EU data transfers – pre-2021 SCCs cannot be used after 27 Dec 2022
The transition period for using the pre-2021 Standard Contractual Clauses (“SCCs”) for transferring personal data from the EU to third countries, expires on 27 December 2022. UK businesses with group companies in the EU need to act now to update their contractual arrangements with processors. UK businesses also need to start the process of reviewing their arrangements. With the UK GDPR’s potential fines of £17.5million or 4% of annual global turnover, whichever is higher, (€20million or 4% of annual global turnover under the EU GDPR), businesses must ensure any international data transfers are lawful and have appropriate safeguards.
This article outlines the immediate steps businesses in the UK and EU should be taking.
What are SCCs?
Any international data transfers must have appropriate safeguards in place for the transfer.
Now that the UK’s Brexit transition period has ended, any transfer of personal data from the UK to the EU, and vice versa, is considered a “third country” transfer requiring safeguards.
Broadly speaking, the following options are available:
– An adequacy decision with the third country
– Standard Contractual Clauses (in the UK, this is via either SCCs with a UK Addendum or an International Data Transfer Agreement)
– Binding Corporate Rules
– Derogations for specific situations
There is currently an adequacy decision in place, both for transfers from the EU to the UK and from the UK to the EU.
Why and how are SCCs used?
In the absence of an adequacy decision, many organisations use SCCs to transfer personal data between the EU and other countries. New SCCs were introduced in June 2021 (the “New SCCs”) and these must be used for transfers of personal data from the EU to third countries from 27 September 2021, in respect of contracts entered into on or after that date. Until 27 December 2022, there is a transition period allowing contracts signed before 27 September 2021, using the SCCs available prior to June 2021 (the “Old SCCs”), to remain valid. However, from 27 December 2022, the New SCCs must be adopted for all future and ongoing data transfer arrangements from the EU to third countries.
The New SCCs cover various data transfer arrangements depending on whether each party is a controller or a processer. There are different SCCs available for transfers from:
– controller to controller
– controller to processor
– processor to controller
– processor to processor
The New SCCs relating to processors also cover processors’ requirements under Article 28 of the GDPR, including processing data only on documented instructions from the controller, imposing confidentiality obligations on its personnel processing the data and ensuring security of the data.
The New SCCs outline each party’s obligations (whether as a controller or processor) under the GDPR. The New SCCs specifically address the issues raised in the European Court of Justice’s decision in Schrems II.
How to update SCCs
When adopting the New SCCs, organisations must check their processing meets the requirements of the New SCCs, which are more comprehensive than the Old SCCs.
The Schrems II decision heightened the importance of transfer risk assessments. Organisations must review the laws and practices of the importing country that could result in personal data being disclosed to public authorities. This assessment requires the contracting parties to “warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses”. The parties must expressly declare this and document their transfer risk assessment and make it available to the data protection authorities on request.
How do the New SCCs affect data transfers from the UK?
The deadlines above specifically apply to data transfers from the EU. However, data transfers from the UK relying on SCCs are still impacted, although organisations have more time to prepare.
The New SCCs are not valid in the UK without the UK Addendum. This is included alongside the New SCCs to satisfy the UK’s requirements for transferring personal data from the UK to third countries.
Alternatively, companies can use an International Data Transfer Agreement (“IDTA”). This is a stand-alone agreement that can be used when personal data is transferred from the UK to third countries.
The UK GDPR requires existing and ongoing data transfers agreements to third countries to be switched to the new arrangements (the New SCCs + UK Addendum or the IDTA) by 21 March 2024.
What should you be doing now?
If your organisation operates both in the UK and the EU, it is subject to both the EU GDPR and the UK GDPR. If you rely on SCCs for the transfer of personal data, you will need to take action in respect of both the EU and UK GDPR. Different timescales apply to each:
– If you transfer personal data from the EU to third countries, you must update your current SCC arrangements by 27 December 2022
– If you transfer personal data from the UK to third countries, you should begin to review your arrangements. You should ensure you use either the UK Addendum + New SCCs or IDTAs and that you have these in place by 21 March 2024 at the latest
Although there is still time to update practices for transfers outside the UK, steps should be taken now to account for any changes in data transfer or security methods needed and when negotiating on any new contracts, especially if any other organisation in the group is relying on the Old SCCs.
This article was posted by our UK member firm Doyle Clayton on 12 December 2022. International data transfers are complex. If you require any assistance to review your current arrangements, please contact either Piers Leigh-Pollitt, Partner & Compliance Officer for Legal Practice, Mike Hibberd, Senior Associate, or Jonny Robinson, Legal Advisor, at Doyle Clayton.