
After Schrems II and Brexit: data protection regulations between EU and a third country

More security for companies on urgent data protection issues: the EU Commission has renewed the standard contractual clauses and issued an adequacy decision for the UK, thus declaring the UK's data protection equivalent to that in the EU.

In July 2020, the European Court of Justice terminated the EU-US Privacy Shield in its "Schrems II" decision, but it ruled that the standard contractual clauses (SCCs), which are another mechanism for transferring data out of the EEA, remain valid. However, if they are not enforceable in the country receiving the data, they need to be accompanied by additional measures (e.g. encryption). The SCCs remain the most important data transfer method.

Standard contractual clauses updated

On June 4, 2021, the EU Commission published two new sets of standard contractual clauses. These are designed to help businesses clarify some of the thorny issues raised by the "Schrems II" ruling.

One set of the new standard contractual clauses covers data transfers between controllers and processors within the EEA, creating a type of standard data processing agreement. The use of this set of SCCs is not mandatory.

The other set regulates all possible types of transfers of personal data to a third country. It takes into account the requirements of the General Data Protection Regulation (GDPR) and the "Schrems II" ruling of the European Court of Justice and ensures a high level of data protection, the Commission said. These standardized SCCs are intended to provide companies with an easy-to-implement template to comply with data protection requirements.

The new SCCs for data transfers out of the EEA follow a modular approach. By choosing the applicable modules, companies can cover data transfers from controller to controller, controller to processor, processor to processor and processor to controller.

Free flow of data even after Brexit

In addition, Brexit, which was completed at the end of the year, created uncertainty for data transfers. This is because the United Kingdom became a third country vis-à-vis the EU, and data transfers had to be reorganized.

With its latest decisions, the European Commission has provided more clarity for companies. In its adequacy decision of June 28, 2021, the EU Commission stated: The level of data protection applicable in the UK is equivalent to that of the EU GDPR. Even after Brexit, personal data can therefore flow unhindered from the European Union to the United Kingdom. However, there is a sunset clause that terminates the decision after four years in order to reassess the UK’s data privacy legislation.

A new Schedule 21 to the UK Data Protection Act 2018 provides that transfers of personal data from the UK to the EEA, Switzerland and Gibraltar are covered by the UK adequacy rules. No further safeguards or exemptions are therefore needed for such transfers.

What does the recent EU decision on data protection adequacy in the UK mean for your business? What could it mean for your EU and non-EU customers? Find answers in the guide International Transfers - where are we now? by UK law firm Clayden Law.
