Does your business involve transferring personal data abroad? If so, you need to take action.
If you do business outside the EU, it is likely that you routinely transfer personal data outside the EU. A recent decision by the EU Court of Justice (“ECJ”) – whose decisions must still be followed by the UK – means that:
- If you do business in the USA, you likely need to enter into some additional written contracts.
- If you do business elsewhere outside the EU, you need to consider (and be seen to have considered) whether your current safeguards for transferring personal data are adequate, and take further action if not.
The ECJ has ruled that the EU-US Privacy Shield is invalid. The Privacy Shield is a mechanism which allowed personal data to be transferred seamlessly from EU Member States to the USA without being slowed down by the GDPR. It will no longer be lawful to transfer personal data from the UK/EU to the USA in reliance on the Privacy Shield.
This is the second time the ECJ has invalidated a special arrangement between the EU and the USA for transatlantic transfers of personal data (having previously invalidated the Safe Harbour arrangement). Once again, the sticking point is the USA’s insistence that its intelligence services be given unrestricted access to any information coming into the jurisdiction. Essentially, the ECJ ruled that this contradicts the main purpose of the GDPR: to allow individuals greater control over how organisations use their personal data. US law therefore does not offer the required level of protection for EU data subjects.
Given the breadth of the definition of “personal data” under the GDPR – in essence, any information from which a living individual can be identified – it is likely that most organisations in the UK (or elsewhere within the EU) regularly doing business in, or otherwise working with businesses in, the USA have been systematically transferring personal data to the USA under the Privacy Shield.
These organisations need to choose and implement a documentary mechanism to fill the void. The most straightforward solution is to use the standard contractual clauses for the international transfer of personal data (“Standard Clauses”). However, this has also become more complicated as a result of the ECJ’s decision. As the Standard Clauses have not been updated since before the GDPR came into effect, the ECJ has also taken the opportunity to address the issue. This is where the decision affects businesses transferring personal data to almost any other country outside the EU.
Organisations transferring personal data outside the EU on the basis of the Standard Clauses must now:
- consider whether the applicable circumstances, including the law of the country in which the data importer is based, their use of the Standard Clauses provides the level of protection to data subjects required under the GDPR;
- if not, implement additional protective measures; and
- keep a documentary record of the process, including an explanation why the additional protective measures provide the protection required.
It is worth remembering that the UK remains subject to the jurisdiction of the ECJ until the end of 2020, at the earliest.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org