On 4 June 2021, the European Commission published the finalised version of the new Standard Contractual Clauses (the “New EU SCCs”). Standard Contract Clauses govern the transfer of data from the EU to third countries deemed by the European Commission to provide “inadequate” levels of data protection.
Key features of the New EU SCCs include:
- Providing for data transfers involving multiple parties and complex data processing chains.
- Following the guidance set out in the Schrems II judgment, (see our blog here) by requiring parties to initially assess the risk of transferring personal data to a third country.
- Consistency with the General Data Protection Regulation (“GDPR”) by, for example, ensuring that the obligations on data processors now include all elements required under Article 28 GDPR.
When do they come into effect?
Businesses can start using the New EU SCCs from 27 June 2021 (the “Effective Date”). For three months from the Effective Date, businesses will still be able to enter into new contracts using the existing Standard Contractual Clauses (the “Old SCCs”). The Old SCCs will be repealed on 27 September 2021. Existing data transfers based on the Old SCCs can continue to take place for a further 15 months, until 27 December 2022.
What do businesses need to do now?
Businesses in the EU should commence updating their template supplier contracts and other data export agreements, as well as updating their systems and processes, to ensure that they are compliant with the New EU SCCs before the end of September. Businesses can use the 18-month grace period from the Effective Date to identify all existing data transfers based on the Old SCCs and update them with the New EU SCCs.
Will the New EU SCCs be adopted in the UK?
It is not yet clear how the adoption of the New EU SCCs will affect transfers to and from the UK. The Information Commissioner’s Office (the “ICO”) announced at the start of May 2021 that it is working on new Standard Contractual Clauses to facilitate transfers of personal data outside the UK (the “New UK SCCs”). These are expected to be consulted on this summer. Until these come into force or until the ICO decides to recognise the New EU SCCs as a valid transfer mechanism, the ICO will only recognise the Old SCCs.
Businesses in the UK should therefore continue to use the Old SCCs for the time being but, taking into account the requirements of Schrems II, should be reviewing whether they provide sufficient protection for data subjects and if necessary taking additional measures.
Is there any update on the position on UK-EU transfers?
Following Brexit, the UK became a “third country” for data flows from the EU. In draft decisions published in February 2021, the European Commission deemed the UK to be “adequate.” This means that the European Commission has provisionally accepted that the UK data protection regime affords adequate protections for data subjects in the EU.
In April 2021, the European Data Protection Board (“EDPB”) assessed the alignment of the UK Data Protection Act to the EU GDPR and to the Law Enforcement Directive. Whilst it found that, in many aspects, the UK Data Protection Act was essentially equivalent to the EU data protection framework, the EDPB called for the UK to clarify its position on laws that allow government agencies to collect bulk data, such as internet and phone use.
Last month, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy in line with the opinion of the EDPB. The European Parliament does not, however, have the ability to block the adoption of any adequacy decision made by the European Commission. Before a final decision can be reached in relation to the UK’s adequacy status, the European Commission must seek approval from representatives of each EU Member State. A final decision is due to be reached later on this year.
We shall keep you informed of the latest developments. In the meantime, until 1 July 2021, transfers of personal data from the EU to the UK can continue unrestricted.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.