Legal development

Spotlight on International Transfers

    In July 2020, the decision in the case of Schrems II fundamentally changed the way companies in the UK and EU approached transfers of personal data. Since then, the spotlight of data protection compliance has barely moved from this topic.

    We've had onerous guidance from the European Data Protection Board on conducting transfer impact assessments, new EU model clauses, a new international data transfer agreement from the UK and draft guidance from the UK's ICO on conducting transfer risk assessments. Throw into the mix numerous regulator decisions across Europe prohibiting certain transfers of personal data and an impending deadline of 27 December 2022 to repaper data transfer agreements based on the old EU model clauses, and data protection practitioners have had a lot to contend with in trying to ensure data continues to flow across borders in a compliant way.

    A glimmer of hope has now appeared on the horizon for Trans-Atlantic data flows, with the signing by President Biden of an Executive Order, covering the activities of surveillance authorities in the US.

    We've compiled some FAQs about what these updates mean for your data transfer remediation projects over the coming months.

    1. What's the significance of 27 December 2022?

    27 December 2022 is the deadline for remediating all existing contracts which rely on the older versions of the EU standard contractual clauses ("Old EU SCCs") for transfers of personal data from the EU to third countries that are not subject to an EU Adequacy Decision. For an overview analysis of the New EU SCCs, please see our previous Data Bytes article (available here).

    This is essentially a repapering exercise. For those transfers of personal data from the EU, you will have needed to understand your data flows and sign up to new contracts incorporating the New EU SCCs. Responsibility for having the right clauses in place rests on both parties to a transfer (the exporter and the importer), so it is in every party's interest to engage in this process and ensure that the correct clauses are in place.

    The form of the New EU SCCs requires you to select and incorporate the relevant modular wording, which can be fiddly and an administrative burden. Ashurst has therefore developed an EU SCCs generator tool to assist our clients with efficiently and accurately completing the required information and selecting the correct modules. If you would like to take advantage of this tool, please get in contact.

    2. But haven't I got a bit longer for transfers of personal data from the UK?

    Correct. Restricted transfers of personal data from the UK to third countries that are not subject to a UK Adequacy Regulation will need to be governed by appropriate safeguards. Key dates to diarise are:

    • For contracts concluded on or before 21 September 2022 (provided that processing operations remain unchanged eg there are no changes to sub-contracting), the Old EU SCCs continue to be valid until 21 March 2024;
    • Current position: For all new restricted transfers and agreements being entered into where there is a change to processing operations, the UK's International Data Transfer Agreement ("IDTA") or the UK's Addendum ("Addendum") (links to each available here) must be incorporated into the relevant contract; and
    • 21 March 2024 is the deadline for remediating all existing contracts to incorporate the IDTA or Addendum.

    In reality however, many of our international clients have transfers of personal data occurring subject to master services agreements covering both UK and European data exporters. In this situation, the EU SCCs should be used to cover both sets of transfers and the Addendum used in respect of the transfers from the UK.

    3. What's the deadline for completing transfer impact assessments (TIAs) for data transfers from the EU and transfer risk assessments (TRAs) for transfers from the UK? 

    Not a straightforward question to answer. In theory, the requirement to complete TIAs has been in place since the Schrems II judgment, ie 16 July 2020. In reality, companies needed guidance from the regulators on how these should be completed. For Europe, this guidance was released by the EDPB on 18 June 2021, and in the UK we are still waiting for the finalised guidance from the ICO.

    Many of our clients have therefore been using the EDPB guidance as the basis for both TIAs for EU transfers and TRAs for UK transfers and producing these in tandem with the re-papered data transfer agreements.

    Although there have been a few examples of transfer impact assessments being analysed by courts/regulators in Europe and transfers being declared non-compliant, in the UK there has been no such regulatory action taken by the ICO yet.

    4. When can we expect the guidance on TRAs to be finalised and published from the ICO?

    Soon – we hope! Emma Bate, Legal Director at the ICO, said, when speaking at a techUK event on 17 October 2022, that the release of the guidance had been delayed whilst they reviewed it against the new data transfer provisions in the Data Protection and Digital Information Bill. But we should expect it in the coming weeks.

    For an overview of discussions about key changes proposed by the Data Protection and Digital Information Bill at an Ashurst Roundtable, please see our previous article (available here).

    5. Is President Biden's Executive Order the green light for transatlantic data flows? 

    Not quite, but this does seem like a significant turning point.

    On 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("EO"). Under the EO:

    • restrictions are imposed on signals intelligence activities (unless they are in pursuit of a 'legitimate objective');
    • bulk collection of signals intelligence is also restricted and shall only be authorised based on a determination; and
    • numerous safeguards and protections have been implemented for any US signals intelligence activities. These include a requirement for Intelligence Communities to update their policies and procedures to implement privacy and civil liberties safeguards and to appoint senior-level legal, oversight and compliance officials; and the creation of a new redress mechanism to review and consider complaints of US violations.

    This EO lays the foundation and paves the way for a new EU – US Data Privacy Framework (a new Privacy Shield) as announced by President Biden and European Commission President von der Leyen in March 2022. This new framework is intended to act as an 'appropriate safeguard' under GDPR and, if approved, would negate the need for the New EU SCCs and is also likely to be replicated for the UK. With that being said, if Max Schrems' initial response is anything to go by, we predict he will try to bring down this framework also!

    In the meantime, however, when completing a TIA/TRA for transfers of personal data to the US you should be able to point to the measures and safeguards outlined in the EO in your jurisdictional risk assessment. It will now be easier to reach a conclusion that personal data from the UK and EU is protected to a sufficient degree, even if the importer in question is not signed up to the Privacy Shield, as this is a commitment and restriction on the activities of intelligence agencies generally, not just in relation to companies who are signed up to the Privacy Shield.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

