UK: Transfers Of EEA/UK Data To The US And Other "GDPR Non-Adequate Countries". What Is Required?

On May 6, Microsoft released its  plan to support customers by enabling them to "process and store all their data in the EU", which should be ready by the end of 2022. Microsoft seems to be reacting to the market's needs following the Schrems II decision (see below).  Microsoft is calling this plan the EU Data Boundary for the Microsoft Cloud.

Schrems II

On 16 July 2020, the EU Court of Justice issued a decision (so called "Schrems II") invalidating the EU/US Privacy Shield and imposing tighter restrictions when using EU approved Standard Contractual Clauses ("SCCs"). This ruling was driven by concerns regarding surveillance by US agencies. Specifically, the court found, that the protections offered in the Privacy Shield agreement were not "essentially equivalent to those required under EU law". The SCCs are a lawful mechanism for data exports, and are subject to a review of the recipient country's laws, potentially adding the need for supplementary measures to ensure that the personal data exported from the EEA or the UK continues to be protected by equivalent standards to the ones in the EEA or the UK respectively.

Since the Schrems II decision, it has become increasingly difficult to be able to rely on SCCs to transfer personal data from the EEA or from the UK to the US. This is because the EU Court of Justice made it clear in the ruling, that reliance on SCCs without further assessment would not be permissible.

Whilst the UK GDPR is a separate regime and, at least in theory, the UK is free to make its own adequacy decision regarding the US, the UK is not expected to make such a finding unless the European Commission does.

Given Schrems II and the latest development around Brexit, companies would also need to ensure that they implement any necessary additional measures to ensure that any personal data that leaves the EEA/UK environment is adequately protected.

The European Data Protection Board ("EDPB")  Recommendations

In a Recommendation from the EDPB, it is recommended that exporters of personal data from the EEA ("EEA Data") follow a number of steps when assessing third countries and identifying appropriate supplementary measures where needed.

This includes mapping the transfers of data outside the EEA, assessing if there is anything in the law or practice of the third country that may affect the effectiveness of the SCCs and adopting the formal procedural steps and supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.

As stated above, the UK Data Protection Regulator (the "ICO") is likely to follow a similar criteria regarding transfers of personal data to from the UK to non-adequate countries.

What to do?

Storing data locally in the EEA or in the UK would certainly help to overcome the need for exporters of EEA or UK Data to follow the EDPB recommended steps when assessing third countries.

However, EEA and UK data exporters would still need to: (i) keep carefully assessing any transfers of personal data outside the EEA or the UK; (ii) implement adequate safeguards and follow the EDPB recommendations; and (iii) consider suspending such transfers when they cannot ensure level of protection of the personal data transferred equivalent to the GDPR requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.