To the far side of the world: Your 5-minute guide to Schrems II and Standard Contractual Clauses

Data is everywhere and it is more valuable than oil. In the Digital Age companies depend on building up customer profiles so they can better understand and sell to those customers. It is estimated that our data will be worth $197.7 billion by 2022 – more than the total value of American agricultural output.[1]

But there are strict rules in place around when, where and how you are allowed to transfer that data out of the UK or the EU. In this article, “GDPR” refers to both the UK and EU GDPR.

What is the new UK adequacy decision all about?

In June 2020, the EU Commission agreed that the UK will be on the EU’s safe list of countries for, at least, the next 4 years. This means that data can be sent unrestricted from the EU (or EEA) to the UK.

What are these Standard Contractual Clauses (‘SCCs’) I keep hearing about?

Standard Contractual Clauses or ‘SCCs’ are basically a set of clauses that you ask the receiving company to sign. In signing them, the receiving company agrees to provide an adequate level of data protection for the data they receive.

What are the new SCCs and how are they different from the old ones?

New SCCs were approved by the European Commission (EC) in June 2021. They were updated to comply with GDPR and the Schrems II decision. To rely on the SCCs you must use the precise wording laid down by the EC.

The new SCCs contain clauses for:

a) Controller to Controller transfers

b) Controller to Processor transfers

c) Processor to Processor transfers

d) Processor to Controller transfers

This means you can choose the module based on the type of transfer you are making, i.e. based on whether the data exporter and the data importer are ‘controllers’ or ‘processors’ under GDPR in respect of the personal data processing. c) and d) are new; these types of clauses didn’t exist under the old SCCs.

The new SCCs also allow for multiple data exporters to be involved in the contract and for new parties to the contract to be added at a later stage.

What is this Schrems II case all about?

The European Court of Justice (CJEU) gave judgment in a case called Schrems II in July 2020.

The judgment is part of EU and UK law. It basically decided two things:

1. There was a framework called Privacy Shield that allowed companies to transfer personal data from the EU to the United States. The CJEU decided that Privacy Shield was no longer valid.

2. They also said that Standard Contractual Clauses were valid, but they added some caveats to this.

Why do companies transfer personal data around the globe?

Global companies need to transfer personal data to countries around the globe for a multiplicity of reasons. For example, a company may send personal data to a different country for:

  • Staff administration, e.g. sending employee data to Group HR in another country

  • Storage, e.g. sending customer data to a cloud provider in another country

  • Operations, e.g. sending customer personal data to a marketing company

Why do I need to know about data transfers?

If you are caught by GDPR then you must be careful when sending personal data outside the EU (or the European Economic Area, to be more precise) or the UK. GDPR carries potential fines of 4% of your company’s group turnover. After Brexit there are now two “versions” of GDPR: one for the UK and one for the EU. They are very similar apart from a few tweaks here and there.

The UK GDPR applies to processing carried out by companies operating within the UK. It also applies to companies outside the UK that offer goods or services to individuals in the UK such as a US company targeting their sales to people in the UK.

The EU GDPR applies to processing carried out by companies operating within the EU. It also applies to companies outside the EU that offer goods or services to individuals in the EU such as a US company targeting their sales to people in the EU.

Our company is caught by GDPR. What must we do in order to be allowed to send personal data from the EU or UK to another country?

In order for the transfer to be allowed, it must fall into one of the following three categories[2]:

  1. Safe country – The data is going from the EU or UK to a safe country, i.e. one on the list of countries considered “safe” under the UK GDPR or EU GDPR, such as Canada. The US is not on the list of safe countries.

  2. Appropriate safeguard – There is an appropriate safeguard in place, e.g. although the data is being sent to a country that is not on the UK’s list of safe countries, there is a contract (containing the Standard Contractual Clauses) between the sending and receiving companies covering data protection, OR

  3. Exception – There is an exception in place, e.g. the company has the consent of the data subject to send the personal data outside the UK.

The bottom line is that companies (whether they are in the UK or EU) can still use Standard Contractual Clauses to transfer personal data to a third country.

The CJEU said that when companies send personal data to a third country under Standard Contractual Clauses, then they must be satisfied that the country to which the data is sent has a level of protection for the personal data that is “essentially equivalent” to that in the European Union or UK.

If the protection is not essentially equivalent (for example, because the third country’s government might snoop on or access the personal data), then the companies must put “supplementary measures” in place to help protect the data.

These supplementary measures can be:

  • Contractual – e.g. clauses that ensure the data is protected.

  • Technical – e.g. making sure encryption is used.

  • Organizational – e.g. making sure staff are trained so that the data being sent is protected.

When you are sending personal data abroad and you are caught by GDPR then you must make sure you comply with this judgment. You must undertake a risk assessment to be satisfied that the data subjects of the data being sent to the third country will have a level of protection that is essentially equivalent to that under the UK or EU data protection regime.[3]

Practical steps

  1. Map your data flows – Try to understand where in the world your data is being sent, as I have set out above.

  2. Contracts – Ascertain which data transfers are not covered by Standard Contractual Clauses and work to ensure these clauses are put in place to cover the transfers. Start with your higher risk transfers, such as transfers involving large amounts of data to cloud providers or processors. Work with your Group Legal Function to ensure these contractual clauses are rolled out.

  3. Risk Assessment – As explained above in relation to the Schrems II case, companies must now do a risk assessment when sending data to a third country. They must do this to be satisfied that the third country’s data protection regime gives the data being sent a level of protection that is essentially equivalent to that under the UK or EU data protection regime. Try to put a risk assessment regime in place to deal with this.

  4. Training – Ensure staff are trained on their obligations when transferring data as part of your Staff Privacy Training.

Act now to put your company on the right side of the transfer rules!

Patrick O’Kane is a UK Barrister. He is Head of Privacy at a Fortune 500 Company where he helped lead a major GDPR project across a group of more than 100 companies. Previously, he led the Privacy Team at a large group of insurance companies in London. Patrick is the author of the book ‘GDPR: Fix it Fast – How to Apply GDPR to your company in ten steps’ (Foreword by Kristy Grant-Hart). He has written on Privacy for numerous journals and magazines. His upcoming book ‘GDPR in Financial Services’ https://www.amazon.co.uk/GDPR-Apply-Company-Simple-Steps/dp/0993478859 is published this month by Law Brief Publishing. http://www.lawbriefpublishing.com/product/gdprinfinancialservices/.

[1] Rana Foroohar, Don’t be Evil – Big Tech, Penguin Technology, page 25.

[2] GDPR, Articles 45–49.

[3] ICO Guide to GDPR, page 256.