Gary LaFever | December 28, 2020

ICO Alerts UK Companies That Supplementary Measures Are Recommended for Uninterrupted Data Flows with EU-EEA Customers

28 December 2020 - The ICO today issued a statement that:

"As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data."

EU and EEA organisations transferring personal data to UK processors and joint controllers have an immediate obligation under CJEU rulings to protect against unlawful processing of EU personal data. Today's statement by the ICO highlights that the "six-month extension" under the EU-UK arrangement does not eliminate these obligations.

Click here for the full ICO statement.

The Court of Justice of the European Union (CJEU) made its position clear in the Schrems II ruling involving the US (C-311/18) and subsequent rulings involving the UK, France, and Belgium (Case C-623/17; C-511/18; C-512/18; C-520/18) that even within the EU (prior to Brexit) legislative initiatives dealing with economic and national security issues do not override the constitutional rights of EU data subjects.

For predictability of operations purposes, data controllers are best served by technical and organisational measures that comply with CJEU rulings to " to safeguard against any interruption to the free flow of EU to UK personal data," including:

  • Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear; and
  • Remote Access to Data for Business Purposes. [1]

Companies can ensure predictability of operations ongoing use of data by establishing a defensible position by implementing compliant Supplemental Measures / Additional Safeguards to achieve desired business results while respecting and enforcing the fundamental rights of data subjects.

Learn About Compliant Supplementary Measures / Additional Safeguads

After holding several panels on Schrems II issues with the European Data Protection Supervisor (EDPS), None of Your Business (NOYB), Future of Privacy Forum (FPF), Promontory, Cooley, and Fieldfisher, we received over a thousand follow-up questions, and hundreds of inquiries requesting briefings. We created a no-cost Briefing Portal in response to overwhelming requests from General Counsels and senior-level privacy professionals for additional information.

This Briefing Portal streamlines the process for interested professionals and provides a no-cost, self-paced educational platform. Access expert content, analysis, and discussion of the key concepts behind Schrems II, and learn how to support your clients or organisation to take action.

Register at to learn about Schrems II Compliant Supplementary Measures / Additional Safeguards and other matters pertaining to lawful international data transfers after Schrems II using SCCs and BCRs.

You may be interested in joining the Schrems II Linkedin Group focused on critical discussions and analyses related to using technically-enforced Supplementary Measures and SCCs, which you will not find elsewhere.

[1] See;; and

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.