In recent weeks, there has been a series of important developments affecting cross-border data transfers. First, on 21 June 2021, the European Data Protection Board ("EDPB") published its final, much-anticipated Recommendations 01/2020 on supplementary measures to ensure compliance with EU data protection laws. Second, on 27 June 2021, the European Commission's new standard contractual clauses ("SCCs") came into effect. Finally, on 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK.
The EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the Schrems II decision, in which the Court of Justice of the EU ("CJEU") invalidated the EU-U.S. 'Privacy Shield' pact, and also held that organisations must put in place "supplementary measures" in order to continue to rely on SCCs. In summary, the Recommendations provide a six-step process to assist data exporters with assessing the level of data protection offered in third countries and in determining whether additional supplementary measures are needed for data transfers. Examples of technical, contractual and organisational measures are included within the Recommendations.
In addition, the European Commission's new SCCs for international data transfers came into effect on 27 June 2021, following their publication in the Official Journal on 7 June 2021. The newly published SCCs resolve certain practical issues, create greater flexibility in terms of the scenarios that they cover, align the wording closer to the provisions of the GDPR, and introduce new obligations for data transfers to third countries (see our previous client alert for a more detailed analysis of the issues).
Most recently, the European Commission has adopted two adequacy decisions for the UK – one under the GDPR, and the other for the Law Enforcement Directive. This means that "personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law" (see our previous client alert for further detail). It is worth noting that these adequacy decisions (like all adequacy decisions) have a shelf life of four years, after which they may or may not be renewed. If, during the initial four-year period, the UK diverges from the EU's approach to data protection, then the Commission can intervene and ultimately revoke the adequacy decisions. In addition, as noted above, adequacy decisions can be overturned by the CJEU.
Zoe Harvey, a Trainee Solicitor at White & Case, assisted in the development of this publication.