Out with the old EU Standard Contractual Clauses (as of September 27th)
Organizations that use the European Union’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) to other countries should have September 27, 2021 circled in red in their calendars (or the virtual equivalent). That’s the date upon which any new SCC-based transfers must be done under the new version of the SCCs, which are discussed here.
Any “old” SCCs that were entered into prior to September 27th remain valid and can be used until December 27, 2022 to govern the covered transfers, provided that the data processing operations remain unchanged and reliance on the clauses ensures that the personal data is subject to appropriate safeguards. But as of December 27, 2022, organizations that are engaged in ongoing transfers (or simply still using previously transferred data) need to segue to the new SCCs.
And let’s not forget that everyone should be doing transfer risk assessments regardless of which version of the SCCs is being used. That’s required in the case of the old SCCs by virtue of the Schrems II decision (discussed here), as underscored by the European Data Protection Board’s guidance (discussed here). Transfer risk assessments are now also an express contractual requirement under the new SCCs, which require the parties to “warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.” The parties are expressly required to declare that they have considered the potential applicability of “the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards.” The parties to the new SCCs are also required to document their transfer risk assessment and make it available to the data protection authorities on request. So for US companies, that means delving into US national security laws.
Depending on how many SCCs your organization has in place, performing the necessary transfer risk assessments (which should be a top priority) and also transitioning to the new and much more detailed SCCs by December 27, 2022 may be a heavy lift. So one of the key Q4 2021/Q12022 work streams for the privacy team at larger organizations should be a review and reassessment of existing data transfers so you can start liaising with your data transfer partners about the new SCCs well in advance of the December deadline. This could also be a good time to check whether data minimization and security requirements are being met, as well as whether your related contracts with service providers also meet the GDPR Article 28 requirements (which are conveniently folded into the new SCCs, but not the old ones).
But what about data transfers from the UK?
So now it gets a bit complicated, particularly if a data transfer includes both UK and EEA personal data. The UK is still accepting the old EU SCCs – but not the new ones, which were adopted after the UK left the EU. The UK Information Commissioner’s Office (ICO) has clarified that the old EU SCCs still need to be used “as-is” except for wording changes that are necessary to refer to the UK’s data protection laws. Fortunately, the ICO has done that work already and has published its suggested UK version of the old EU SCCs – commentary and link to the UK version is here. (Like the EU, the UK also requires a transfer risk assessment.)
But things will change even more – and hopefully shift toward better EEA/UK alignment, at least in substance if not form – when the UK adopts its new international data transfer agreement for organizations to use when transferring personal data out of the UK to a country without an adequacy decision. We commented briefly on the UK’s consultation draft of the international data transfer agreement here. The draft agreement and information about the consultation is available here.
An initial review of the draft agreement shows that the UK has taken a fresh look at the contract terms that are needed to ensure adequate protection of transferred personal data to meet the UK GDPR standard (which is essentially the same as the EU GDPR at this point in time). The length of the consultation document is a bit daunting, clocking in at 66 pages in total, but much of that is dedicated to an FAQ and helpful glossary. Overall, the draft agreement is written clearly and addresses some additional data flow variations that are not expressly covered in the EU SCCs. Certain parts of the draft agreement are presented in a table format that some may find a bit odd, but the goal clearly is to take the reader through the agreement in an orderly manner, and the parties are permitted to turn the final product into a more traditional-looking agreement.
As we noted previously, the UK has explicitly asked for comments on the proposition that a transfer to a recipient outside of the UK who is nonetheless subject to the GDPR (under Art. 3(2)) should not be treated as a data transfer at all. This affects a large number of non-UK companies since it would apply to data processing in connection with offering goods or services to people in the UK, or monitoring their behavior (primarily, automatic online tracking of website and app users). It will be interesting to see the consultation responses to this question -- especially the response of the European Data Protection Board, who will presumably provide comments to the ICO either as part of the consultation process, via regulator-to-regulator communications, or (as they often do) simply by posting comments on their website.
The UK ICO’s consultation closes on October 7, 2021. Anyone can comment, including US organizations, so if your organization imports personal data from the UK, here’s your chance to have your say on the UK regime for international data transfers.
If you have any questions or concerns, please contact the Mintz Privacy & Cybersecurity team or your usual Mintz contact.