Transfers of personal data to countries outside the EEA are subject to GDPR safeguards. In the past the European Commission has made “adequacy” decisions regarding the security and respect for data protection rights offered by particular countries (for example New Zealand, Switzerland, Jersey and Guernsey). In the US there is no general data protection law but the EU recognised a “Safe Harbor” scheme which data controllers and processors located in the US could sign up to on a voluntary basis.

In 2015 the efficacy of Safe Harbor was challenged successfully in the European Court as not offering appropriate security and respect for data protection rights and was subsequently replaced with a “Privacy Shield” scheme with more oversight although the underlying principles remain the same.

In addition there are Standard Contractual Clauses approved by the European Commission as offering protection for personal data transferred from the EU to countries outside the EU. These contract terms impose obligations on both the transferor and transferee of the personal data.

There is currently a challenge to the Standard Contractual Clauses in the European Court of Justice on the basis that this data transfer mechanism does not offer data subjects adequate protection for their data protection rights and freedoms in the US as required under EU data protection law.

This challenge could have serious consequences as many organisations based in the UK rely on US systems hosts and apps.

In December 2019 a view was given to the Court by the EU Attorney General on the issue which will be influential in the final decision of the Court. The Attorney General’s opinion was that the Standard Contractual Clauses provide adequate protection but has cast doubt on the validity of Privacy Shield due to the surveillance powers in the US and the lack of effective remedies for EU citizens in the US under the scheme.

The Court will give its decision this year. There is little that we can do to prepare for the sudden loss of Privacy Shield or a ruling that SCCs are ineffective to protect personal data transferred outside the EU. Our reliance on these mechanisms is endemic. When Safe Harbor was invalidated in 2015 the Information Commissioner provided speedy guidance on next steps and we would be requiring similar assistance and support again in 2020 should Privacy Shield fall. In preparation we advise that UK based organisations should ensure that their records are up to date and specific about data transfers outside of the UK.