What's happened?

On 4 June 2021, the European Commission adopted a set of new and improved standard contractual clauses (SCCs) for personal data transfers from controllers or processors in the European Economic Area (EEA) to controllers or processors established outside the EEA. The EEA comprises the EU countries plus Iceland, Liechtenstein and Norway.

Then just a couple of weeks later on 28 June 2021, the European Commission approved two final adequacy decisions in favour of the UK, one under the EU General Data Protection Regulation (EU GDPR) and another under the Law Enforcement Directive, securing the UK's status as an adequate destination for the export of EEA-origin personal data.

What's changed?

  • UK adequacy

At least as far as the UK's relationship with the EU is concerned, nothing will be changing in the foreseeable future in that transfers of personal data from exporters located in the EEA to importers located in the UK will be allowed to continue uninterrupted. This follows months of wrangling at EU-level to finalise a permanent solution to EU-UK data flows following the fragile interim arrangements concluded under the Trade and Cooperation Agreement (which were due to expire on 30 June).

No doubt this will be music to the ears of many as it ultimately means that, for those businesses in the UK receiving personal data from the bloc, no further action will be needed for the time being. For the business-minded this is surely a silver cloud; a much more straightforward relationship here means less time spent with lawyers, less time worrying about GDPR compliance and more dry powder in the keg. Of course, UK adequacy should really always have been a foregone conclusion, but at least a decision here finally provides some certainty on the issue.

  • EU SCCs

As the most flexible and frequently used variety of "appropriate safeguards" in the context of international data transfers, SCCs continue to be a key mechanism under the EU GDPR for transferring personal data from the EEA to non-adequate third countries. They have become a particularly useful tool following invalidation of the Privacy Shield framework which, prior to what has become known as the 'Schrems II' decision [1], was another available avenue for transatlantic data flows.

However, the new SCCs will now be replacing the existing SCCs for purposes of the EU GDPR, serving to align contractual transfer provisions with the regulation and address shortcomings raised in Schrems II. EEA exporters of personal data can only validly sign contracts with the existing SCCs up until 27 September 2021. They then have a grace period until 27 December 2022 to amend contracts which incorporate the existing SCCs. The new SCCs technically became available to use from 27 June 2021, firing a starting pistol on the race to review data sharing relationships, determine which agreements (or parts of agreements) implicate transfer provisions under the EU GDPR, and then negotiate and finalise amendments to those contracts.

As part of a major design overhaul being welcomed by industry and practitioners alike, the new SCCs adopt a combinative approach including both general and modular components. The result of this is the flexibility to allow a more tailored approach to data sharing relationships that caters for a wider range of transfer scenarios: controller to controller; controller to processor; processor to processor; and processor to controller. No doubt this far exceeds the mechanical constraints of the existing SCCs which to date have not allowed for processor to processor or processor to controller transfers, much to the frustration of practitioners who have for years been left to devise creative solutions to deal with a long-recognised and accepted problem.

The EU GDPR, its international transfer provisions and therefore the new SCCs will now apply in any case where:

  • personal data is processed in the context of the activities of an establishment of a controller/ processor in the EEA, regardless of whether the processing takes place there; and
  • personal data of EEA data subjects is processed by a controller/processor not established there, where the processing activities relate to the offering of goods or services to EEA data subjects (irrespective of any payment) or the monitoring of their behaviour in the EEA.

Brexit, adequacy and SCCs – what does it all mean?

  • UK adequacy

There's no doubt that a permanent solution on adequacy has automatic benefit in the clarity it brings to business, but unfortunately (and as often is typically the case in the legal world) there is a caveat and in this case it's not an insignificant one; once granted, an adequacy decision can be withdrawn at any time. In addition and not dissimilarly to Privacy Shield, decisions are also susceptible to legal challenge meaning that the UK's status isn't automatically shielded from judicial activism.

On a technical level one can imagine potential concerns over state surveillance activities under the UK's national security regime and the compatibility of those activities with the EU community acquis. Certainly that does appear to have been a key topic of discussion during the assessment process. However, there are also the wider political implications to think about as the UK forges ahead with its own global innovation agenda and national data strategy. In particular, with the UK exercising its own adequacy assessment process post-Brexit, there's scope for disagreement over the treatment of other jurisdictions. Plus, as is the case below, divergence between the two GDPR regimes over time appears to be increasingly likely.

So while adequacy is a positive development overall, it's not necessarily a happily ever after ending to the story and businesses are still advised to watch this space. Indeed, with politicians currently squabbling over sausages, who knows whether trust gained will stand the test of time. If it comes to pass that the UK's permanent adequacy status isn't so permanent after all, then contingency planning will be the key to a well-managed transition with the new SCCs likely taking centre stage.

  • EU SCCs

Putting aside the UK's adequacy adventure, one of the effects of Brexit was that some businesses based in the UK but operating in the EU became subject to dual regulation in any event. In particular, a UK business offering goods or services to consumers in both the UK and the EU is now subject to the UK GDPR in the context of those activities occurring in the UK and to the EU GDPR in the context of activities occurring in the EU. Any divergent treatment under those separate regulatory regimes then poses the risk of complicating compliance, including with respect to international data transfers.

Now that new EU SCCs have been introduced but the UK continues to operate on the old SCCs pending UK-specific clauses being released by the ICO (arrival of which we are told is expected later this summer), this now means that in the future different SCCs may need to apply to different data flows. For instance, when a UK company combines EU sales data with UK sales data and exports that mixed dataset to its parent company or cloud storage provider in the US, different SCCs would need to be applied to the data being transferred based on origin.

In reality what this means for affected UK businesses is that they'll need to re-examine their incoming data flows to ensure that the right SCCs are applied to the right data for any onward transfers being executed, with relevant contracts renegotiated accordingly. Somewhat frustratingly, the same exercise is then likely to arise with respect to the implementation of new UK SCCs. This effectively leaves businesses with a choice; do they go through the process and cost of addressing new EU SCC requirements now, or wait to see if that exercise can be combined with the arrival of UK-specific SCCs later this year (or potentially next year)?

Practical advice and how we can help

With courts and European data protection authorities exercising greater scrutiny of international transfers, this is already an active area. But, with new SCCs now being approved, that scrutiny intertwines with the requirement on businesses to respond to the changing landscape compliantly. To avoid unwanted attention in this respect, affected firms should now be revisiting their data flows and associated transfer arrangements, ensuring that they are ready to incorporate the new SCCs and migrate the existing SCCs as appropriate. Given the changes between the two, it is essential that sufficient time and resource is allocated to the task, including when it comes to ongoing or upcoming contract negotiations. Details set out in existing arrangements should be reviewed to ensure that they remain up-to-date.

This is a particularly complex area affecting a range of sectors, so wherever you operate if you have any queries or need assistance with your data protection compliance, then please do not hesitate to contact one of our data protection experts below. We will continue to monitor and report on developments.

Other key features of the new SCCs

Set out below are some of the other key features of the new SCCs/points to note:

  • They can be used by multiple parties and there is an optional 'docking clause' which provides that, with the agreement of the parties, other entities may accede to the SCCs.
  • Parties are free to include the new SCCs in a wider contract and to add other clauses or additional safeguards, provided they do not contradict the SCCs or prejudice the fundamental rights or freedoms of data subjects.
  • The new SCCs contain specific provisions to address concerns raised by Schrems II, including the requirement to conduct and document a transfer risk assessment, taking into account the specific circumstances of the transfer, the laws and practices of the third country of destination, and any relevant supplementary measures. The EDPB has this week published its final recommendations on supplementary measures, to guide exporters in lawfully transferring personal data to third countries while guaranteeing that it is afforded a level of protection essentially equivalent to that guaranteed within the EEA.
  • There is no need for a separate data processing agreement because the minimum processor terms required under the EU GDPR are included.
  • The new SCCs are not to be confused with the non-mandatory separate set of SCCs published on the same day for use between EEA controllers and processors.

Footnote

1 See our earlier briefings here and here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.