From today, organisations who rely on EU approved Standard Contractual Clauses (SCCs) as a transfer tool to transfer personal data outside of the EU, must use the new Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (New SCCs) for any new contractual arrangements. Existing contracts which incorporate the old SCCs will remain valid until 27 December 2022, after which they must be updated with the New SCCs.
The New SCCs have been modernised to reflect changes in data protection law introduced by the General Data Protection Regulation 2016/679 (GDPR) and take into account developments arising from the European Court of Justice (CJEU) ruling in Schrems II. Most notably, the New SCCs require organisations to have a framework in place to conduct transfer impact assessments and assess whether supplementary measures are needed to ensure personal data is afforded an essentially equivalent level of protection wherever it is processed.
Modular approach. The New SCCs are modular in structure and cover four different transfer scenarios (or modules) which the contracting parties can select depending on the data transfer in question and the relationship between the parties. In addition to Controller to Controller transfers and Controller to Processor transfers, which are covered by the old SCCs, the New SCCs cater for Processor to Sub-Processor transfers and Processor to Controller transfers. The addition of Processor to Sub-Processor clauses is particularly welcomed as it addresses the long-standing problem of personal data being transferred by processors to external service providers located outside of the EU.
The modular structure of the New SCCs and the ability for parties to “accede” to the clauses during the contract term provides for greater flexibility and allows the New SCCs to better deal with the reality of the digital economy, where in practice it is common to see multiple data importers and exporters in long and complex processing chains.
Obligations of the parties. Each module sets out the obligations of the parties, which vary depending on which of the four modules applies. Broadly speaking, the New SCCs include obligations in line with the GDPR and cover familiar principles such as purpose limitation, transparency, data minimisation and security. In line with the accountability principle introduced by the GDPR, each party must be able to demonstrate its compliance with its obligations. In particular, the data importer is required to keep appropriate documentation of its processing activities.
Local Laws. In Schrems II, the CJEU highlighted the need for data exporters to assess whether the laws and practices of the destination country provide adequate protection for the data being transferred, and where adequate protection cannot be guaranteed, to consider whether additional safeguards can be put in place to ensure that data subjects are afforded a level of protection that is essentially equivalent to that guaranteed within the EU.
In light of this, the New SCCs require both the data exporter and data importer to warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer will prevent the data importer from fulfilling its obligations under the New SCCs.
In giving this warranty, both parties are required to take into “due account” a number of factors concerning the transfer, including the specific circumstances of the transfer, the purpose of processing, the length of the processing chain, any intended onward transfers, the laws and practices of the third country of destination and whether any relevant contractual, technical or organisational safeguards are required to supplement the New SCCs.
Essentially this will require the parties to carry out a transfer impact assessment in order to assess whether the personal data being transferred can be adequately protected by the New SCCs or whether supplementary measures are required to ensure essential equivalence. When carrying out this assessment, the parties should take into account the European Data Protection Board’s final Recommendations 01/2020 on supplementary measures which were adopted on 18 June 2021.
Organisations who are subject to the UK GDPR are not able to rely on the New SCCs as an adequate transfer tool for international transfers of personal data out of the UK. However, the UK Information Commissioner’s Office (ICO) has been working on a bespoke set of UK SCCs to replace the old EU SCCs and, on 11 August 2021, finally published a set of draft documents for public consultation. The draft documents include an International Data Transfer Agreement (UK SCCs), a UK Addendum to the old EU SCCs, and a Transfer Risk Assessment tool which takes into account Schrems II considerations and must be completed before the UK SCCs can be entered into.
The consultation closes on 7 October 2021, following which changes are likely to be made to the draft documents. Until the New UK SCCs are officially adopted, organisations who operate in both the UK and the EU must continue to use the old SCCs for restricted transfers out of the UK and the New SCCs for restricted transfers out of the EU. Businesses relying on the old EU SCCs will also need to remember to review whether the old SCCs provide sufficient protection for data subjects and, if not, adopt additional measures to ensure essential equivalence. The ICO’s draft Transfer Risk Assessment is likely to be a useful tool to help with this assessment.
UK Adequacy Decisions
Whilst the new UK SCCs will no doubt be an important mechanism for transferring personal data out of the UK, the UK Government has acknowledged the importance of the UK granting adequacy decisions to third countries such as Australia, Colombia, Dubai, Singapore, South Korea and the US. Granting adequacy and supporting the continued free flow of personal data internationally will be an essential step in the Government’s plan to develop “a world leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”. However, as the UK will no doubt want to retain its own adequacy decision with the EU, the extent to which the UK will diverge from existing EU data protection standards when developing its own standards, particularly when it comes to its adequacy assessments of third countries such as the US, remains to be seen. No doubt any changes to the UK data protection regime will involve a careful balancing act between the UK’s own interests and those of the EU.
From today, organisations operating in the EU will need to ensure that they operate on the New SCCs for all new contractual arrangements. For existing arrangements that will continue past 27 December 2022, i.e. when the old EU SCCs cease to be valid, businesses may choose to switch to the New SCCs straight away; otherwise they should ensure they have a plan in place that allows them to transition to the New SCCs before the old EU SCCs are repealed. Any continued reliance on the old SCCs should be supported by a Schrems II style transfer impact assessment.
Organisations subject to the UK GDPR have a bit more time before the new UK SCCs are formally adopted (hopefully later this year), but should use this time to assess their data flows and current transfer arrangements and implement an action plan that allows them to transition across to the new UK SCCs, carry out the requisite transfer impact assessments in line with the UK ICO’s guidance, and ensure ongoing compliance with the requirements of the UK SCCs.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.