In an increasingly interconnected world, preserving the free flow of data across borders is crucial to the prosperity of businesses operating in every industry. But over the last year, there have been a number of important data protection developments in Europe that have a direct impact on the supply chain and distribution arrangements operated by organizations. These developments are restricting the ways in which businesses can share personal data within their organizations and with counterparties internationally. They include:
- Brexit – While the Brexit transition period ended as 2021 began, the continued free flow of personal data between the European Union (“EU”) and the United Kingdom (“UK”) was paramount to the survival of many businesses operating in Europe. The EU-UK Trade and Cooperation Agreement provided for a further transitional period of up to six months from January 1, 2021 (the “Additional Transition Period”). During this time, the UK is not a third country for the purposes of the European General Data Protection Regulation (“EU GDPR”). But the European Commission must pass a decision that the UK offers an adequate level of data protection before the end of this deadline if transfers of personal data are to continue between businesses operating in the EU and UK in the medium to long term without having to overcome additional restrictions.
- Schrems II – A significant Court of Justice of the European Union (“CJEU”) decision which, alongside subsequent European Data Protection Board (“EDPB”) guidance, has altered how international data transfers between businesses must be evaluated and undertaken (for a further analysis of the judgment see our Legal Update and further commentary).
- New standard contractual clauses for international data transfers (“New SCCs”) – Following Schrems II, the European Commission (“EC”) has published a draft of New SCCs (see our Legal Update), which will govern the sharing of personal data between businesses inside and outside of the EU.