Following the public consultation in November 2020 by the European Commission and feedback from the European Data Protection Board (“EDPB”) on the draft version of the new standard contractual clauses for international personal data transfers from the European Union to third countries (the “New SCCs”), the European Commission formally adopted the New SCCs on 4 June 2021. The consultation itself stemmed from Schrems II where the CJEU concluded that while the existing standard contractual clauses (the “Old SCCs”) were still valid, underlying transfers must be assessed on a case by case basis.
The adoption of the New SCCs will impact many businesses since use of standard contractual clauses has been the most relied upon route for businesses to transfer personal data to third countries whilst still maintaining compliance with their obligations on personal data transfers set out in the EU General Data Protection Regulation (“GDPR”).
Modular: The Old SCCs only envisaged personal data transfers from controller-to controller and from controller to processor. The New SCCs cover the following transfers:
Multi-Party: The New SCCS are structured so as to permit transfers of personal data between several parties and so formalise how the Old SCCs were often used. In addition, the New SCCs include a “docking” clause – this allows for additional parties to be added over time (particularly useful for large companies with evolving intra-group structures to manage).
Obligations: The New SCCs are more onerous than the Old SCCs as the New SCCs build on the Old SCCs by imposing new obligations which stem for the EU GDPR (which was not in force when the Old SCCs were drafted). The New SCCs effectively impose a form of the EU GDPR on data importers and so, coupled with the step change in regulatory and civil litigation risk for non-compliance in recent times, mean that the New SCCs will not (as was common with the Old SCCs) be able to be simply signed and filed away.
Of particular note are the clauses included as a result of Schrems II as these require the parties to carry out transfer impact assessments (a copy of which must be supplied to the supervisory authority on request) to determine the risk of transferring personal data to a third country and take appropriate action if access to that data is sought. If the data importer›s local laws or practices change, the data exporter must update the transfer impact assessment.
In addition, there are new obligations imposed concerning the access to personal data by public authorities.
The EDPB is expected to finalise its recommendations on compliance with Schrems II shortly and therefore it remains to be seen how those recommendations and the New SCCs will interact and whether additional provisions will be required once those recommendations are published.
The Old SCCs may still be entered into for a 3 month period after the Commission Decision entering into force and existing transfers papered under the Old SCCs will be grandfathered for an 18 month period starting from the Commission Decision entering into force.
The UK ICO is due to issue a consultation this summer on its own standard contractual clauses. Pending the outcome of this consultation it is clear is that the Old SCCs can still be used as the Old SCCs do remain valid under English law and will be unaffected by the New SCCs.
In order for the New SCCs to be valid for transfers from the UK, the UK would need to recognise the New SCCs as they are not automatically valid.
Whilst the transition period is generous, identifying existing international personal data transfer arrangements that will persist post the end of the grandfathering period and repapering them will be an extremely labour intensive project for many (especially large) businesses.
With regards new transfers of personal data, companies will need to formulate a strategy as to how they will implement the New SCCs and determine which Module applies to each category of personal data transfer both in terms of intra-group transfers as well as third party transfers. Such plans will also need to take into account any guidance to be issued by the EDPB regarding Schrems II as outlined above.
At Garfield Smith – Technology & Data Lawyers data protection is at the heart of our business. We are available to assist businesses navigate these new waters and can help shape projects to ensure robust compliance with the New SCCs is achieved in a time effective way.