The European Commission released their finalised Standard Contractual clauses (“SCCs”), which will become effective on 27th June 2021. SCCs are the most commonly used mechanism to export personal data outside of the EEA/UK to countries that have not been deemed to have an “adequate” level of personal data protection for individuals. Following the implementation of GDPR, thousands of companies entered a massive papering exercise to legitimise and document personal data exports through the use of SCCs. Three years on and another (re)papering exercise is in store.
Why new SCCs?
Previous SCCs were created under the Data Protection Directive, which was repealed and replaced by the GDPR. The new SCCs provide greater alignment with GDPR and address recent decisions by the ECJ. They:
- Allow for various types of transfers using a modular approach, including controller-to-controller; controller-to-processor; processor-to controller; and processor-to-processor. This includes the provision for controllers based outside the EU.
- Align with updated obligations specified under the GDPR.
- Address requirements brought about by Schrems II.
What’s the upside?
New SCCs were needed for a variety of reasons, especially as the Directive under which they had been drafted was replaced three years ago. The new SCCs give personal data export terms a GDPR refresh. Also, the modular approach which caters for different types of controlling and processing scenarios will benefit the vast majority of users, especially non-EU controllers (e.g. US-HQ’s).
What’s the downside?
Do you have the in-house knowhow and capacity to assess the laws of relevant third countries for the purpose of performing mandatory country risk assessments? Do you have a team that will contact joint controllers, processors and sub-processors with the most appropriate new SCCs relevant to the relationship, and then document, implement and track the new SCCs? If not, there is your downside.
The new SCCs also require comprehensive population of sub-processing details, as well as identification of the appropriate Supervisory Authority and specific security measures — a time-consuming, burdensome obligation. Brexit has also created uncertainty when it comes to use of the new SCCs for exporting personal data outside the UK.
When do I need to action?
If your organisation is in the EU, then the new SCCs will need to be used for new transfers from 27th September 2021: the sunset period for transitioning all transfers to the new SCCs ends on 27th December 2022 (provided processing operations remain unchanged and are subject to appropriate safeguards).
If your organisation is in the UK, it seems you need to hold tight. The ICO (the UK’s data protection regulator) are consulting over the summer on their own bespoke mechanism for exporting personal data outside the UK.
Prior to embarking on an onerous re-papering exercise, international group companies with entities in both the EEA and the UK may want to pause to see whether the new EC SCCs are approved as a valid transfer mechanism by the ICO. We hope to hear more about this towards the end of the summer.
Get in touch
For further information or to discuss how these changes may affect your business please get in touch.