Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case.
Anyone transferring personal data internationally will have been watching the recent judgment of the CJEU with some trepidation. International data transfers, that are so vital for the global economy, suddenly became open to question.
The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.
The European Data Protection Board (EDPB) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs), and this guidance still applies to UK controllers and processors.
Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.
The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.
The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.