What do you need to do if you hold/transfer personal data between the UK and the EU/US? (Post Schrems II and Brexit)
There’s a lot of uncertainty around how to comply with the law(s) for holding and transferring personal data at the moment, with the end of the Brexit transition period looming and after the recent Schrems II court ruling. But here are some practical steps you should take now.
- Review and document what personal data you hold/transfer and where, by what means (e.g. HR software, CRM system, Google, Slack, etc.) and in which countries, and then identify the legal basis for it. You should have contracts in place with each provider, and these should include Standard Contractual Clauses (SCCs) unless you’re relying on some other legal basis.
- Decide whether you need to update any SCCs now or whether you can/should wait (the reason for waiting is explained below).
- If you’re holding/transferring personal data in/to the US and were relying on the Privacy Shield, you’ll need to use something else, e.g. SCCs.
- If you’re handling/transferring consumer data or sensitive data such as children’s or health data, these are higher risk, so you’ll need to take extra steps to ensure your data storage/transfers are compliant. If you haven’t already, we’d recommend a proper data transfer impact assessment.
To explain the background, and why this has changed (again!), the EU Court of Justice has recently said that the Privacy Shield is no longer valid due to US state surveillance powers (the case is known as Schrems II). It also said that although SCCs can still be used, you now have to do more due diligence and perform a risk assessment to ensure data is properly protected (from surveillance etc).
Also, the EU is changing the SCCs so that they align better with GDPR and to make them work for more types of data transfers. The new version of SCCs, due to be published in the next few weeks, will need to be used for all new data transfers. For existing data transfers, you have up to 1 year to replace the old version of SCCs with the new ones. But if any of the terms of your agreements change sooner, you must also update the SCCs at that time.
Brexit has further complicated matters for UK businesses that receive personal data from the EU. From 1st January you’ll need to have a legal mechanism in place to continue to validly receive this data – meaning you’ll most likely need to use (the new) SCCs. Fortunately, the UK has confirmed that transfers from the UK to the EU can continue unrestricted, so unless anything changes between now and 1st January, no further action is needed for these.
We are waiting for further guidance and for the final version of the updated SCCs to be published. But if you want to discuss any of the above, do a data transfer impact assessment, or need other help, please do get in contact.