
Transfers of EEA/UK data to the US and other “GDPR non-adequate countries”. What is required?

May 18, 2021 By Preiskel & Co

On May 6, Microsoft released its plan to support customers by enabling them to “process and store all their data in the EU”, which should be ready by the end of 2022. Microsoft seems to be reacting to the market’s needs following the Schrems II decision (see below). Microsoft is calling this plan the EU Data Boundary for the Microsoft Cloud.

Schrems II

On 16 July 2020, the EU Court of Justice issued a decision (the so-called “Schrems II”) invalidating the EU/US Privacy Shield and imposing tighter restrictions when using EU approved Standard Contractual Clauses (“SCCs”). This ruling was driven by concerns regarding surveillance by US agencies. Specifically, the court found that the protections offered in the Privacy Shield agreement were not “essentially equivalent to those required under EU law”. The SCCs are a lawful mechanism for data exports, and are subject to a review of the recipient country’s laws, potentially adding the need for supplementary measures to ensure that the personal data exported from the EEA or the UK continues to be protected by equivalent standards to the ones in the EEA or the UK respectively.

Since the Schrems II decision, it has become increasingly difficult to rely on SCCs to transfer personal data from the EEA or from the UK to the US. This is because the EU Court of Justice made it clear in the ruling that reliance on SCCs without further assessment would not be permissible.

Whilst the UK GDPR is a separate regime and, at least in theory, the UK is free to make its own adequacy decision regarding the US, the UK is not expected to make such a finding unless the European Commission does.

Given Schrems II and the latest development around Brexit, companies would also need to ensure that they implement any necessary additional measures to ensure that any personal data that leaves the EEA/UK environment is adequately protected.

The European Data Protection Board (“EDPB”) Recommendations

In a Recommendation from the EDPB, it is recommended that exporters of personal data from the EEA (“EEA Data”) follow a number of steps when assessing third countries and identifying appropriate supplementary measures where needed.

This includes mapping the transfers of data outside the EEA, assessing if there is anything in the law or practice of the third country that may affect the effectiveness of the SCCs and adopting the formal procedural steps and supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.

As stated above, the UK Data Protection Regulator (the “ICO”) is likely to follow similar criteria regarding transfers of personal data from the UK to non-adequate countries.

What to do?

Storing data locally in the EEA or in the UK would certainly help to overcome the need for exporters of EEA or UK Data to follow the EDPB recommended steps when assessing third countries.

However, EEA and UK data exporters would still need to: (i) keep carefully assessing any transfers of personal data outside the EEA or the UK; (ii) implement adequate safeguards and follow the EDPB recommendations; and (iii) consider suspending such transfers when they cannot ensure a level of protection for the personal data transferred that is equivalent to the GDPR requirements.

Please contact Jose Saras if you have any questions relating to data protection policies and procedures.

The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.
