes, it is necessary to carry out a DTIA if you rely on BCRs.

It is not necessary to carry out a DTIA to rely on a derogation. However, data controllers must be able to demonstrate that the condition being relied on has been satisfied to comply with their accountability obligations.

In the UK, the ICO suggests derogations can be relied on where a DTIA has been carried out and shown that SCCs, or another transfer tool like BCRs, do not provide appropriate safeguards for all risks. So, data exporters may wish to rely on a derogation when a DTIA has been carried out and shown to be the only available option to proceed with the transfer.

When can we expect to see a new EU-US Privacy Shield?

In October 2022, US president Joe Biden signed an Executive Order paving the way for a new EU-US data privacy framework, which has been colloquially referred to as Privacy Shield 2.0. Before the new framework is operational, the European Commission must adopt a new adequacy decision. The Commission has already published a draft adequacy decision and EU justice commissioner Didier Reynders has said that he hopes the new framework will be in effect by spring 2023.

The UK has also announced a parallel process for a UK-US adequacy decision. It is expected that the UK will finalise its adequacy decision ahead of the EU’s adequacy decision.

Will the new Privacy Shield mean SCCs and data transfer impact assessments are no longer needed?

No.

The impact the new EU-US data privacy framework, and UK equivalent, will have is different for the US and for other countries.

Countries other than the US

The new EU-US and UK-US data privacy frameworks will not affect the obligations around these transfers. Transfers to a third country will still require SCCs or another safeguard, or reliance on a derogation. You will still need to carry out a DTIA.

Transfers to the US

The EU and UK adequacy decisions in respect of the US will be partial adequacy decisions only: they will only apply to organisations signed up to the new framework. It is likely the new framework will not be available to all organisations. The draft adequacy decision, like the original EU-US Privacy Shield, only makes the framework available to organisations regulated by the US Federal Trade Commission and US Department of Transportation. This notably excludes US financial services institutions and telecommunications companies from benefiting from the arrangements.

Where personal data is to be transferred to US-based organisations that cannot sign up, or have not signed up, to the new data privacy frameworks, SCCs or another tool will need to be relied on. A DTIA will still need to be carried out, though the commitments in the Executive Order may mean that it is possible to conclude that data transferred to the US will receive essentially equivalent protection in a wider range of scenarios than previously.

As discussed above, the EU GDPR deadline for replacing old SCCs with the 2021 SCCs in existing contracts was 27 December 2022. The new data privacy framework will not be available until spring 2023 at the earliest. This means that organisations planning to rely on the new Privacy Shield when available will still need to meet this deadline for updating their contracts.

How do I carry out a data transfer impact assessment?

The EDPB has outlined a process for assessing the laws and practices of the third country in theory and in practice, and identifying and adopting supplementary measures necessary to bring the standard of protection up to the EU standard of essential equivalence. Since the guidance was issued, data protection authorities including France’s CNIL and Austria’s DSB have said that it is not possible to take a risk-based approach to these assessments.

For assessments under the UK GDPR, the ICO has said that the EDPB approach is acceptable. Alternatively, they set out the option of an assessment on whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK. The ICO has confirmed that exporters should carry out a reasonable and proportionate assessment in the context of the transfer.

Will UK reform affect the requirement for data transfer impact assessments?

The Data Protection and Digital Information Bill was introduced into the UK parliament in July. It is aimed at reforming existing UK data protection law.

The current text of the Bill sets out a risk-based approach for DTIAs, where the assessment is whether the standard of protection is “not materially lower” than the standard under UK data protection law. This aligns with the approach set out in the ICO guidance. DTIAs will still be required, but there is an emphasis on carrying out assessments in a way that acknowledges the desirability of facilitating transfers as well as the importance of protecting data subjects’ rights.

It is also important for multinational companies to bear in mind that many transfers from the UK will be subject to the EU GDPR, so the EU rules will continue to apply.
