UK data protection legislation sets out the rules for transferring personal data from the UK to a third country, including the US. For general processing, and unless a derogation can be relied upon, transfers are typically made either on the basis of an adequacy decision of the European Commission in respect of the third country or by using one of the so-called “alternative transfer mechanisms”, such as “Standard Contractual Clauses” or “Binding Corporate Rules”.
On Thursday 16 July the Court of Justice of the European Union handed down its judgment in the case known as “Schrems II”. The Court invalidated the EU’s “Privacy Shield” adequacy decision and it is therefore no longer a valid basis for the transfer of personal data from the UK to the US. The Court also concluded that “Standard Contractual Clauses” remained a valid legal mechanism for international transfers, where such clauses can, in light of the wider circumstances, secure the level of protection required under the GDPR.
The UK Government is working with the Information Commissioner’s Office and international counterparts on the implications of the judgment and to update guidance on international data transfers as soon as possible.
During the transition period the CJEU’s decisions are binding on the UK. From the end of the transition period, the UK will be responsible for the means by which personal data may be lawfully transferred to countries outside of the UK, including adequacy decisions and alternative transfer mechanisms.