International data transfers

On 16 July 2020, the European Court of Justice handed down its long-awaited decision in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems and others (Case C-311/18) ("Schrems II"). This ruling has had significant implications on the international transfers of data outside of the European Union ("EU") and European Economic Area ("EEA") and now, following Brexit, the UK. 

We have published many insights and updates on the future of data transfers in the wake of Schrems II and Brexit, including:

  • For a discussion of the invalidity of the Privacy Shield see our article here (16 July 2020)
  • We look at EDPB's guidance on safeguarding international data transfers here (2 December 2020)
  • The team conducted an initial assessment of the draft SCCs here (2 December 2020) 
  • When the SCCs were finalised, we produced a new go-to-guide (10 June 2021)
  • The team discussed the ICO's developments here (13 August 2021) and for more detail on what this means for you see here (3 September 2021)
  • Most recently, we set out the key deadlines and action points for updating SCCs here (18 February 2022)

The Schrems II case stemmed from a complaint by the Austrian privacy activist, Max Schrems, that personal data sent by Facebook from the EEA to the US was not adequately protected. The key issue was whether the European Commission's standard contractual clauses ("SCCs") provide a valid safeguard for the transfer of personal data from the EEA to the US, taking into account US government surveillance practices.

It decided that the Privacy Shield was invalid whilst SCCs remained valid, but only on the basis that they require both the parties to the SCCs and the competent supervisory authority to assess the recipient’s ability to comply with the SCCs. Any such assessment must take into account the recipient’s obligations under its national law.

Following the judgment in Schrems II, there were two big developments in Europe. The first was the publication of a new set of SCCs by the European Commission which replaced outdated versions from before the GDPR was introduced. Draft versions of the new SCCs were published in November 2020 with the final versions being released in June 2021. The second development was the European Data Protection Board’s recommendations on supplementary measures when transferring data outside of the EEA.

More recently, the UK's Information Commissioner's Office ("ICO") published a draft consultation on an all new International Data Transfer Agreement ("IDTA") which is the UK's equivalent to the SCCs and a transfer risk assessment ("TRA") guide and tool.