- For organisations transferring personal data from the EEA, the new form of model clauses must now be used for any new transfers agreed as of 27 September 2021.
- Existing arrangements using the “old” European model clauses have until December 2022 to be replaced with one of the new versions.
- The Information Commissioner’s Office (ICO) is consulting on the form of model clauses that will be used in the UK for personal data transfers but, until the final form is approved, the old form European clauses (as modified for the UK) should continue to be used.
27 September 2021 was an important milestone for international personal data transfers. The last few months have seen significant developments in this area as the legal framework around regulating such data transfers in Europe and the UK has changed markedly. The key issue for EU/EEA-based organisations is that as of Monday 27 September any new data transfers that need to be regulated by Standard Contractual Clauses (SCCs) must use the new format approved by the European Commission earlier this year. For those SCCs already in place, there is a much longer period, until 27 December 2022, for them to be replaced.
What about UK-based businesses – do they need to take action to replace their existing SCCs? The answer is no. Although many UK-based businesses will have in place SCCs to regulate transfers of personal data to countries outside the EEA, the fact that the UK is no longer part of the EU means these changes to the SCCs do not apply to transfers from the UK. Instead, the UK is undergoing a different process to update its SCCs, with an ongoing consultation from the ICO on a new International Data Transfer Agreement, which would replace the current SCCs. The consultation closes on 7 October and there will be a period of review before a final version is issued. Therefore, it will be some time yet before the UK has in place a new form of SCCs. In the meantime, organisations in the UK will have to continue to use the now outdated version of SCCs. The ICO has done some work to bring the terminology in line with UK laws and language but it remains the case that current SCCs for the UK do not really address the key issues, particularly the question of assessing local laws in addition to putting SCCs in place.
SCCs form part of the package of measures the European Union has in place to regulate international personal data transfers. The EU Data Protection Directive of 1995 created the notion of adequacy – that transfers could move freely between the EU Member States (and EEA) because their laws were based on the same foundation, and that other countries could be added to this club by being deemed ‘adequate’. This was replicated in the General Data Protection Regulation (GDPR). Importantly, the UK has, following its exit from the EU, been deemed adequate and so personal data transfers between the UK and EU (both ways) can continue to flow freely without other measures being put in place. For those transfers where adequacy was not possible, other mechanisms were put in place, most notably SCCs, which regulate the transfers in a way that seeks to provide similar protections, particularly for data subject rights.
Last year, the European Court of Justice considered the validity of SCCs as a transfer mechanism in the case of Schrems II. Although the case centred on the US-EU Privacy Shield, the court also looked at SCCs. The court made it clear that it was not simply enough to put such clauses in place – the data controller making the transfer had to assess local laws and any additional measures that had been put in place in order to take a view as to whether, as a whole, the personal data would be properly protected. For example, in the US the government surveillance laws would suggest that use of an old version of the SCCs alone would not be sufficient.
The introduction of the GDPR in 2018 meant that the SCCs should have been updated to reflect the new laws. However, this was not done until earlier this year, when the European Commission finally published its proposals to update the SCCs. The new SCCs sought to take account of the GDPR, but also to try to address some of the issues raised by Schrems II. Following a period of consultation, they were approved in June this year.
One of the many criticisms of the old SCCs was that they did not reflect current business models. For example, they only applied to controller-to-controller or to controller-to-processor transfers but not processor-to-controller or processor-to-sub-processor transfers. The new SCCs address this by having multiple options which ensure that the SCCs best reflect the reality of the contractual relationship between the transferring parties.
To address the question of reviewing local laws, the new regime for SCCs requires a separate data transfer assessment to be documented before the transfer is made. This is a significant imposition on businesses, particularly SMEs, which will not have the resources to undertake such a review every time they propose to transfer to a new third party/new country. This requirement is also reflected in the UK consultation – although the ICO has helpfully provided for comment an international risk assessment tool that would operate alongside the IDTA.
The ICO consultation recognises that under certain circumstances there may be a benefit to UK-based organisations using the new European SCCs, for example when transfers from the UK form part of a series of transfers that also involves transfers from EEA states. Part of the ICO’s consultation is a draft Addendum to the EU SCCs that would make appropriate adjustments to the SCCs to allow them to be used in a UK context.
It is clearly important that the UK updates its SCCs to reflect current business models; however, the requirements around transfer assessments are onerous. Although the ICO is doing its best to assist with this process by providing an international risk assessment tool, statements in the UK Government’s recently launched consultation, Data – A New Direction, make it clear that it sees flexibility in the use of transfer mechanisms as key to driving data use and boosting the economy.
While Brexit does mean the UK can go it alone in terms of seeking new transfer partnerships and developing more flexibility around the transfer regime, such activity does not happen in a vacuum. The UK’s adequacy approval from the EU was, unusually, only given for four years’ duration and, even then, if the EU deems the UK to have taken steps that may cause it to revisit its decision it would not have to wait four years to do so. There is no doubt the UK Government’s stated aim of facilitating “more detailed, practical support for organisations on determining and addressing risks” is to be applauded as businesses struggle with these new requirements. However, losing the adequacy approval would have a different, though equally significant, impact on UK businesses.
In the meantime, all organisations should audit their international data transfers, if they have not already done so, to ensure they comply with the GDPR/UK GDPR. If you have questions on your data transfers and what steps you need to take to ensure they are compliant with data protection laws, please contact one of our data protection team for a consultation.