After much anticipation, the European Commission recently published two new sets of Standard Contractual Clauses. We take a look at what this means practically for EU and UK businesses.
Under GDPR, transfers of personal data to countries outside of Europe must have safeguards in place, the most popular of which is Standard Contractual Clauses (“SCCs”), in particular since Privacy Shield was invalidated for transfers of data to the US last year. SCCs are essentially template contracts which businesses can use, together with a risk assessment, to legitimise transfers of data outside the EU to countries that are not considered to have adequate privacy laws.
Does this affect UK businesses? In short, yes.
Although the UK has left the EU, GDPR has effectively been carried over into UK law as at Brexit. We are now waiting to see if the UK’s regulator, the ICO, will also update the “UK” version of the SCCs to retain consistency with the EU. It probably will – see below for more.
Up until now, the European pre-approved templates that businesses have been working with were published pre-GDPR and haven’t been updated since.
On 4 June 2021, the European Commission published two sets of SCCs:
1. The “new international transfer SCCs” – these SCCs replace the current SCCs (the “old SCCs”). They provide more flexibility for complex processing chains, by adopting a “modular approach” and by allowing more than two parties to use the clauses. The old SCCs had separate sets of clauses for different processing arrangements (although these did not deal with all scenarios), whereas the new international transfer SCCs are more versatile and are designed to deal with a broad range of transfer scenarios in one document.
2. The “data processor SCCs” – these SCCs apply regardless of whether there is an international transfer and are intended to be a template agreement for the mandatory clauses under GDPR that should be in contracts between controllers and processors.
For those of you who aren’t familiar with the name, Max Schrems is an Austrian lawyer and GDPR campaigner who has brought a number of legal challenges to the EU’s data privacy regime. His legal complaints have focussed on the exporting of EU data to the US. He originally made a complaint about Facebook to the Irish data protection regulator that made its way through the Irish legal system and was ultimately referred to the CJEU, the EU court. As a result of his case, which considered the validity of the old SCCs, in July 2020 the CJEU ruled that the EU-US Privacy Shield was invalid. This followed a similar ruling in 2015, in which the CJEU had decided that the old EU-US “Safe Harbour” system was also invalid.
Amongst other things, one of the issues that the Schrems litigation dealt with was the concern over personal data transfers to non-EU countries (specifically to the US) that routinely permit government agencies to access the data. In that case, the CJEU held that the old SCCs were a valid legal mechanism for transferring personal data outside the EEA, but that businesses were required to carry out a case-by-case risk assessment as to whether, in practice, the old SCCs were sufficient to safeguard the data in a particular country, or whether additional safeguards should be implemented.
The new international transfer SCCs have been drafted to try to address some of the concerns with transfers of data to third countries. That said, these are contractual safeguards and don’t remove the practical issues which may arise where European individuals’ personal data is transferred to a country which doesn’t afford the same protection to individuals. Businesses will therefore still need to undertake a risk assessment to determine whether there are any additional steps (e.g. security/encryption or other protections) that they need to put in place. This risk assessment is likely to become more important going forwards, and regulators will expect it to be clearly documented.
Here are some dates for your diary as you think about your implementation plan:
Businesses can continue to use the old SCCs for the moment, as long as they are finalised in the next three months. The obvious advantage is that these are familiar, and there is currently no practical guidance on how the new international transfer SCCs will operate.
However, if an agreement which is being negotiated now is likely to extend beyond December 2022, the old SCCs will need to be replaced in any event, so you may want to put the new international transfer SCCs in place now, to save yourself some work in future.
The ICO (the UK regulator) has confirmed that it intends to consult and publish its own SCCs during the summer of 2021.
It may make sense for UK businesses to wait and see what the ICO says, as it is not clear whether the new international transfer SCCs will apply (which would be the most logical scenario), whether the ICO will rely on the old SCCs, or whether it will put a completely new template in place. Some UK businesses may still find themselves subject to GDPR and needing to enter into the “European” new international transfer SCCs.
Businesses should conduct a review of their data transfers and work out which of those are reliant on the old SCCs.
In the immediate short term (and, for UK businesses, pending what the ICO says about the correct form of SCCs to use for international transfers), for arrangements that are currently being negotiated, companies should work out whether they will use the old SCCs or move to the new international transfer SCCs (which may be most appropriate where the arrangement is likely to continue beyond December 2022).
Businesses should also allow time to update any old SCCs before December 2022.
If you would like a copy of our “cheat sheet” which sets out all of the data privacy documents you may need for your business as well as when you need them, please get in touch and we can send it over to you.