The EU’s General Data Protection Regulation (GDPR) made headlines when introduced in 2018, and led to significant changes to how UK businesses handle data. This year – and even though the UK has left the EU – there are new EU data rules coming in, to which UK businesses may need to respond.
The latest changes are to the EU’s Standard Contractual Clauses (SCCs), and have been long-awaited. The SCCs govern the transfer of personal data from the EU to third countries and were recently approved by the European Commission. They come into force on 27 June 2021.
The new SCCs supersede previous versions of standard contractual clauses approved by the European Commission. After a transition period, use of the previous SCCs will no longer be valid.
The new clauses are a welcome update to the landscape of personal data exports from the EU and will require some work from affected organisations, particularly if they are required to migrate from the previous SCCs.
Following the UK’s departure from the EU, the new SCCs are not directly applicable here. However, it is expected that there will be a consultation on a UK equivalent to the new SCCs later this summer, and the UK version of the new SCCs is then expected to come into effect shortly afterwards. This adds complexity for organisations that are subject to both the UK and EU regimes – although there is likely to be a degree of harmonisation between the EU and UK rules.
At the moment, transfers from the EU to the UK will remain permitted under the EU-UK Trade and Cooperation Agreement until 30 June 2021. Before this point, it’s expected that the UK will receive an ‘adequacy decision’ from the European Commission to enable EU to UK data transfers to continue without additional safeguards being put in place.
However, if the adequacy decision is not obtained by 30 June, the UK will become a ‘third country’ as far as the EU is concerned: organisations exporting data from the EU to the UK will need to ensure there are ‘adequate safeguards’ in place – such as the new SCCs.
What are Standard Contractual Clauses?
Standard Contractual Clauses are contractual undertakings and a form of ‘appropriate safeguard’ referenced under GDPR that can be entered into by parties to safeguard personal data when it leaves the EU.
The new SCCs are relevant to any data exporter currently using the previous clauses, or who will consider transferring personal data from the EU in the future. They apply to both data exporters within the EU and those located outside of the EU who are captured by the GDPR’s extra-territorial rules. This would include applicable US-based companies who offer goods and services to data subjects within the EU.
What has changed?
The new SCCs have been updated to deal with developments in the data protection landscape over recent years, notably the implementation of GDPR and the Schrems II decision. This decision, by the EU’s Court of Justice, held that the EU-US Privacy Shield (a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States) was invalid and the role of SCCs as an ‘appropriate safeguard’ was questioned.
There are a number of key changes to be aware of. Helpfully, the new SCCs are in a modular format which enables processors and controllers to select the provisions that are applicable to them. Meanwhile, for the first time, the new SCCs acknowledge that data may be exported by data processors, either to a data controller or to another data processor. This was a significant gap in the previous SCCs.
The new SCCs also contain the Article 28 controller to processor language, as required under GDPR, minimising the need for separate data processing agreements to deal with these GDPR requirements.
The new SCCs are also more flexible and allow for multiple parties to be included in complex arrangements, and to be added or removed over time. The previous SCCs were bipartite only, so these additional provisions will be welcomed by groups of companies – particularly for intra-group data transfers.
The new SCCs include language to address the issues raised in the Schrems II case, such as the requirement to document an assessment of the laws in a destination country and a requirement to warrant that there is no reason to believe that local laws will impact the parties’ ability to comply with the new SCCs.
They also recognise that data exporters established outside of the EU can still be subject to GDPR due to the GDPR’s extra-territorial scope in Article 3(2) – for example, cloud service providers located in the US.
When do the new SCCs come into effect?
Transfers of personal data using the previous SCCs will cease to be valid after two short transition periods: for new personal data transfers, the previous SCCs can only be used until 27 September 2021; for existing data transfers, the previous SCCs must not be used after 27 December 2022.
These transition periods recognise that new SCCs must be tailored for each use case and that this can be a time-consuming process.
It is likely that affected data controllers and data processors will need to undertake a remediation programme to ensure that the required appropriate safeguards are in place within the necessary timescales.
What do businesses need to do?
With rule changes coming in, UK businesses will need to check whether any international transfers of personal data in which they are involved will require appropriate safeguards to be put in place. It will also be important to look at the laws and practices of third countries to determine what, if any, additional contractual, technical or organisational safeguards are needed. Those businesses using the current SCCs will need a migration plan for transitioning to the new SCCs too.
As with any regulatory changes, the sooner businesses start to get to grips with how they’re affected, the better.