On Friday 4 June 2021, the European Commission issued a final set of standard contractual clauses for international data transfers (“New EU Transfer SCCs”). The new clauses are one of the mechanisms that allow a lawful transfer of personal data under the EU General Data Protection Regulation (“GDPR”) to an organisation outside the European Economic Area (“EEA”).
The UK data protection regulator, the Information Commissioner’s Office (“ICO”), has been quiet so far on how – if at all – it expects UK organisations to use these New EU Transfer SCCs. Currently, the ICO only acknowledges the older sets of SCCs for international data transfers as a mechanism that satisfies the requirements of the UK GDPR following the UK’s departure from the EU on 1 January 2021. The EU GDPR and the older set of SCCs were effectively frozen in time on that date, so new developments do not carry across automatically. Could this be a sign of how easily the UK and the EU will diverge, even if only temporarily?
Are the New EU Transfer SCCs an improvement on what went before?
If the New EU Transfer SCCs were accepted for use by the ICO, they would offer UK organisations some helpful and important upgrades. Not least, the new clauses reflect the EU GDPR, not the previous data protection law.
Perhaps the most helpful element, though, is the modular approach, which acknowledges that the world of data flows is complex and multi-layered. Organisations can now select from four options (being careful to delete the correct elements!): controller-to-controller, controller-to-processor, processor-to-sub-processor and processor-to-controller. Until now, many organisations have had to live with solutions that they cobbled together from the older set of SCCs. For example, they may have been using an EU processor that uses a non-EU sub-processor, or they may have been a non-EU controller asking an EU processor to send personal data back. There was no solution under the old SCCs that permitted transfers of this kind, so organisations had to put in place something that – although it was not technically permitted – they hoped would be effective if tested.
The New EU Transfer SCCs also acknowledge that arrangements between parties will evolve over time. Contracting parties, activities, appropriate security safeguards and the assessment of the law and practice on the ground in each jurisdiction are all likely to change regularly. The New EU Transfer SCCs therefore include mechanisms that enable organisations to make these changes over time, so that the contractual terms reflect the actual reality of the processing at the time. This in turn will enable organisations to maintain compliance with the GDPR as their businesses and projects evolve. Compliance becomes more practical, but organisations will need to do more work upfront to document their practices. They will then need to diarise and plan regular reviews to monitor changes and make any contractual updates that are required throughout the life of the arrangements. Once effective systems are in place, our hope is that this will help organisations to manage compliance in these data-sharing and supplier arrangements in a practical way. Historically, many organisations tended to do a one-off (and sometimes mediocre) job of documenting arrangements and then left the documents in a drawer, hoping that they would never have to be used.
The New EU Transfer SCCs also require organisations to document their assessment of the impact of the law and practice in the relevant jurisdiction on the rights and freedoms of individuals. The EDPB has just released its final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which will provide some clarity to EU organisations on how to complete such an assessment. These international data transfer assessments are critical to allowing compliant international transfers of personal data after the Schrems II case earlier this year. Organisations must also monitor these international data transfer assessments regularly to ensure that they are up to date. It’s worth noting that UK and EU regulators may ask for a copy at any time!
The ICO has promised its own SCCs this summer. At the same time, it may comment on whether the New EU Transfer SCCs are an appropriate mechanism for UK companies to use (with a view to avoiding multiple SCCs in one arrangement).
Usually, we all hope for a long summer, but in this context, we’d prefer a short one, where organisations receive some clear guidance before they are forced to take a view and sink costs into potentially unproductive sticking-plaster solutions.
Do organisations need to act straightaway?
The types of transfer that are involved will dictate when organisations will need to adapt their approach and enter into new agreements:
- If you are using the older set of SCCs for existing or new transfers out of the UK, then, at the time of writing, that continues to be permitted until the ICO or the UK government replaces them or issues guidance on next steps.
- If you are using the older set of SCCs for existing transfers out of the EEA, you have the next 18 months (until 27 December 2022) to replace them.
- If you are planning to use the older set of SCCs for new transfers out of the EEA, that is permitted only for the next three months (until 27 September 2021). After that point, the New EU Transfer SCCs must be used.
If you need help assessing your options or implementing the New EU Transfer SCCs, please let us know.
Do the New EU Transfer SCCs apply to organisations that are based outside the EEA?
Intriguingly, the New EU Transfer SCCs may not be appropriate if the EU GDPR applies to an organisation that is based outside the EEA.
Article 3(2) of the EU GDPR states that the Regulation applies to the activities of controllers and processors that provide services to – or monitor the behaviour of – data subjects in the EU. Consider two examples:
- The existing guidelines on territorial scope that the European Data Protection Board (“EDPB”) has issued give an example of a non-EU company providing HR management services to its EU-based employees. The EDPB states that HR management services “cannot be considered as an offer of a service within the meaning of Article 3(2)(a)”.
  In this scenario, the EU GDPR does not apply to the processing by the non-EU company, and the New EU Transfer SCCs can be used.
- To elaborate on the problem, another example might be where a US data storage provider holds EEA personal data on behalf of an EEA consumer software provider. Here, the US company is a processor that processes the personal data of data subjects in the EEA in relation to the offer of services by the EEA software company.
  In this scenario, the EU GDPR does apply under Article 3(2)(a), so (according to Recital 7 of the European Commission’s decision) the New EU Transfer SCCs are not appropriate.
In theory, this means that a vast swathe of processing activities by organisations outside the EEA would fall outside the requirement to use the SCCs. This is a huge leap to take without significant fanfare or guidance from the regulators, so we hope that the ICO will pass comment soon (if only to clarify its own existing statements in the context of restricted transfers after Brexit). It has confirmed that it is currently working on bespoke UK SCCs, and it intends to go out for consultation on those in the summer. We also hope that the EDPB will soon issue its own opinion on the interplay between territorial scope under Article 3 and the transfer restrictions under Chapter V of the EU GDPR.
If you need help considering how to transfer personal data lawfully between jurisdictions, or in implementing the New EU Transfer SCCs, please let us know.