EU Adopts Revised EU Standard Contractual Clauses: What does this mean for Businesses transferring data from the EU?

 

The Headline News

After a long wait, the EU has adopted new standard contractual clauses to cover and legitimise data transfers from the European Union to third countries. 

Why is this important?

This news is very significant for businesses that import/export personal data between the EU and third countries internationally.  It may also be important for future EU-UK data transfers, depending on whether the UK gets an adequacy decision from the EU (see below).EU GDPR restricts transfers of personal data from the EU to third countries whose local laws do not provide “adequate” protection to EU personal data.  Most non-EU countries are deemed “non-adequate” for these purposes.This means that businesses transferring personal data from the EU to such “non-adequate” third countries need to implement alternative mechanisms to legitimise such transfers under EU GDPR.  One of the most common ways to do this is for the data exporter and data importer to enter into the current set of standard contractual clauses (“Current EU SCCs”) to cover the transfer.The EU has now adopted a set of standard contractual clauses that will replace the Current EU SCCs (“Revised EU SCCs”).  This means that businesses relying on the Current EU SCCs may have to “repaper” those arrangements by entering into the Revised EU SCCs. It also means that businesses will need to enter into the Revised EU SCCs in future, once the Current EU SCCs are repealed.We set out the timetable for this, plus more detail on the Revised EU SCCs, below. 

What are the Changes?

The Revised EU SCCs are drafted with the EU GDPR and recent “Schrems II” decision in mind.Some of the changes will make life easier. Others will impose extra burdens and responsibilities on organisations. Here is quick summary:First, the good news:

• The Revised EU SCCs are “modular”. This means that parties can now choose a wider range of “flavours” of standard contractual clause to suit their data transfer.  You now have the option to choose “processor to processor” and “processor to controller” transfers, in addition to the pre-existing “controller to processor” and “controller to controller” selections.

• The Revised EU SCCs incorporate Art 28 GDPR terms. This means you don’t have to go through the hassle of drafting and negotiating separate Art 28 GDPR data processing terms.

Now, the key extra burdens and responsibilities (especially on data importers):

• You will need to do a local law assessment. Both parties will have to warrant that they have carried out an assessment of the local laws in the jurisdiction in which the personal data will be transferred to under the Revised EU SCCs and have no reason to believe that the laws and practices in such jurisdictions will prevent the data importer from fulling its obligations under the Revised EU SCCs when taking into account the relevant safeguards put in place to supplement the safeguards in the Revised EU SCCs. They will also need to document this assessment.

• Data Importer has obligations regarding public authorities. The data importer will have to comply with certain provisions if it receives a legally binding request from a public authority for the disclosure of personal data that is subject to the relevant Revised EU SCCs.

• Data Importer submits to Supervisory Authority. The data importer must submit to the jurisdiction of the competent supervisory authority. This means responding to enquiries and audits, as well as complying with measures that the supervisory authority imposes.

 

What is the Timetable for these Changes?

Organisations will get a bit more time to deal with this change than was previously thought. Here are the timings to factor into your project planning:

• The Revised EU SCCs come into force 12 days after they are published in the Official Journal of the European Union (the “Publication Date”).

• The Current EU SCCs will then become obsolete three months after the Publication Date. After that point, organisations must enter into the Revised EU SCCs instead.

• Organisations get an 18 month grace period following the Publication Date to replace the Current EU SCCs they apply to their data flows with Revised EU SCCs.

 

So, what should I be doing about this?

If your organisation transfers personal data from the EU, you should identify the contractual data flows affected by this change and in particular those contractual flows that have more than 18 months to run.  You will then need to re-paper those contractual flows to take account of the Revised EU SCCs. 

…and what about the UK, post-Brexit?

At the time of writing, the Revised EU SCCs do not cover data transfers from the UK to non-adequate third countries.The UK’s data regulator (the ICO) is considering whether to recognise the Revised EU SCCs as being valid for transfers from the UK as well. It is hoped that the ICO confirms this shortly, for commercial certainty.UK businesses also await:

• The EU’s decision on whether to grant the UK “adequacy” status to continue to receive flows of personal data from the EU, without the need for standard contractual clauses at all.

• The ICO’s own set of “bespoke” UK standard contractual clauses (“UK SCCs”). The ICO is consulting on these over summer 2021.

As ever, data protection gives organisations plenty to think about. For information about the broader impacts of Brexit on data protection issues, see How will Brexit impact Data protection and what should we be doing? If you would like support with the issues discussed in this update, please do get in touch with one of Freeths’ team of GDPR specialists, who will be delighted to assist.

---

Head to our Brexit Exchange where you will find all the latest updates and developments from our experts, regarding Brexit and how that affects businesses and individuals in a range of areas.