International organisations with a UK presence are likely to face further dilemmas in relation to their compliance with the rules concerning international data transfers in 2020, especially now we know that Brexit is set to occur on 31st January.
Whilst the data transfer rules will remain unchanged during the transition period, which runs until 11pm on 31st December 2020, what happens after then is yet to be seen. What we do know is that Britain will become a “third country” for the purposes of EU GDPR from this date. This has the potential to cause a significant amount of disruption.
The most positive outcome would be for the EU Commission to issue an “adequacy” decision before end of the transition period. This would allow data to continue to flow freely between the UK and the European Economic Area (“EEA”). However, reaching an “adequacy” decision is often a lengthy procedure and it is perhaps wishful thinking to believe that the EU Commission will take a short-cut and make such a decision in time.
If an adequacy decision has not been made by the end of the transition period, then organisations in the EEA which are transferring personal data to the UK will need to ensure that they have in place an “appropriate safeguard” for the data. In the majority of cases, the most appropriate lawful mechanism for transfers will be for the parties to enter into the appropriate EU approved “standard contractual clauses” (“SCCs”).
There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:
- an EEA controller to a non-EEA controller; and
- an EEA controller to a non-EEA processor (“C2P SCCs”) (see more on the validity of these below).
One legal grey area is in relation to transfers from an EEA processor to a UK controller. There are no SCCs which would regulate such transfers and there will often be no other suitable lawful mechanism which could be used for these types of transfer, meaning EEA organisations are likely to be faced with either violating the GDPR or stopping transfers to the UK if such circumstances arise. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.
On a more positive note, it appears the C2P SCCs will survive the legal challenge currently being brought against them in the European Court of Justice (ECJ) in the case of Data Protection Commissioner v. Facebook Ireland Limited (often referred to as “Schrems II”). The Advocate General Henrik Saugmandsgaard Øe issued his opinion in Schrems II at the beginning of December 2019, recommending that the court uphold the validity of the C2P SCCs.
Although this is not binding and the ECJ will have the final say in the matter, the opinion of the Advocate General is followed in around 80% of ECJ cases. It is, therefore, widely expected that the C2P SCCs will remain intact following the court’s judgment. Although imperfect, and in need of updating, the SCC’s will, for many businesses, continue for the time being to be the glue that holds international data transfers together.