It has been a busy few weeks in the world of international data transfers, and we finally seem to be heading towards some certainty after many months in a state of flux. The latest development, announced today (28 June 2021), is confirmation that the European Commission (“EC”) has formally adopted its draft adequacy decisions in relation to the UK.

Given the number of new developments we thought it would be helpful to summarise the current position and what you need to know. As many of you will be advising multi-national organisations (and therefore face the added complexity of considering both the EU and UK regime), we have highlighted the differences, where relevant.

UK Adequacy Decision

Today (28 June 2021) the UK has been deemed an “adequate” jurisdiction for the receipt of personal data from the European Union (“EU”).

When the UK left the EU, it became an “inadequate” jurisdiction for data protection purposes. However, as part of the trade deal, the EU agreed to delay transfer restrictions until 30 June 2021 (known as the “adequacy bridge”) in order to enable personal data to flow freely until either an adequacy decision was adopted, or the bridge ended.

On 19 February 2021 the EC published its draft decisions on the UK’s adequacy under the EU GDPR and the Law Enforcement Directive (“LED”). In both cases, the EC found the UK to be adequate.

The draft decisions were then considered by the EDPB and the European Council of the EU (a committee of the 27 EU Member State Governments).

The European Data Protection Board (“EDPB”) issued its opinion in support of the EC’s decisions on 16 April 2021.

However, the same view was not taken by the European Parliament, with MEPs passing a resolution on 21 May 2021 which asked the EC to modify its draft decisions. The resolution stated that if the decisions were adopted unchanged, national supervisory authorities should suspend transfers of personal data to the UK where such transfer would result in unrestricted access to the personal data transferred. Fortunately for the UK, the European Parliament does not have a formal role in the ratification process and the resolution fell short of formally requesting the EC to reconsider its decisions. As a result of lack of consensus in Europe and the rapid approach of 30 June without an adequacy decision in place, the ICO was recommending that alternative safeguarding measures were put in place to govern EU to UK transfers during the bridging period in the event the Commission’s draft adequacy decisions were not adopted. This is because if, on 1 July no adequacy decisions has been adopted, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions.

However, despite the opposition faced, a unanimous decision from the European Council on 17 June 2021 agreeing the adequacy decisions paved the way for the UK adequacy decisions to be formally adopted by the European Commission in time for the expiry of the adequacy bridge on 30 June 2021.

Following the decision of the European Council, the European Commission announced today (28 June 2021) in a press release (available here) that it had formally adopted its two draft adequacy decisions for the UK.

The immediate effect of this announcement is that personal data can continue to freely flow between from the EU and wider European Economic Area (“EEA”) to the UK without the need for any supplemental measures such as standard contractual clauses to govern the transfers after 30 June.

One unusual aspect of the decisions are that, unlike any previous adequacy decision adopted by the European Commission, they contain an automatic “sunset clause”. These strictly limit the duration of the adequacy decision to four years, with the decisions expiring at the end of this period, with any renewal of the adequacy decisions being subject to a further formal adoption process. This perhaps doesn’t give the longer term certainty many had hoped for, but at least gives a bit of breathing room for UK and EU companies trying to negotiate the complex landscape of international data transfers.

The adequacy decisions also exclude transfers for the purposes of UK immigration control following a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. This exclusion may be reviewed by the European Commission as the situation evolves in the UK.

Finalised EDPB Recommendations on Supplementary Measures

On 21 June 2021, the EDPB announced that it had adopted a final version of “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (the “Recommendations”) dated 18 June 2021. As readers will know, the Recommendations were drafted following the Schrems II judgement and a version was issued for consultation in November 2020.

These Recommendations are not binding, but reflect the interpretative understanding of the law by the EU supervisory authorities and therefore are likely to be reflected in enforcement action.

The final Recommendations retain the six step approach to considering proposed data transfers, which form a “transfer impact assessment”.

1. Know your
2. Verify the data transfer
3. Assess the law or practice of the third country to ensure that it does not impinge on the effectiveness of the transfer mechanism identified as part of step 2.
4. Identify supplementary measures to address the deficiencies identified as part of step 3, if necessary.
5. Take formal procedural steps to implement supplementary
6. Re-evaluate at regular

In the version for consultation, steps 3 and 4 caused particular controversy due to the lack of any risk based approach or ability to take into account the real likelihood of any access to personal data by authorities in the importer’s jurisdiction. Almost 200 responses were submitted, many of which focussed on the practical consequences of this for routine data transfers where there was little perceived risk to the rights of data subjects. Our own view was that the approach was too “linear” and went against the general spirit of the EU GDPR which, in many places, balances obligations against the risk of harm to data subjects.

So, what approach has been taken in the final version of the EDPB Recommendations? Fortunately there has been some softening of approach and we were particularly pleased to note the removal of the statement which prohibited organisations from relying on “subjective” factors when carrying out an assessment.

There has been a key change in approach which now permits exporters to consider the practice, as well as legislation, in the importer’s jurisdiction. This gives exporters the ability to make a subjective assessment which takes into account factors such as the practical experience of the importer.

The problematic case studies (or “use cases”) relating to the use of cloud providers and business transfers where access to personal data is required in the “clear” remain, and the EDPB continues to state that it is “incapable of envisaging” any supplemental measure that would prevent the rights of data subjects being infringed. However, these too now include the additional “in practice” language, as well as a reference to encryption and pseudonymisation, which provides a slight distinction from the previous position, and potentially some scope to continue with these transfers in certain cases.

The finalised Recommendations make it clear that the requirement to take into account the practice in the importer’s jurisdiction applies in all cases, not just those where an assessment of the legislation alone might otherwise conclude that the jurisdiction doesn’t provide appropriate protection (i.e. those where it would be favourable to the exporter to look beyond the legislation). As a result, if an assessment concludes that:

• The legislation of an importer’s jurisdiction does provide appropriate protections, a further assessment must be carried out to confirm that such legislation is complied with in practice. If it is not, the assessment must conclude that the transfer can only go ahead if appropriate supplementary measures can mitigate that risk.
• There is no legislation in the importer’s jurisdiction which causes concern, then the exporter must consider if the practices of the importer’s jurisdiction are problematic.

Therefore, an extra step must be incorporated into the transfer impact assessment to evaluate relevant practices in all cases, even if the assessment concludes that legislation does provide appropriate protections. The implied message from the EDPB appears to be that exporters cannot “have their cake and eat it too” when it comes to subjectivity.

The following points are also of note:

• The EDPB makes explicit that Article 49 GDPR derogations for transfers should only be used on an exceptional basis and cannot “become the rule”.
• The list of possible sources to help assess the importer’s jurisdiction set out in Annex 3 has been expanded, and now includes internal records of the importer which indicate that no access requests have been received. However, note that the sources are listed in order of preference with this appearing at the bottom of the list.

The final Recommendations represent a very welcome shift towards a more subjective approach. However, all transfer impact assessments will still require very careful consideration. The EDPB repeatedly stresses the need to document the analysis that is carried out. The “transfer impact assessment” is officially here to stay as a routine part of any data transfer.

What about the UK position?

The EDPB Recommendations are not applicable to personal data processed under the UK GDPR and we await guidance from the ICO on its approach to transfer impact assessments. However, given the UK adequacy decision (see below), we consider it unlikely that the ICO’s approach will stray too far from that of the EDPB.

New EU Standard Contractual Clauses

On 4 June 2021 the EC published its final Implementing Decision (available here) (“EC Decision”) adopting new standard contractual clauses (“New EU SCCs”) for the transfer of personal data from the EU to third countries.

The New EU SCCs cover the following four different types of transfers to allow much greater flexibility and address some fundamental gaps in the existing versions:

• Controller to Controller
• Controller to Processor  
• Processor to Processor  
• Processor to Controller

The New EU SCCs are structured in a “modular” format. Each “module” can be used alone or together to cover multiple scenarios in one agreement. The clauses are split into (i) general provisions which apply to all modules; and (ii) specific provisions which must be selected based on the status of the parties.

The content of the clauses themselves has received the long overdue update that was required in order to reflect the requirements of the EU GDPR and Schrems II. The exact content of the clauses will depend on the modules that are selected, but address requirements in relation to:

• Safeguards and obligations.
• Dealing with data subject requests (including the obligation to provide a copy of the clauses to the data subject if requested).
• Use of sub-processors and onwards transfers.
• Redress and liability.
• Dealing with requests for access to data made to the importer by authorities.
• Article 28 requirements for processor arrangements (meaning that the New EU SCCs can be used as a standalone agreement for transfers to processors, without the need for an additional data processing agreement).

From a practical perspective, the addition of a “docking” clause (to allow additional parties to be added) is helpful and reflects the nature of data transfers with multiple parties which evolve over time.

Timetable for implementation

Perhaps reflective of the size of the task, organisations have been given 18 months to update existing contracts (increased from the 12 month period initially indicated in the draft EC Decision).

Helpfully, there is a grace period of 3 months to continue using the existing standard contractual clauses (“Existing EU SCCs”) before the previous EC decision is repealed. This will allow exporters with “in-flight” contract negotiations to conclude those arrangements using the Existing EU SCCs. These contracts will remain valid until 27 December 2022 provided that the processing operations remain unchanged.

What about the UK position?

The EC Decision and the New EU SCCs will not be binding on organisations which are not subject to the EU GDPR. We are expecting the ICO to publish a new set of UK standard contractual clauses to govern transfers of personal data from the UK to third countries later this summer. In the meantime, the Existing EU SCCs (as adopted by the ICO for UK to third country transfers following Brexit) will continue to be valid.