updated on 14 September 2021
Question
EU data protection law has recently seen new standard contractual clauses published: what are they, why were they changed and what does this mean in practice? And what about the UK?Background
Businesses might transfer personal data to third parties to help their business ‘run’ – such as using cloud storage providers to host their client data. This constitutes a ‘transfer of data’, which is particularly significant when it happens across borders (ie, an international transfer of data). This is important because not every country has the same level of protection for individuals’ data.
As a result, some countries or regions put in place mechanisms and structures to protect personal data going from theirs to another country or region. The most prominent example is the EU.
There are various ways the EU ensures that international data transfers are safeguarded. For example, it has adequacy decisions through the GDPR. This is where the EU determines that the legal framework of another country, territory or sector provides adequate protection for personal data. If a country, territory or sector is not on that list, you must rely on other appropriate safeguards, the most common being standard contractual clauses (SCCs) under the GDPR.
SCCs ensure the transfer of data (as part of the business’s interactions) will be made under standard data protection clauses that are in accordance with the EU regime. They contain obligations for both the data exporter and importer, as well as explaining the rights of the individuals whose personal data is being transferred. They effectively protect the personal data being transferred to another country in the same way you would expect protection within the EU.
Old SCCs showing their age
For some time, the EU had implemented the same old SCCs. However, these had many cracks that needed to be filled. They were created before the GDPR and therefore were not a true reflection of the current legislative environment (eg, referencing out-of-date law).
They were also not very flexible – they didn’t consider the fact that parties, within their business relationships, might take up multiple data roles for different data transfers (eg, you may be a controller for one aspect but a processor for another). The old SCCs more or less ignored this scenario, which meant that the same data importers and exporters might need multiple SCCs for their transfers. This, unsurprisingly, has proven burdensome and has added an unnecessary layer of complexity to already complex relationships.
‘Schrems II’
These cracks grew following the case of ‘Schrems II’. Max Schrems, a now infamous privacy activist from Austria, complained to the Irish Data Protection Commissioner about Facebook Ireland and its reliance on SCCs to safeguard international data transfers to Facebook in the US. The case was referred to the European Union Court of Justice (ECJ), with the main questions being whether the use of just SCCs was appropriate and whether the privacy shield itself was still valid.
The privacy shield was an EU-US arrangement that allowed transfers of personal data from the EU to the US, where the US organisations involved had self-certified that they could adhere to certain data protection principles and safeguards.
In a surprise judgment, the ECJ ruled that the use of the privacy shield was invalid due to US laws continuing to grant powers to authorities to potentially access and use EU personal data without sufficient safeguards in place.
The old SCCs, on the other hand, were still treated as just about valid, but this victory came with significant blows to their credentials. The ECJ ruled that the old SCCs can only be relied on by data exporters where they are satisfied that the laws of the country to which personal data is being transferred offer an appropriate level of protection to the data in question. This increased scrutiny of the old SCCs and really provided a clear pathway to changes – particularly as the old SCCs did not really cater for evaluating third country laws.
A breath of fresh air – the new SCCs take centre stage
Taking all of this into account, the new EU SCCs were released on 4 June 2021, with organisations having 18 months from then to transition from the old SCCs to the new ones.
These new SCCs dealt with the problems already outlined and provided a much-needed new coat of paint. For example, the new SCCs put greater emphasis on what data importers should do if they receive a request from a government in relation to access to personal data. These include obligations to notify the data exporter of the request, assess the legality of the disclosure request itself and use best efforts to minimise any eventual data disclosure (in line with Schrems II).
They also implemented extensive obligations to carry out a data transfer impact assessment on the relevant third-country laws, and the circumstances of the transfer itself. This is to determine whether any additional safeguards are actually needed (again, in line with Schrems II). The New SCCs also align with the GDPR throughout, containing all clauses needed to comply with the GDPR’s obligations on data processors.
Other changes include a modular approach to parties having multiple roles within their data relationships. Rather than having different SCCs for different data relationships between exporters and importers, this can now all be housed within one set of modular SCCs. The new SCCs also identify new data relationships, such as processor to processor and processor to controller. They recognise the modern complexities of data relationships and cover gaps that have existed for a while – we no longer have to try to fit square pegs into round holes, which is always good news.
There are many more changes with the new SCCs. While they may create more work in practice for organisations (eg, transitioning contracts to the new SCCs), they offer much needed improvements, and a deeper level of protection for individuals whose data is transferred across borders.
What about the UK?
The European Commission granted the UK ‘adequacy’ status on 28 June 2021. As a result, data transfers from the EU to the UK can continue without the need for contracts implementing the new SCCs. However, transfers of personal data from the UK to a third country are not covered by the new SCCs – they are EU-specific. As of now, the current position is that UK organisations must continue to rely on the previous EU SCCs and must not use the new EU SCCs. Despite this, the data protection regulator for the UK, the Information Commissioner’s Office, has stated that it is working on bespoke UK SCCs (called an international data transfer agreement (IDTA)), as well as a UK addendum to attach to EU SCCs (a consultation paper was launched earlier this month for both).
While things take shape, it is likely that multinational organisations will prefer to continue to use the EU SCCs, and instead implement the UK addendum in addition to that, as opposed to adopting the IDTAs as their base cross-border transfer document.
What happens in the future remains to be seen, but organisations should ensure they pay close attention to the formation of the UK’s international data transfer structure, as well as how the new EU SCCs are implemented and work in practice.
Junior Mbulu is a trainee solicitor in the commercial team at TLT.