Rules on Cross-Border Data Transfers become (a little) clearer

White & Case LLP

White & Case LLP

In recent weeks, there has been a series of important developments affecting cross-border data transfers. First, on 21 June 2021, the European Data Protection Board ("EDPB") published its final, much-anticipated Recommendations 01/2020 on supplementary measures to ensure compliance with EU data protection laws. Second, on 27 June 2021, the European Commission's new standard contractual clauses ("SCCs") came into effect. Finally, on 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK.

The EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the Schrems II decision, in which the Court of Justice of the EU ("CJEU") invalidated the EU-U.S. 'Privacy Shield' pact, and also held that organisations must put in place "supplementary measures" in order to continue to rely on SCCs. In summary, the Recommendations provide a six-step process to assist data exporters with assessing the level of data protection offered in third countries and in determining whether additional supplementary measures are needed for data transfers. Examples of technical, contractual and organisational measures are included within the Recommendations.

In addition, the European Commission's new SCCs for international data transfers came into effect on 27 June 2021, following their publication in the Official Journal on 7 June 2021. The newly published SCCs resolve certain practical issues, create greater flexibility in terms of the scenarios that they cover, align the wording closer to the provisions of the GDPR, and introduce new obligations for data transfers to third countries (see our previous client alert for a more detailed analysis of the issues).

Most recently, the European Commission has adopted two adequacy decisions for the UK – one under the GDPR, and the other for the Law Enforcement Directive. This means that "personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law" (see our previous client alert for further detail). It is worth noting that these adequacy decisions (like all adequacy decisions) have a shelf life of four years, after which they may or may not be renewed. If, during the initial four-year period, the UK diverges from the EU's approach to data protection, then the Commission can intervene and ultimately revoke the adequacy decisions. In addition, as noted above, adequacy decisions can be overturned by the CJEU.

Zoe Harvey, a Trainee Solicitor at White & Case, assisted in the development of this publication.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Written by:

White & Case LLP

White & Case LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.