October 28, 2020

Volume X, Number 302


October 27, 2020

Subscribe to Latest Legal News and Analysis

October 26, 2020

Subscribe to Latest Legal News and Analysis

Double Trouble For Data Transfers Post-Brexit And Post-Schrems II?

The recent landmark Court of Justice for the European Union (CJEU) case C-311/18 (Schrems II), and the end of the Brexit transition period on 31 December 2020, will have a significant impact on the smooth running of international business.

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor. It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield selfcertification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

As a consequence of Schrems II, companies with operations in Europe must now check whether or not their suppliers, and any of their suppliers’ subcontractors or vendors, were relying on Privacy Shield. If they were, those businesses must now use an alternative method of legal compliance.

The most popular method of alternative compliance is the use of Standard Contractual Clauses (SCCs). These are form contracts published by the European Commission and executed between data exporters and data importers. They permit the lawful export of personal data from the European Union and essentially provide that personal data is protected to a European standard. SCCs contain a provision that requires the exporter and importer to check that there is no local law or other circumstances that could adversely affect the protection of the personal data.

The CJEU also ruled in relation to these SCCs. Companies must now assess each SCC to make sure there are no local laws that can adversely affect the protection of personal data to European standards. Many companies will have thousands of these contracts in place. Although it is often easier for the data importer to undertake this assessment, as they will have the same contract in place with many of their European customers, under law it is the data exporter, or the customer, that is responsible for this assessment being done correctly and on a case by case basis.


Technically, the United Kingdom has already left the European Union. Practically, however, the United Kingdom is in a transition period, during which all laws remain as they were until 31 December 2020. After this date, no EU laws, including the General Data Protection Regulation (GDPR) will form part of UK law. One key feature of the GDPR is that it permits the free flow of personal data amongst EU Member States.

Although the UK Government has already passed the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019, which will ensure that, on 1 January 2021, the UK data protection regime is essentially equivalent to the GDPR, this will not on its own be sufficient to allow the free flow of personal data from the European Union to the United Kingdom. What is required is for the European Commission to determine that UK data protection law is “adequate”.

This will require a complex and comprehensive assessment, made more complex because, like the United States, the United Kingdom has extensive legislation allowing for bulk surveillance of communications. The EU assessment will therefore need to examine not just that legislation, but also the ability for individuals in Europe to have adequate redress against the UK Government where their consider that their European data protection and privacy rights have been infringed.

In a recent communication, the European Commission recognised that an adequacy determination by December 31 is unlikely, and that companies should immediately take compliance steps to ensure that personal data can be legally transferred from the European Union to the United Kingdom, and that personal data previously received from the European Union is protected. The most obvious compliance mechanism are the SCCs, but as we now know from Schrems II, rather than just signing these contracts, companies must undertake a case by case assessment. 

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 267



About this Author


Ashley Winton focuses his practice on global data protection and privacy, information governance and cybersecurity compliance. He has particularly in-depth knowledge of cyber breach response, cybersecurity in the context of payment systems, the lawful interception of data, and the conflict of laws in relation to corporate and government investigations and international litigation. Ashley frequently represents major corporations, trade associations, charities and government entities on a range of data privacy and cybersecurity issues and he has significant experience in...

Dr. Laura Scaife Data Protection Attorney McDermott Will & Emery London, UK

Dr. Laura Scaife focuses her practice on data protection, data monetization and law governing social media. She has in-depth experience within the media industry, advising on strategic policymaking, regulatory implementation and relations with external auditors including the Law Commission and the Information Commissioner’s Office.

Laura has advised on some of the most high profile information security breaches, liaising with the Serious Fraud Office and the Financial Conduct Authority amongst others. Laura has advised clients across the sports and media industries, as well as advising FCA regulated entities, technology companies, ultra-high net-worth individuals and investment banks.

Laura has also advised on the implementation of GDPR across a number of global organisations, undertaking data protection audits and impact assessments and ensuring handling and care of all personal data. Laura has key experience in lobbying draft amendments through the European Commission for e-Privacy regulation as well as working with the House of Lords and the shadow cabinet to obtain key amendments to the draft Data Protection Act 2018.

44 20-75776934