On 4 June 2021 the European Commission adopted two new sets of standard contractual clauses: one optional set for use between controllers and processors (to cover the obligations in Article 28(3) and (4) of the EU GDPR – the data processing contractual terms) (“the EC Article 28 SCCs”) and the other for international transfers of personal data (New SCCs). This update is about the New SCCs for international transfers.
The New SCCs come into force on 27 June 2021 and apply to the EEA and EU. Once in force, EU organisations will have 18 months to put the New SCCs into place for all new and existing contracts that used the previous set. But what does this mean for organisations in the UK that are transferring personal data outside of the UK?
Why were the New SCCs required?
The New SCCs have been updated to reflect the EU GDPR and the decision in the Schrems II case. The New SCCs also address some of the main defects in the previous sets of SCCs (Old SCCs) which many organisations rely on for their international personal data transfers.
Timeline for the New SCCs?
- Use of New SCCs: the New SCCs can be used as of 27 June 2021.
- Use of Old SCCs: organisations can continue to use the Old SCCs in their new contracts until 27 September 2021.
- Replacing Old SCCs: Organisations have a transitional period of 18 months ending on 27 December 2022 to replace all contracts containing the Old SCCs with the New SCCs.
The key points to note on the New SCCs:
- They are flexible. Instead of separate sets of clauses for different processing relationships, the international transfer clauses take a modular approach, covering controller-controller (C2C), controller-processor (C2P), processor-sub-processor (P2P), and processor-controller (P2C) transfers with interchangeable wording. The P2P and P2C are new and finally cover these transfer relationships.
- This approach provides more flexibility for increasingly complex processing chains and addresses gaps in data transfer protection.
- They can be multi-party. The New SCCs permit more than two parties to sign up to them via a "docking" clause, including during the life of the contract. This is good news which addresses a large gap in the previous version.
- They contain provisions to address Schrems II. The New SCCs now include practical guidance to help organisations comply with the Schrems II judgment, by providing:
  - a summary of the different steps necessary to comply with the Schrems II ruling, in particular, the things a data exporter needs to factor into a transfer impact assessment; and
  - examples of possible ‘supplementary measures’ (aka technical and organisational measures), such as encryption, that organisations may take to ensure the security of the data.
The UK position
The New SCCs are not yet recognised in the UK. The UK Information Commissioner's Office (ICO) only recognises the Old SCCs as an adequate transfer mechanism for international personal data transfers from the UK.
The ICO has stated that it is working on bespoke UK SCCs for international data transfers, which will be published in draft for consultation this summer. It has also previously stated that international data transfers would need to account for the impact of the Schrems II decision. Therefore, a different approach or substantial deviation from the EU’s approach to the New SCCs is unlikely.
Although the ICO also said earlier this year that it is considering recognising transfer tools from other countries, such as the New SCCs, it has not issued any more updates or guidance about this. This means that, for now, UK organisations should consider waiting for further announcements from the ICO before taking any action.
For now, we are recommending that UK organisations continue to use the Old SCCs for all restricted transfers to countries outside the UK that do not have an adequacy decision until the ICO issues its new UK SCCs.
Actions to take now – the UK position
EEA to UK transfers and UK to EEA transfers are allowed to flow freely under the EU adequacy decision for the UK (see below) and the UK's adequacy decision for the EEA. However, to prepare for the UK SCCs, you should:
- map all your processing relationships with suppliers;
- identify all international transfers, in particular US transfers, using the Old SCCs (this should be in your record of processing activities spreadsheet); and
- prioritise transfers that will need to use the UK SCCs and plan on which would require updating according to their risk level.
Undertaking this preparatory work now will greatly assist your organisation in migrating over to the new UK SCCs once they are in place.
UK Receives Adequacy Decision
On 28 June 2021, the UK received its long-awaited adequacy decision from the European Commission.
For the UK, this means it has been added to a list of countries that are recognised as ensuring an adequate level of protection for personal data, including Canada, New Zealand, and Japan.
The adequacy decision means that personal data can continue to flow between the UK and the EU without restriction, with one big 'but'.
For the first time, the EU Commission has included a ‘sunset clause’ in its adequacy decision, which strictly limits its duration. This means that the UK's decision only lasts for four years until 27 June 2025. After this, the adequacy decision expires, at which point the adequacy findings might be renewed. But this is only if the UK continues to ensure an adequate level of data protection.
During the four-year term of the adequacy decision, the EU Commission will closely monitor the legal situation in the UK, including concerning onward transfers of personal data.
The EU Commission can intervene at any point, including to suspend, repeal or amend the adequacy decision, if the UK deviates from the level of protection currently in place. If the EU Commission decides to renew the adequacy finding, the adoption process would begin again.
Given the TIGGR report, it is possible that UK law could diverge over the next four years, creating uncertainty for the stability of EU-UK data transfers under this decision. Organisations should monitor the UK Government's approach to data protection laws closely.
Insight from Emily Pepin, Data Protection Solicitor at Thorntons. For more information contact Emily on 03330 430350.