There have been a plethora of blogs and articles about the new Standard Contractual Clauses (SCCs) since they were issued by the European Commission in June 2021. This is not surprising, bearing in mind the significant role they play in relation to the transfer of personal data from the EU to third countries. In fact, the SCCs are probably the most popular transfer mechanism relied upon by organisations in the EU when sending personal data around the world.
The former SCCs were based on old, out-of-date law, having been implemented as a result of the Data Protection Directive 95/46/EC, which was enacted in the EU back in October 1995, and they had not been updated when the EU General Data Protection Regulation (Regulation (EU) 2016/679, the EU GDPR) became enforceable in May 2018. Also, the former SCCs did not take account of the important ruling delivered by the Court of Justice of the European Union (CJEU) in Schrems II in July 2020. Further, the previous SCCs did not cater for processor to sub-processor transfers, which are a common occurrence in many supply chains.
Consequently, the updated SCCs are a welcome new tool for organisations throughout the EU and, understandably, they have generated a great deal of interest. In this blog, we take a look at the practical effect of the new SCCs and consider how they apply in real terms. Do they place an unnecessary burden on exporters of personal data or are they justifiably robust? Can we use them in the UK or do we need to wait until the Information Commissioner’s Office (ICO) has finalised a UK version?
Do the New SCCs apply to the UK?
The new SCCs only apply to organisations within the EU, unless officially adopted elsewhere. As the UK is no longer part of the EU and has not officially adopted the new SCCs, they do not apply in the UK. For the time being, organisations in the UK need to continue using the old SCCs. Whilst the old SCCs relate to the repealed Data Protection Directive 95/46/EC, they have been recognised in UK law pursuant to paragraph 7(2) of Schedule 21 to the Data Protection Act 2018 and, as such, they can be used to create legally binding instruments. Further, the ICO has created post-Brexit templates using the old SCCs for UK organisations, ensuring that they read correctly in the context of the UK now being independent of the EU. The templates can be downloaded from the ICO’s website.
In terms of new SCCs for the UK, these will be incorporated into a document known as an International Data Transfer Agreement (IDTA). On 11th August 2021, the ICO issued a draft IDTA, together with a draft International Data Transfer Risk Assessment and Tool (TRA) and draft guidance. The ICO has opened a public consultation on the IDTA guidance which will remain open for comments until 5 pm on Thursday 7th October 2021, and we hope to see the final versions available for use at some point following this. We’ll be publishing a blog on the draft IDTA in the near future.
For organisations outside the UK but within the EU, read on.
It’s important to be familiar with the following key dates:
- The new SCCs came into effect on 27 June 2021 and can be used from this date onwards. However, there is no legal obligation to use the new SCCs from this date, and the old SCCs can continue to be used when entering into new contracts up until 27 September 2021.
- From 27 September 2021, the new SCCs must be used when entering into any new contracts where this transfer mechanism needs to be relied upon.
- Any contracts based on the old SCCs must be converted to the new SCCs by 27 December 2022.
As the long-stop grace period for moving old SCCs over to the new SCCs is 18 months, this may suggest that there is no particular urgency to attend to this task. However, the process is not simply a matter of discarding the old SCCs and replacing them with the new SCCs without much thought. As explained below, this is not a straightforward administrative task but one that requires careful consideration and in-depth research by skilled personnel familiar with the data protection legislation and the structure of contracts.
Each transfer must be assessed on a case-by-case basis, following the formal recommendations issued by the European Data Protection Board (EDPB). This exercise is likely to take a great deal of time, depending on how many contracts are already in place, how many are in the pipeline and where in the world the personal data will be transferred to. Therefore, businesses should start taking steps to update relevant agreements now.
Content of the SCCs
Taking a look at the new SCCs, it can be seen that they take a very different format from the former SCCs. The new SCCs have a modular structure, enabling the user to adopt the appropriate clauses for their particular set of circumstances, as follows:
- Module 1 – for a controller to controller contract
- Module 2 – for a controller to processor contract
- Module 3 – for a processor to sub-processor contract
- Module 4 – for a processor to controller contract
The SCCs also include the option of a ‘docking clause’, which enables additional parties to be added to the contract at a later date, whether that party is an exporter or an importer of personal data. This is useful for those occasions when projects develop such that it is necessary or commercially desirable for the original parties to include additional organisations for the benefit of all concerned. If this situation presents itself, the docking clause provides that the new party simply needs to complete the Appendix and sign Annex I.A.
When considering the SCCs, whilst all of the clauses are important, clause 14 is crucial. Clause 14, entitled “Local law and practices affecting compliance with the Clauses”, states that both the data exporter and the data importer have no reason to believe that the law and practices in the third country to which the personal data is being transferred prevent the data importer from complying with the SCCs. The effect of this clause is that both parties provide a mutual warranty that the country of destination provides an adequate level of protection for the personal data being transferred.
Clause 14 goes on to describe the elements to be taken into consideration before this warranty can be provided, including:
- The specific circumstances of the transfer
- The contractual, technical and organisational measures in place, and
- The laws and practices of the third country destination including any that allow public authorities to access the data.
One of the main purposes of considering item 3 above is to address the type of scenario seen in Schrems II. This case highlighted that an American organisation which is subject to mass surveillance laws, such as section 702 of the Foreign Intelligence Surveillance Act (FISA), is legally obliged to allow government access to the data it is processing if so requested, no matter what the contract between the exporter and the importer says. Under clause 14 of the new SCCs, such laws need to be identified and an assessment needs to be made to ascertain whether these laws are “necessary and proportionate in a democratic society” or whether they “impinge on the effectiveness” of the transfer mechanism relied upon.
At this stage, it becomes clear that the new SCCs need to be read alongside the EDPB’s Recommendations 01/2020 on measures that supplement transfer tools, issued by the EDPB on 18 June 2021. Under these Recommendations, the EDPB suggests that when proposing to transfer personal data to a third country, organisations should follow six steps, namely:
Step 1 – Know your transfers
Identify where in the world you are transferring personal data to. A Record of Processing Activities (ROPA) will assist with this step.
Step 2 – Identify the transfer tools you are relying on
Are you relying on an adequacy decision, SCCs, Binding Corporate Rules, etc.?
Step 3 – Assess whether the transfer tool is effective
Carry out a Transfer Impact Assessment (TIA) to establish whether the transfer mechanism you are using or propose to use will be effective in safeguarding the personal data.
Step 4 – Adopt Supplementary Measures
If the TIA indicates that the personal data is not afforded adequate protection when relying solely on the transfer mechanism, supplementary measures must be adopted.
Step 5 – Take Any Procedural Steps Needed for the Supplementary Measures
Carry out any practical steps required to implement the supplementary measures.
Step 6 – Re-evaluate at appropriate intervals
Keep the situation under regular review and stay up to date with guidance from the regulators.
Therefore, clause 14 of the new SCCs relates directly to Step 3 of the EDPB’s Recommendations 01/2020, which indicates that a TIA needs to be carried out when assessing if the chosen transfer mechanism is appropriate when sending personal data to the third country in question.
Recommendations 01/2020 advise that the TIA must be based, first and foremost, on legislation that is publicly available and if the TIA reveals that the third country has “problematic legislation”, the transfer may need to be suspended or supplementary measures may need to be implemented to safeguard the personal data. This means that if the personal data will not be provided with an “essentially equivalent” level of protection as it is afforded in the EU because of the “problematic legislation”, then the parties may decide not to proceed with the transfer unless suitable supplementary measures can be implemented to protect the personal data.
That said, Recommendations 01/2020 go on to say that the practices of the third country can also be taken into account because they may suggest that the third country does not normally apply the “problematic legislation” identified. In such circumstances, the parties may decide to proceed with the transfer. However, Recommendations 01/2020 make it clear that such decisions must be clearly demonstrated and documented in detail within the TIA.
In addition to the legal framework, Recommendations 01/2020 indicate that other information may also be taken into account for the purposes of the TIA, and numerous sources of information are listed within Annex 3. The Recommendations state that the importer should provide the exporter with relevant sources of information but that, in all cases, the sources and information should be “relevant, objective, reliable, verifiable and publicly available”. The practical experience of the importer may be taken into consideration as well, but only in certain circumstances.
In working through a TIA, the parties will also need to take into account Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (EEG), issued on 10 November 2020 by the EDPB. These Recommendations provide elements to examine whether surveillance measures used by public authorities to access personal data can be regarded as a justifiable interference or not. There are four different guarantees to consider, namely:
- The processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- There needs to be an effective, independent and impartial oversight system in place.
- Effective remedies need to be available to the individual.
Whilst an analysis of the EEG falls outside the scope of this blog, reference to them has been included in order to highlight just how much needs to be taken into account when conducting a TIA.
What does this mean, in practice?
There is a great deal of time-consuming, detailed work to be carried out when conducting a TIA before the new SCCs can be entered into. Organisations will be expected to conduct this exercise within a matter of weeks or perhaps even days, as part of their commercial business, but is this reasonable or even possible, bearing in mind that the European Commission often takes years deliberating over such decisions? Whilst it is essential to safeguard personal data and individuals’ rights, the task appears onerous.
Further, there may be a danger that, as organisations are left to conduct their own assessments on third-country laws and practices, and with likely varying risk appetites amongst these organisations, the outcomes of the TIAs may differ across the board, leading to a lack of consistency on the application of data protection within the EU, which the GDPR was meant to avoid.
No TIA is necessary in respect of transfers of personal data to America, as in the Schrems II case the CJEU confirmed in its judgment that the US mass surveillance laws do constitute “problematic legislation” and, as such, personal data should not be transferred to organisations in America that are subject to these laws unless appropriate supplementary measures are implemented. The difficulty then turns to identifying and implementing such measures.
Some critics take the view that the European Commission is abdicating responsibility for deciding whether international transfers are consistent with EU data protection law and leaving controllers in the difficult position of having to apply a very complex framework of guidance. It is certainly possible to see the merits in this argument.
Perhaps the answer is localisation, i.e. keeping the personal data within the EU and avoiding the complications of third country transfers. This sounds like a logical answer, but will organisations be open to this idea? With regard to America, much of the world’s electronic communications pass through America as, traditionally, this has been the most cost-effective route, allowing organisations to scale, and the bulk of the world’s internet infrastructure is based in America. Will it be too cumbersome or too expensive to change the setup? Only time will tell.
If you need help identifying your transfers, planning for the migration to the new EU SCCs, carrying out TIAs and planning for the UK’s proposed IDTAs, we can help. Please contact us for a free consultation or to request more information.