The New Standard Contractual Clauses: Understanding Changes to your International Data Transfers

Introduction

International transfers of personal data have been a hot topic for a long time now in Europe – and rightly so. The downside of being the “reference point for data protection laws” is that other jurisdictions do not accord the same level of protection to personal data as the European Union does. After a lengthy process involving recommendations from the European Data Protection Board and the European Data Protection Supervisor, the European Commission finally adopted updated Standard Contractual Clauses. 

What are the Standard Contractual Clauses? 

Personal data is protected in the European Economic Area (the EEA) by the General Data Protection Regulation (EU) 2016/679 (the GDPR). 

Under the GDPR, any country that is not part of this bloc is automatically deemed to be a “third country” that does not provide the same or a similar level of protection to personal data as is accorded under the GDPR. These third countries therefore have to rely on one of the safeguards under Chapter V of the GDPR.

One of these safeguards is the Standard Contractual Clauses, or as they are more commonly referred to, the SCCs.

The SCCs are model clauses drafted and adopted by the European Commission which set out the obligations and rights between data importing and data exporting parties, to be used when personal data is being transferred from the EEA to a third country. This is a safeguard mechanism to ensure that such EEA personal data will be treated in the same way in the third country it is transferred to, as it is treated in the EEA – i.e., in compliance with the GDPR.

Why have they been changed?

As mentioned above, there has been an ongoing conflict between the high-level protection accorded to personal data under the GDPR, and the national security and data access laws in third countries. 

This conflict came to a boil in the Schrems II case last year, where the Court of Justice of the European Union invalidated the EU-US Privacy Shield regime, and added some clarity to the use of the SCCs.

This included an obligation on the parties to assess the legal regime of the recipient country and the likelihood of data disclosure requests from these third countries’ public authorities. For example, in the Schrems II case, originally invoked in Ireland by privacy activist Schrems against Facebook, the US was seen as problematic due to the wide data capture rules under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which conflict with the GDPR.

Accordingly, the European Commission has now published new SCCs which address the issues highlighted in Schrems II. The new SCCs have also been aligned to the GDPR, since the previous versions date back over a decade.

When do the new SCCs take effect? 

The European Commission published its Implementing Decision on 4 June, which introduced two new sets of SCCs: 

1. SCCs for the transfer of personal data to third countries - also known as Transfer SCCs, or just the SCCs, which replace the old SCCs used for international personal data transfers; and

2. SCCs for use between controllers and processors - also known as Article 28 Clauses, which are a new creation covering controller-processor obligations under Article 28 of the GDPR.

The SCCs entered into force on 27 June 2021 and all new deals involving international data transfers occurring after 27 September 2021 need to incorporate the new SCCs.

If you have already signed the old SCCs with your personal data transfer partners, you have an 18-month grace period from the implementation date to migrate your existing SCCs to the new SCCs, so until 27 December 2022. 

Brexit:

The European Commission also recently adopted an Adequacy Decision for the United Kingdom, which means that the UK has been deemed to provide an adequate level of protection to personal data as is accorded under the GDPR. Coupled with the Adequacy Regulation granted by the UK to the EU under the Brexit trade agreement, this means that entities sharing personal data between the UK and the EEA will not be required to rely on another mechanism under Chapter V of the GDPR - and will not have to enter into SCCs for such transfers. 

Aside from UK-EEA personal data transfers, if you are a data exporter in the UK who wants to transfer personal data to organisations outside the UK and the EEA that are not based in one of the 12 countries given an adequacy decision by the UK, then you should continue to use the old SCCs, not the new Transfer SCCs. The Information Commissioner’s Office has stated that it shall be releasing new SCCs under the UK GDPR, which shall then replace the old SCCs under the GDPR.

Find out more about the new SCCs, what they contain and how they need to be drafted in our upcoming blog post. 

Final comments: 

As international personal data transfers are the bread and butter of many industries today, it is important to stay on top of your compliance requirements and ensure you migrate to the new regime as soon as possible, and in any case, no later than the end of 2022. 

Here at Gerrish Legal, we are in the process of creating a new automation tool to help you with such SCCs and other agreements – so keep an eye on our website for this! 

In the meantime, if you have any questions, please do not hesitate to contact us.
