The GDPR (General Data Protection Regulation) controls how personal data is processed within the EEA. Significantly, it also specifies how personal data must be handled when it is transferred anywhere else in the world. Put simply, a data processor must ensure that individuals’ rights under GDPR are fully upheld, even in (especially in) a country whose data protection regime does not meet European standards.
Several countries outside the EEA are specifically recognised as having adequate data protection laws, meaning personal data can be freely transferred to and from these. Transfers to other countries require specific arrangements such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
Until recently the USA had a bespoke exemption. At first, this was in the form of the “Safe Harbor” self-certification scheme but this was ruled invalid in 2015 as it did not provide sufficient protection from US government surveillance. A replacement framework, “Privacy Shield”, was hastily installed but this too was declared invalid in July.
As a result, the 5000 or so businesses currently relying on Privacy Shield, and the thousands more which use or subcontract their services, now all have to urgently review their arrangements. Critically, there is no transitional period – anyone dependent on Privacy Shield risks immediate liability under GDPR if alternative arrangements are not put in place.
SCCs are common alternatives but the “Schrems II” court case which did away with Privacy Shield also casts a shadow over these. Although the Court stated there was nothing wrong with SCCs as such, it made clear that their use will have to be assessed on a case-by-case basis. Historically, SCCs have been viewed as a kind of “get out of jail free” card, validating data transfers regardless of the destination country’s local laws. It is now clear that this is not correct and that each situation must be reviewed and additional measures adopted where necessary. These additional measures might include analysing what data is transferred, reviewing the technology used to process it, or inserting modified wording into the SCCs.
All parties in a data transfer chain could face significant fines and damages if they are found to be non-compliant. If your business has any direct or indirect exposure to US service providers such as cloud storage, payroll etc, you should review your situation as a matter of urgency.
For further information and advice on what this means for your business, please contact Kate Westbrook, head of Commercial.