Under data protection law in the UK, organisations cannot transfer personal data outside of the UK or the EEA without ensuring that the personal data is safeguarded in the same way that it would be if it remained in the EEA. There are some exceptions to this (such as where the individual has provided explicit consent to the transfer, after being made aware of the risks), but most large-scale transfers rely on one of following methods of securing equivalent protections.
The first of these is where the EU has issued an "adequacy decision" - which means that the EU has assessed the laws of the relevant country, and declared that they provide sufficient protections to allow a transfer.
Other options include Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs), both of which seek to place contractual safeguards on data being transferred, which offer equivalent protections.
The US does not have an adequacy decision as such, but it did have the 'Privacy Shield' - a voluntary code that US organisations could sign up to, which purported to ensure that information would be protected to EU standards.
Mr Schrems challenged the adequacy of the SSCs with the European Court. The Court found that the SSCs are still valid (in principal at least) but invalidated Privacy Shield.
The Court found that the law in the US around surveillance and general privacy of citizens meant that, effectively, US organisations could not guarantee equivalent protections to personal data, even when complying with the shield.
The effect of this decision is that organisations in the EEA (and the UK), cannot rely on the shield to transfer personal data to the US. Organisations can still rely on SCCs and BCRs in principle. However, organisations are required to carry out an assessment to ensure that safeguards are in place and put in place supplemental measures where appropriate.
The European Data Protection Board (EDPB - a body which provides advice and guidance on European data protection law) has stipulated that this risk assessment must be carried out whenever SCCs or BCRs are used, which may mean that organisations have to seek legal opinions on the protections offered by the laws of any country to which they are intending to export data.
The EDPB has said that the assessment should be made on "a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection."
However, there is no guidance on what such an assessment might look like or indeed what sorts of safeguards should be put in place. The EDPB has stated that it is "looking further into what these supplementary measures could consist of and will provide more guidance."
The ICO had initially suggested that, if an organisation used Privacy Shield prior to the court decision, it could continue to do so in the short term. However, that guidance is no longer available on the ICO's website.
Organisations will therefore need to consider SCCs or BCRs unless the transfer falls within one of the limited exemptions.
All international transfers that rely on SCCs or BCRs will need an assessment of the protections offered by the law of the recipient country, with a conclusion that the level of protection offered by the SCCs or BCRs is equivalent to that provided by the GDPR, or details of additional safeguards that have been put in place.
However, it is unclear what such additional safeguards will look like. There has been suggestions that safeguards should include encrypting data such that it cannot be accessed in the destination country or including additional contractual safeguards requiring the recipient of the data to resist requests from law enforcement agencies. However, such options may not be practical in many cases. For example, encryption may work if the data is simply being stored in the USA but not if it needs to be accessed or viewed there.
As noted above, the EDPB has referred to producing guidance on what "additional safeguards" might look like if you need them in addition to the SCCs or BCRs, but at the time of writing, no such guidance has been published. The ICO has confirmed that it will continue to regulate using a risk based proportionate approach, and is considering the effect of the decision.
In the absence of any specific guidance, therefore, organisations could consider taking stock of their international transfers, and review any that might be high risk. Where personal data is clearly at risk, action should be taken to mitigate this where possible, such as encrypting the data.
We expect many organisation to adopt a 'wait and see' approach and continuing to rely on SSCs and BCRs, even if this runs the risks of technical non-compliance whilst waiting for further clarification from the ICO and the EDPB.
Finally, (and this applies more generally and not just in regard to international transfers) where you engage large corporations to store or transfer data (such as Google or Microsoft), look out for specific updates relevant to the services that you use. Often, these will require you to take some form of action to ensure that they are valid and apply to your agreement, so be aware that you may have to click a link, or request a specific agreement/set of terms in order to comply.