The ICO says that the judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd (Schrems II) has wider implications than just the invalidation of the EU-US Privacy Shield. “It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK”, it says. The ICO notes the publication by the European Data Protection Board (EDPB) of its FAQs on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs) (see item above), and emphasises that this guidance still applies to UK controllers and processors.
Further work is under way by the European Commission and EDPB to provide more comprehensive guidance on extra measures that may need to be taken. In the meantime, the ICO advises organisations to take stock of the international transfers they make and react promptly as guidance and advice become available.
The EDPB has recommended that organisations should conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist with this.
The ICO says that it is considering carefully its role in the oversight of international transfers in the light of the judgment and that it will continue to apply a risk-based and proportionate approach in accordance with its Regulatory Action Policy. It also says that it understands the many challenges UK businesses are facing at the present time and will therefore continue to provide practical and pragmatic advice and support.