On 4 June 2021, the European Commission published the new Standard Contractual Clauses for international transfers (new SCCs). The old (existing) SCCs pre-dated the General Data Protection Regulation (EU) 2016/679 (GDPR) and so it was necessary to update the SCCs to bring them into line with GDPR concepts and requirements, as well as to try to take into account Schrems ii-related developments. The aim of the new SCCs is to ‘ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 [aka the GDPR] is not undermined where personal data is transferred to third countries, including cases of onward transfers.’
The new SCCs are modular, designed to offer more flexibility and reflect the reality of the digital economy, where in practice many parties may be involved in complex processing chains. The four modules available now cover:
There is also the docking clause (clause 7), which allows additional parties to sign up to the new SCCs with the agreement of the parties and to do so by completing the Appendix (with details of the transfer, technical and organisational measures implemented and a list of sub-processors where relevant) and signing Annex 1.A.
The Schrems ii provisions, namely clauses 14 and 15, are a welcome addition to the new SCCs and provide further detail as to what is expected and how you can evidence compliance when transferring data to third countries who do not hold EU adequacy.
Lots has been written already about the new modular structure of the new SCCs as well as about the new content (for instance the additional transparency obligations). In this article we explore some of the more strategic planning considerations that the new SCCs raise.
What are the timeframes?
The new SCCs were published in the Official Journal on 7 June 2021, which means they come into force, and are usable, on 27 June 2021.
Three months after that, i.e. 27 September 2021, the old (existing) SCCs are repealed.
If, however, old (existing) SCCs have been put in place at any point prior to the September date you can still rely on those old SCCs for a further 15 months, i.e. until 27 December 2022, provided that there are no changes to the ‘processing operations that are the subject matter of the contract’ and ‘reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards’.
This is some welcome flexibility from the European Commission and gives some time for controllers and processors to work out what is what and what approach to take.
Of course, there is no right and no wrong answer to the approach to take, it will depend largely on what data you are transferring, what is the purpose of the transfer, when and where you are transferring the data and how you do so, and looking at this in conjunction with your contracts, projects and plans for the coming 18 months. You also need to factor in where you have got to in the last 11 months re your Schrems ii remediation: it may be that you have just executed 30 different Transfer Risk Assessments backed up by old SCCs and related supplementary measures. You might not be in the mood therefore to look at the new SCCs for a while. We do also wait with baited breath for the European Data Protection Board (EDPB) to finalise their Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data after the EDPB’s Plenary session on 18 June 2021.
It may be however that other parties spoil even your best laid plans by putting in motion signing up to the new SCCs before you had planned (e.g. we do expect some of the big Cloud, SaaS and PaaS players to be updating their contracts sooner rather than later).
Can we use these new SCCs for extra UK and extra Swiss transfers?
It will take some thought to determine the best strategy, particularly as we are yet to hear what the UK and Switzerland plan to do. We may find ourselves in a position after 27 September 2021 of still having the old SCCs for extra UK and extra Swiss transfers and the new SCCs for extra EEA ones! That is not a place any of us hope to be and thankfully the ICO stated at the Data Protection Practitioners’ Conference on 5 May 2021, that they will be consulting on the UK SCCs in ‘Summer 2021’, and there is also the expected announcement from the Department for Digital, Culture, Media and Sport, again in ‘Summer 2021’, on the recognition of transfer tools from other countries, where the example given was the EU SCCs.
As for Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) has adopted the EU SCCs as a valid transfer mechanism in the past, and given that the Swiss adequacy status is under review – along with all other countries that were granted EU adequacy under the pre-GDPR regime (albeit currently postponed in light of the Schrems ii decision) – many feel that the FDPIC will not rock the boat as they will want to demonstrate their equivalent protections. Therefore, it is likely the new SCCs will be approved for use for data flowing from Switzerland to countries outside the EEA or third countries with no adequacy decision.
The quirk of Recital 7
One quirk that has been getting a lot of attention is Recital 7 which appears to say that if the data importer is outside of the EEA but subject to the GDPR (by virtue of Article 3(1) and or Article 3(2) GDPR) then the new SCCs cannot be used. What can this possibly mean? Is this saying as both parties are subject to the GDPR then there is no international transfer? It would be a brave person who runs with this analysis, as to follow it through to its natural conclusion anyone who is subject to the GDPR would not require any transfer mechanism, and that just doesn’t sound right at all! It will be interesting to watch how practice develops in this area; although similar guidance from the ICO relating to their definition of ‘restricted transfers’ did not result in an avalanche of brave first adopters saying there was no need for international transfer protections in situations x y and z. We suspect the same may be the case here.
What should I do now?
The key message here is pause, take stock of where you are and what your plans are before taking action. Here are some things you might like to consider, but it is by no means an exhaustive list.