Insights

Why Does Your Business Need to Pay Attention to International Data Transfers?

March 9, 2022

When it comes to moving personal data between countries with different rules, there’s a lot going on at the moment.  Countries with highly protective regimes (in particular, those in the European Union) want to ensure that their citizens’ data is protected, but many industries (and the tech sector in particular) are global and keeping data in one place is difficult.

What’s the background to all of this?

There have been controls on transferring personal data out of the EU since the first data protection directive back in 1995 (and even earlier in individual EU countries).  The GDPR bolstered the restrictions and over the past few years, Max Schrems (and, more recently, his privacy activist group NOYB) have been putting pressure on regulators to enforce the rules more strictly.  

In July 2020 the Court of Justice of the European Union issued a decision on the case of Data Protection Commission v. Facebook Ireland, Schrems – now commonly referred to as “Schrems II”.  The key finding of this ruling was that:

  • The EU-US Privacy Shield arrangement for sharing personal data was incompatible with the GDPR and could no longer be used as a mechanism to legitimise transfers to the US; and
  • Where the Standard Contractual Clauses (“SCCs”) mechanism was used to legitimise transfers to countries not recognised by the EU to have an adequate level of protection, the onus was on the party sending to the data to ensure that such a transfer could be compliant with the GDPR – i.e. before transferring, the data controller needed to confirm for themselves that the data would be adequately protected once it arrived in the other country, or put in place other protective measures.  

In short, as well as knocking the US Privacy Shield on its head, Schrems II said that SCCs on their own are not necessarily enough.  

Why do the EU regulators seem to have a vendetta against US companies?

In reality, they don’t.  The rules are the same for data transfers out of the EU/UK to all countries that don’t have a decision of “adequacy”, it’s just that with so many popular Internet services being hosted in the US, performing functions such as web analytics, cloud storage and CRM services, transfers in that direction are more difficult to avoid than elsewhere.

Since Schrems II there has, therefore, been much debate over whether transfers to the US, in particular, could ever meet the obligations that EU businesses have to their EU customers under the GDPR.  

The reasons for the level of uncertainty over the US are complicated, and will be one of the topics for our webinar on 1st April 2022 but (as reported in a recent expert opinion by the German Courts) it seems to boil down to the fact that the US government could compel a wide variety of companies located in (or storing data in) the US to hand over that data – in some cases even if the data itself is stored in a different country.  There is also a concern over the lack of ways for data subjects (individuals) to enforce their rights once their data has been sent to the US.

What’s happened to Standard Contractual Clauses recently?

Following Schrems II, with limited alternative options available, most businesses have relied on the SCCs to legitimise transfers of personal data out of the EU/UK.  

As of right now, there are two versions of the SCCs:

  • Transfers from the EU use the ‘new’ EU SCCs which were published June 2021; and
  • Transfers from the UK use the “UK SCCs”, which are effectively the pre-June 21 EU SCCs (the UK didn’t adopt the new EU SCCs in June 2021 because it had left the EU by then).  

From 21 March 2022 the UK SCCs will be replaced by the UK international data transfer agreement. Contracts that incorporate the UK SCCs and that conclude on or before 21 September 2022 will need to be updated to the new international data transfer agreement by 21 March 2024.

Great!  Shiny new Standard Clauses!  Now we can transfer to the US, right..?

Errm…  Nope! (sorry…)

For quite a while following Schrems II there was a LOT of head-burying and hoping that the regulators would overlook the fact that data was being transferred to the US with no additional protection.  However, over the past few months, NOYB has filed 101 complaints with data protection authorities across Europe and the decisions relating to these complaints are now starting to be published. Right now the challenge for businesses is getting harder to overcome rather than easier.

For example, the Austrian data protection authority recently found that the use of Google Analytics (in that case, by a relatively small organisation) was not compatible with EU data protection laws.  

This is significant for two reasons:

  • Almost every business in the EU/UK that has a website uses Google Analytics.  If all the decisions on the 101 NOYB complaints go the same way, ALL of these websites could effectively be deemed illegal.
  • The problem is not only with Google Analytics but with sharing data to the US in general which captures so many other commonly used services that ultimately stores personal data in the US.  

It is thought that, as the other decisions come through, other EU regulators will follow suit, although even if they do, this ruling will not apply in the UK as a consequence of Brexit.  However, given the factors considered by the Austrian Data Protection Authority, it is hard to see how the UK data protection authority (the Information Commissioner) could come to a different conclusion, leaving many data protection practitioners thinking it may only be a matter of time until such a ruling would apply in the UK.

Should businesses just stop transferring data to the US?

This is one solution, but hugely impractical to the majority of businesses.  Since the US is home to some of the largest tech companies in the world, many EU (and UK) businesses rely on US companies for services that are not easily replaceable, and for which transferring personal data is unavoidable.  Examples of this include marketing technology, cloud service providers, social media engagement and software services.

Businesses could try limiting transfers to the US to only non-personal data such as business information, and aggregate information that cannot identify the individual.  This could mean something like using cookies that collect aggregate information (e.g. how many visitors the website has) rather than individual personal data (e.g. tracking what each individual visitor does).

Other measures are likely to be out of the hands of most businesses.  These could include:

  • Big US tech companies like Google may convince the European Courts that they can put enough measures in place to satisfy the transfer rules (which may simply not be possible with the current set of laws at play) or can manage UK/EU data without transferring it the US at all in a way which would not capture the data under US surveillance laws;
  • new international transfer mechanism to be agreed. Whilst talks are constantly underway between officials to make an alternative to the EU-US Privacy Shield, there is no guarantee that this can be agreed or how long this could take (and until the US laws change, each alternative mechanism is likely to be challenged as non-GDPR compliant). However, if this happens it might at least buy some time;
  • the US changing its surveillance laws.  

Here at Stephenson Law, the flock isn’t holding its breath for any of the above!  However, if you’re planning to wait and see whether any of these options materialise, check back in with us regularly or subscribe to our newsletter – we’ll be sure to tell you if it happens.

What should businesses do now?

We recognise that the constant legal developments around international transfers put many businesses somewhere between a rock and hard place.  It’s more important than ever to keep a careful record of your personal data and who you share it with so that you can stop any transfers that are likely to prove risky and are ready to react to new developments as they arise.

In the meantime, UK companies can start identifying which agreements need to use the new UK International Data Transfer Agreements (the new UK SCCs) and prepare to replace their old documentation.

The legal experts in our data protection team are always on hand to talk about your business’s options.  Join us on 1 April 2022, when we will be discussing “Where is your data going? And why does it matter?” with Jayaram Law, based in New York and Chicago.

We’re the experts in getting data on your good side. Find out more about our data protection offering here.

Receive our insights directly to your inbox by signing up to our newsletter

Recommended content