Your questions answered on the international data transfer component of GDPR
On Friday, 4 June 2021, the European Commission published the long-awaited Standard Contractual Clauses (SCCs) to help European companies transfer data outside of the EEA.
Organisations can carry on using the current SCCs for a further 3 months and 20 days, until 24 September, 2021. Then there will be 18 months and 20 days to get the new SCCs in place. This means that GDPR organisations must ensure that all vendor contracts and intra-group agreements contain the new SCCs by 24 December, 2022.
What was published?
Two sets of SCCs were published. One for use between controllers and processors, and one for the transfer of personal data to third countries. Previously there were only drafts of such documents, and these final versions took into account the opinions of the European Data Protection Board and European Data Protection Supervisor.
What is the difference?
The old SCCs focused only on controller to controller or controller to processor transfers. However under the new SCCs, there are also module clauses for processor to processor transfers and processor to controller transfers. This is useful for companies in particular who are data exporters outside of the EEA, but are still subject to GDPR.
“Practical experience” can be taken into account when analysing the legality of data transfers. This is weaker than the “objective analysis” the European Data Protection Board wanted, and should make it easier for most businesses who are not regularly subject to data requests by foreign intelligence bodies.
There’s also a new docking clause, allowing parties that are joining the processing operation to be part of the same contract, instead of signing a whole range of individual agreements with organisations.
What else is included in the SCCs?
The new clauses retain the annex requirement which must be completed for SCCs to be valid. The annex includes an overview of all the parties involved, descriptions of the transfer as well as the technical and organisational security measures implemented to protect the transfer. SCCs must also include an overview of the subprocessors involved in the operations. The annex must be readily available to the data protection authority on request.
Why the need for new SCCs?
Firstly the old SCCs predated GDPR. Secondly, The European Court of Justice decision known as Schrems II which invalidated the EU-US Privacy Shield specifically pointed to the SCCs as needing work. The additional work required was for the companies using the SCCs themselves to ensure the recipient country has an equivalent data protection regime to that of the EU. This required a nuanced and in-depth analysis of the recipient country. The new SCCs enable different elements to be considered as part of an overall assessment of risk, likely making it easier to justify international transfers.
Has liability changed?
Yes. The new SCCs establish joint and several liability of the parties regarding data subjects, and each party must indemnify the other for the portion of liability corresponding to its responsibility. This essentially reflects the liability provisions set out in Article 82 GDPR.
What about notification requirements?
The new SCCs strengthen some notification requirements beyond what is required by GDPR in certain scenarios. For example, the new SCCs require both data exporters and data importers to notify their counterparty if they become aware that transferred personal data is inaccurate or outdated. To comply with this provision in practice, data importers may need to proactively monitor the accuracy of the data they receive under the SCCs.
In a controller to controller scenario, data importers must notify the data exporter and the supervisory authority of a personal data breach if it is likely to result in a risk to the rights and freedoms of natural persons. This goes beyond the draft version of the SCCs which only required notification if the personal data breach was likely to result in significant adverse effects.
Do the new SCCs address all the data protection concerns?
Not exactly. SCCs are not merely the ‘sign and forget’ process they used to be. Companies must do a transfer impact assessment of the third country they are planning to transfer data to. If the conclusion of that assessment is that no measures would properly protect personal data against the risk of government interference, then the data transfer cannot take place.
When should we switch to new SCCs?
New transfers can still be undertaken under the old SCCs until 24 September, 2021, with existing transfers allowed under the old SCCs until 24 December, 2022. While that might seem some time away, it is best to change to the new SCCs as quickly as possible.
Do UK businesses need to implement the new SCCs for international transfers?
At the moment no. The old SCCs remain valid for UK-international data transfers under the Data Protection Act 2018. UK-EU transfers are unaffected until there is an adequacy decision from the EU. The UK may decide to update its legislation and adopt the new EU SCCs regardless, although the ICO is planning to consult and may propose UK-specific SCCs later in the year. If there is a favourable adequacy decision, then UK-EU transfers should not need to rely on SCCs.