The European Commission's new Standard Contractual Clauses (SCCs) provide welcome certainty for businesses transferring personal data to countries outside the European Economic Area (EEA). But they come at the cost of extra compliance burdens for those already dealing with the fallout of the Schrems II ruling of July 2020, increased regulatory activity within the EU, and a UK position which remains fluid, despite the Commission's recent UK adequacy decision.
In this Insight, we pull together the various strands influencing cross-border data transfers and pick out what businesses need to know, and what action they can consider taking, right now.
1. Businesses can use the new SCCs now – but may be able to wait
The new SCCs will replace the old SCCs (though not necessarily in the UK – see section 6). The old SCCs had become the go-to mechanism for most organisations looking to legitimise personal data transfers from the EEA and the UK to data importers in territories that do not have the benefit of an adequacy decision, under both the EU General Data Protection Regulation (GDPR) and the UK GDPR. Organisations have been able to use the new SCCs in their data transfer arrangements since 27 June 2021.
However, there is a phased approach to implementation, giving businesses the option of delaying in some cases. When entering into new contracts, companies can continue to include the old SCCs until 27 September 2021. For existing contracts, companies have a transitional period of 18 months, ending on 27 December 2022, to replace the old SCCs with the new SCCs, unless the processing operations that are the subject matter of the contract change in the meantime, at which point the new SCCs must be used instead.
Actions to consider: Review the provisions of the new SCCs; determine the situations in which new SCCs will be required; ensure you can comply with the provisions in the new SCCs; plan the introduction of new SCCs for new transfer arrangements; and then update customer and vendor agreements with the new SCCs where appropriate.
And what action can be taken on existing agreements? Identify agreements that currently use the old SCCs; consider whether any processing operations have changed; plan replacement of agreements incorporating the old SCCs.
2. The new SCCs align more closely with the realities of modern data processing
Aside from introducing long-overdue updates as a result of the entry into force of the GDPR in 2018, the new SCCs cater better for the realities of modern data processing by encompassing more complex processing scenarios – and also reflect the Schrems II ruling. They adopt a modular approach, which provides more flexibility, including processor-to-(sub)-processor clauses, as well as covering transfers from an EEA processor back to a non-EEA controller. These scenarios were not covered by the old SCCs.
Actions to consider: Understand your data transfers; assess which modules will be most appropriate for each type of data transfer (including scenarios which were previously not covered by the old SCCs).
3. The new SCCs cannot be used where the data importer is directly subject to the EU GDPR
For the first time, the new SCCs can also be used by exporters located outside the EEA (provided the EU GDPR applies to their processing). However, one aspect that has already given rise to debate is the wording of Recital 7 of the Commission's Decision adopting the new SCCs, which states that the new SCCs cannot be used if the importer is directly subject to the EU GDPR in respect of the transfer in question. Given the extra-territorial application of the EU GDPR combined with its restrictions on transfers, the practical effect of this wording is unclear, and for now it makes it harder for companies to know exactly when the new SCCs should be used – particularly for intra-group data transfers. The European Data Protection Board (EDPB) is expected to provide more clarity on this point in due course.
Actions to consider: Determine whether the new SCCs are actually required, including the extent to which the EU GDPR applies directly to intended third-country data recipients; monitor for further guidance from the EDPB; consider whether to take a lower-risk approach and use the new SCCs for all relevant transfers.
4. Clarity on transfer impact assessments and supplemental measures
Since the Schrems II decision, there has been a renewed focus on assessing transfers relying on data transfer tools (including those using SCCs) on a case-by-case basis to determine whether personal data will be adequately protected by SCCs, or whether supplementary measures are needed. The new SCCs provide some welcome clarity for businesses on what form these impact assessments should take, but place significant additional – and ongoing – obligations on exporters (and importers, who must assist) in such assessments and ongoing monitoring. Exporters must consider the following issues in their impact assessments, which must be documented and made available to any competent supervisory authority on request:
- the specific circumstances of the transfer, including the length of the processing chain; the number of actors involved; the transmission channels used; the purpose of the processing; the categories and format of the data, as well as its storage location; and the economic sector in which the transfer occurs;
- the law and practice in the country of destination relevant to the specific circumstances of the transfer, including those requiring disclosure of data to, or enabling access to data by, public authorities; and
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards in the SCCs.
The new SCCs also align with the EDPB's Recommendations on supplementary measures. The Recommendations highlight the importance of assessing not only whether the laws of the destination country meet EU data protection standards, but also whether the practices of the third country's public authorities undermine the effectiveness of the safeguards contained in the new SCCs (or other transfer tools). If the local law falls short of EU standards, or the practices of public authorities mean the safeguards cannot be relied on in practice, the exporter must either implement adequate supplementary measures or suspend the transfer. These issues will be important early considerations for any business planning to transfer personal data outside the EEA.
Actions to consider: Establish a process for the required data transfer impact assessment, reflecting the six-step roadmap set out in the Recommendations; create a template or tool for the risk assessment and prepare internal stakeholders; decide how to implement the (extended) obligations under the new SCCs; start discussions with the other party in each data transfer scenario to obtain their input for the data transfer impact assessment.
5. Data transfers are increasingly a target for EU regulators
As there has been no enforcement action by the UK Information Commissioner's Office (ICO) in this area, it would be easy for UK-based organisations to overlook the risks of carrying out data transfers without complying with the new obligations. However, recent enforcement action by national data protection authorities in the EU – notably in Germany, Portugal, France and Ireland – shows that there is an appetite to enforce the Schrems II ruling and data transfer obligations more generally. For example, several German state data protection authorities recently announced that they would be contacting selected data controllers and asking them to complete questionnaires eliciting detailed information about their data transfers, with a view to checking Schrems II compliance.
The possibility of scrutiny and action by public interest groups (such as Max Schrems' non-profit privacy organisation) must not be overlooked, especially since much of the enforcement action already taken resulted from complaints lodged with supervisory authorities. Whilst the focus seems to have been on data transfers to the U.S. so far, and we have yet to see heavy fines, the uplift in enforcement action looks set to continue and we are likely to see further developments in this area.
Actions to consider: Act now to ensure you are able to comply with the impact assessment requirements in the new SCCs – and to put any necessary supplementary measures in place – in time to start using them in new contracts from the end of September 2021, when the old SCCs can no longer be included in new contracts. Failure to do so risks exposure to targeted enforcement action across the EU.
6. The new SCCs are not yet recognised in the UK
The new SCCs have not replaced the existing SCCs in the UK and so are not a valid transfer mechanism for personal data within the scope of the UK GDPR. The ICO is currently considering whether to recognise the new SCCs as a valid transfer mechanism under the UK GDPR; this would require a change in law and is therefore likely to take some time. The ICO also plans to consult on bespoke UK SCCs in summer 2021. In the meantime, businesses may have to use two sets of clauses: the old SCCs for transfers out of the UK, and the new SCCs for transfers of personal data out of the EEA.
Actions to consider: As part of the recommended information-gathering actions in respect of the new EU SCCs, look at what changes would be needed to switch from the old SCCs to any bespoke UK SCCs. Consider whether you need to double up until the UK position becomes clearer, using the old SCCs for transfers out of the UK and the new SCCs for transfers out of the EEA.
7. No need to use the new SCCs to legitimise data transfers from the EEA to the UK… for now
On 28 June 2021, the Commission announced that it had adopted a GDPR adequacy decision for the UK, meaning that personal data can flow freely from the EEA to the UK without the need for SCCs (or other legitimising mechanisms).
In the short term, that decision provides welcome certainty for businesses who have been relying on interim data transfer arrangements for the last six months. But the UK is the first country whose adequacy decision includes a "sunset clause", under which the decision automatically expires four years after its entry into force. In the medium to longer term, therefore, any divergence between the UK and EU data protection regimes risks jeopardising renewal of the decision or, in a worst-case scenario, leading the Commission to suspend, repeal or amend its decision before the four-year term has expired.
It remains to be seen how the new UK data protection regime will evolve compared to the one that is now in place. However, it is likely that data protection laws will remain a key area of focus as the UK government explores its new-found regulatory and trade freedoms. For example, a recent report from the Taskforce on Innovation, Growth and Regulatory Reform recommended replacing the UK GDPR with a new, more proportionate UK Framework of Citizen Data Rights to give people greater control of their data, while allowing for the data to flow more freely and drive growth across healthcare, public services and the digital economy. While these are just early stage proposals, the recommendations provide an interesting insight into the possible direction of travel for UK data protection laws.
Actions to consider: Consider whether contracts need to include mechanisms for handling future uncertainties in this area of regulation, be it the consequences of a future Commission decision not to renew the UK adequacy decision, the introduction of bespoke SCCs by the UK, or further actions by privacy activists.
For a more detailed overview of aspects of the new SCCs, see our introductory article here.