After many years of waiting, the European Commission has published the hotly anticipated new standard contractual clauses for international data transfers.
What are standard contractual clauses?
Standard contractual clauses (SCCs) are a set of pre-approved clauses, which have historically formed one of the most popular tools to demonstrate General Data Protection Regulation (GDPR) compliance when transferring data out of the EEA.
Following the demise of the Privacy Shield under Schrems II, many businesses turned to SCCs for peace of mind when transferring data. There was just one problem: they were completely out of date (adopted under the EU Data Protection Directive enacted in 1995 and implemented in 1998) and did not mirror the obligations of the new GDPR.
What has changed?
The European Commission lists the main innovations in the new SCCs as being:
- Updated in line with the General Data Protection Regulation (GDPR);
- One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary.
What do organisations need to know?
Organisations may continue to use the current SCCs in new contracts for three months following the date the SCCs are published in the Official Journal of the European Union.
Existing contracts can continue to rely on the current SCCs for a further 15 months, “provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards”, during which time they are expected to get the new SCCs in place.
The new SCCs will not form part of retained EU law and the UK may need to consider whether to adopt them by way of regulations under the Data Protection Act 2018. The UK Information Commissioner’s Office (ICO) is working on bespoke SCCs under the UK GDPR and plans to consult on them this summer.
The current European Commission SCCs will, however, continue to be available to UK businesses and will be particularly relevant for businesses with customers in Europe, who will expect to see the latest European Commission SCCs from their providers. We would encourage businesses to consider their position now rather than waiting for the ICO SCCs.
In the meantime, organisations will inevitably need to embark on a review exercise to ensure all data transfer agreements and intra-group agreements contain the new standard contractual clauses where needed if personal data is transferred internationally.
At Stephens Scown, we are experienced in assisting clients with their data sharing and processing obligations and agreements. We aim to work collaboratively with you to ensure your data protection obligations and risks are highlighted and addressed appropriately.
If you think your international transfers of data may be impacted by the introduction of the new standard contractual clauses, then we recommend you seek legal advice to make sure the deadlines outlined above are met.