Victoria Hordern and Michael Charalambous examine the implications of new European recommendations for organisations transferring data outside the EU.

Does your organisation use a US vendor for data processing? Do you regularly share information about your employees, customers or supporters with parts of your organisation based outside the EU or with partners outside the EU? If so, you are making international data transfers. The area of international data transfers has recently become more complex, requiring quite a bit of hard thinking.

For a start, the European Data Protection Board has recently issued new recommendations for organisations who export data outside the EU. Additionally, the European Commission has published draft new Standard Contractual Clauses for organisations to use when exporting data outside the EU (also relevant for organisations based in the UK involved in data exports).

These developments follow on from the European court case known as Schrems II, which ruled the EU-US Privacy Shield invalid and highlighted weaknesses with the current Standard Contractual Clauses. The court also ruled on the ability of the SCCs to protect European personal data from international interference (specifically, the US) where government/ law enforcement authorities seek access to European personal data.  Essentially, the European regulators expect EU exporters to consider the addition of supplementary measures when making international data transfers.

These developments will be of interest to any organisation (including those in the UK) which transfer personal data outside Europe. The European Commission’s new draft SCCs will, once finalised, become the new clauses that EU (and UK) exporters will rely on.

Victoria Hordern and Michael Charalambous have published an article on this tricky area in this month’s edition of PDP (Privacy and Data Protection journal).