4 June: EU Adopts New Standard Contractual Clauses
The first major development of the month saw the European Commission issue a new set of standard contractual clauses (“SCCs”) for the lawful transfer of personal data outside the European Economic Area (the “New SCCs”). Many organisations rely on SCCs to lawfully transfer personal data from the EU/ EEA. The Commission produced a draft version of the SCCs last autumn and we now have the final version.
So what changes?
Given that the previous versions of the SCCs were drafted in 2001, 2004 and 2010 (under the old EU Data Protection Directive), the New SCCs are designed to better reflect organisations’ obligations under the GDPR and the practical realities of data transfers as they have developed over time. For example, the New SCCs:
- Allow for a number of different ‘scenarios’ of transfer, including Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, and Processor-to-Controller data transfers. The previous SCCs only took into account the first two of these;
- Have been updated to reflect the requirements under the GDPR. In particular, controller data importers are more likely to be under detailed obligations concerning transparency and responding to data subject rights. Processor importers are now required to keep records of the processing activities they carry out on behalf of controllers;
- Allow for multiple parties to sign up to the clauses, and include a ‘docking clause’ to allow further parties to sign up at a later stage if required.
What about Schrems II?
Some of the key, and more onerous, updates in the new SCCs relate to the European Court of Justice’s Schrems II decision in 2020, which we have discussed before here, and to the responsibility of organisations to ensure that personal data is protected when it is transferred outside the EEA, including from public authorities that may wish to access it. Specifically:
- Under clause 14, the exporter (i.e. the transferor) must carry out a ‘transfer impact assessment’ in respect of the country or countries to which it is transferring personal data, taking into account (among other things): (i) the law and practice in that country; (ii) the type of recipient and details of onward transfers; (iii) the purpose of the processing and the nature of the data transferred; and (iv) the relevant economic sector in which the transfers occur. Such assessment must be documented and provided to the relevant supervisory authority (e.g. the ICO) on request.
- If the laws and practices of the recipient third country does not allow the parties to comply with the terms of the New SCCs (i.e. to provide a level of data protection essentially equivalent to the EU), then the exporter must suspend or stop the transfer, or implement ‘supplementary measures’ to ensure that the personal data is adequately protected.
UK organisations are not exempt from the implications of Schrems II now that the Brexit transition period is over. The ICO has confirmed that ‘The recent Schrems II decision will continue to apply if you are making a restricted transfer from the UK using SCCs.’
So what do we do now?
As of 27 June 2021, organisations in the EU/ EEA can use the New SCCs in relation to their data transfers. The previous SCCs will become invalid for all new agreements entered into from 27 September 2021 so it is prudent for organisations transferring personal data out of the EEA to start using the New SCCs from now on for any new agreements that they put in place.
If your existing agreements (those already signed) already incorporate the previous SCCs, you will have until 27 December 2022 to replace the previous SCCs with the New SCCs (assuming that your existing agreements will run on until after 27 December 2022).
The New SCCs are available for data transfers from the EEA. So logically, in their current form, it seems doubtful that UK exporters can rely on them (since the UK is not in the EEA). However, the Information Commissioner’s Office is due to consult on UK-specific SCCs this summer. It is possible that there will be some mechanism for UK exporters to rely on the New EU SCCs if confirmed as acceptable under UK law. In the meantime, the ICO has confirmed that organisations that are only transferring data outside of the UK can continue to use the previous SCCs.
For all international data transfers relying on SCCs, organisations must carry out transfer impact assessments.
18 June: EDPB Adopts Recommendations on Supplementary Measures
On 18 June, the European Data Protection Board (“EDPB”) built on the New SCCs by adopting its final version of the Recommendations on supplementary measures to ensure compliance with data protection laws when transferring personal data outside of the EEA (the “Recommendations”). The Recommendations were prompted following the Schrems II decision in order to help organisations understand what the ruling meant for their responsibilities to ensure personal data transferred outside the EU/ EEA remains protected.
Six Step Process
The Recommendations set out a six-step process that organisations should follow when transferring personal data out of the EEA, and also provide further guidance as to what supplementary measures organisations can put in place if they need to:
Step 1 – Know your transfers: Organisations must map their data transfers so they are aware of where they are transferring personal data.
Step 2 – Verify your transfer tool: Organisations must next make sure they have an appropriate transfer mechanism in place so that their transfers are lawful under the GDPR. This will often be SCCs, but may include any of the transfer mechanisms listed under Chapter 5 GDPR e.g. BCR, Certifications, Codes.
Step 3 – Conduct the transfer impact assessment (as described above in the section on the new SCCs): This should taking into account the law and practice of the country/ countries to which the personal data is being transferred.
Step 4 – Implement appropriate supplementary measures: If the transfer impact assessment reveals that the data protection law of the transferee country is problematic (i.e. if it prevents the parties from ensuring a level of protection that is equivalent to the GDPR, and/or does not meet EU standards on fundamental rights, necessity and proportionality) and that such legislation will apply to the personal data being transferred, then the exporter must either put supplementary measures in place to bring the level of protection up to essential equivalence or must not transfer the personal data. Examples of supplementary measures are set out in full in Annex 2 of the Recommendations, and include:
- Technical Measures, such as encryption or pseudonymisation.
- Contractual Measures, such as obligations on the data importer to implement the technical measures described above, to provide information about the law and practice in their country, and reinforced power for the data exporter to conduct audits of the data importer.
- Organisational Measures, such as internal policies with clear allocation of responsibilities for data transfers, documenting any requests received from public authorities (and the approach taken in each case), and data minimisation principles (in particular strict data access and confidentiality policies and practices).
Step 5 – Take any formal procedural measures that may be required: There may be further procedural steps in limited circumstances. For example, where the supplementary measures that you put in place contradict the SCCs, you will need to seek authorisation from the relevant supervisory authority.
Step 6 – Re-evaluate: Exporting organisations should monitor, on an ongoing basis, the developments in countries where they are transferring personal data (with the help of the data importer), and consider whether these affect their initial transfer impact assessment (and/or any subsequent supplementary measures that you may need to take).
So what do we do now?
As well as applying these steps to any future transfers out of the EEA and the UK, you should assess your existing international data transfers: where you are transferring personal data to and whether you need to implement any supplementary measures. Of course, this process will go hand in hand with the updating of your existing contracts to incorporate the New SCCs, prior to the ultimate deadline in December 2022.
28 June: EU Announces UK Adequacy
After months of speculation and with the end of the so-called ‘bridging period’ for EEA-UK data transfers looming, the EU has recently formally announced that the European Commission has adopted a decision to deem the United Kingdom ‘adequate’ for the purposes of international data transfers from the EEA.
What does it mean?
The upshot of this decision is that personal data can be freely transferred from the EEA to the UK, without the need for any transfer mechanisms such as SCCs or similar. There is also no requirement for transfer impact assessments where personal data is transferred from the EEA to the UK. The decision was widely expected given that the UK has adopted the EU GDPR in near-identical form, and the EU Commission has recognised that the same rules and protections apply in the UK post-Brexit as applied when the UK was an EU Member State.
What’s the catch?
The Commission’s decision did, however, contain within it a slight warning. For the first time, the Commission has included a ‘sunset provision’ in an adequacy decision, meaning that the UK’s adequacy status is only valid for a period of 4 years, after which it must be renewed. The Commission will also continue to monitor the legal landscape in the UK and can ‘intervene’ at any time if the UK’s data protection regime deviates too far from the level of data protection currently in place (which presumably means too far from the principles of the GDPR). This will be of real interest as the UK seeks to establish its own trading relationships with other nations around the world: if the UK allows for a more lax regime in order to facilitate data transfers with, for example, the US, will that have any bearing on the UK’s own adequacy in the future? Only time (and politics) will tell.
This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.
All content on this page is correct as of July 8, 2021.