Schrems II and new SCCs
The rules on international transfers of personal data have become increasingly complex since the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case in July 2020.
In Schrems II, the CJEU ruled that:
- The Privacy Shield Framework, one of the lawful mechanisms for transferring personal data from the UK and EEA to the US, is incompatible with the General Data Protection Regulation (“GDPR”) and is invalid, so it can no longer be used for data transfers from the UK or EEA to the US; and
- Where businesses rely on one of the other lawful mechanisms for transferring personal data outside the UK and EEA, such as the Standard Contractual Clauses (“SCCs”), there is an additional requirement that the data exporter, in conjunction with the data importer, carries out a transfer risk assessment (“TRA”) to verify that the laws and practices of the data importer’s country meet GDPR standards in respect of the transferred data and, where they do not, to implement supplementary measures to protect the transferred data.
In June 2021, the EU Commission’s new EU SCCs came into force. They are designed to tackle three key points:
- They deal with known deficiencies in the old EU SCCs, such as catering for data transfers involving multiple parties and from processors to sub-processors;
- Whereas the old EU SCCs allowed the parties to meet their obligations under the repealed Directive 95/46, the new EU SCCs are consistent with the GDPR; and
- The new EU SCCs take account of Schrems II.
Further, in March 2022, the UK government’s own post-Brexit version of the EU SCCs, known as the “UK International Data Transfer Agreement” (“IDTA”) and “UK Addendum”, came into force, which must be used instead of the EU SCCs for international transfers of “UK personal data”.
Following Schrems II, the European Data Protection Board (“EDPB”) and the UK Information Commissioner’s Office (“ICO”) issued their respective guidance on how to carry out TRAs and what supplementary measures organisations should implement to protect the transferred data.
Whilst the guidance is helpful, it makes the process of transferring personal data overseas a complex and time-consuming task, and full compliance is often not possible.
Further, even where organisations follow the guidance very closely, there are no guarantees that their transfers will be compliant, because the level of compatibility of overseas laws and practices with the GDPR, and the suitability of any supplementary measures introduced to protect the data, are ultimately subjective and a matter of opinion.
We are therefore seeing some organisations take a more risk-based approach to their international data transfers, particularly where the data being transferred is non-sensitive and low risk. The process they are following is:
- Instead of analysing the laws and practices of the data importer’s country in detail, they use a proxy index to assess the overall risk profile; and
- Instead of analysing each individual data flow, they assign the data to smaller and more manageable groups and then risk assess each data group.
The aim is that in most cases the organisation can conclude the actual risk to the data is low and can proceed with the transfer by putting realistic supplementary measures in place to protect the data.
Whilst this approach has not been approved by the UK or EU regulators, it gives organisations a more pragmatic way to proceed with some of their business-as-usual international transfers.
New EU SCCs
The new EU SCCs follow a modular approach so organisations select the appropriate module for their transfer – controller-to-controller (module 1), controller-to-processor (module 2), processor-to-(sub)processor (module 3) and processor-to-controller (module 4). There are annexes that need to be completed with the details of the transfer and the security measures implemented to protect the data.
The key dates for the new EU SCCs are:
- They came into force on 4 June 2021;
- From 27 September 2021 they must be used for all new transfers of EU personal data;
- By 27 December 2022 all existing contracts on the old EU SCCs must have been moved over to the new EU SCCs.
UK IDTA and Addendum
The UK IDTA contains similar clauses to the new EU SCCs. However, an important difference is that the UK IDTA does not use the modular approach. Instead, it is a “one size fits all” contract that is used in full for all data transfers.
As with the new EU SCCs, the UK IDTA has various tables that need to be completed with the details of the transfer and the security measures implemented to protect the data.
One of the key concerns when the UK IDTA was first proposed was that multinational organisations handling both EU and UK personal data would have to enter into two separate contracts for their international transfers – the new EU SCCs for their transfers of “EU personal data” and the UK IDTA for their transfers of “UK personal data”.
The UK government’s solution is the UK Addendum, which is a bolt-on to the new EU SCCs and allows the new EU SCCs to be used for international transfers of both EU and UK personal data.
The key dates for the UK IDTA and Addendum are:
- They came into force on 21 March 2022;
- From 21 September 2022 they must be used for all new transfers of UK personal data; and
- By 21 March 2024 all existing contracts on the old EU SCCs must have been moved over to the UK IDTA or Addendum.
What you should do now
All organisations involved in international transfers of personal data should conduct an audit of their data flows to understand where the data comes from and where it goes to.
Once the data flows have been mapped, organisations should carry out and document TRAs and identify what supplementary measures need to be put in place to protect the data to GDPR standards.
Organisations should also review their commercial contracts to make sure they incorporate the new EU SCCs or UK IDTA / UK Addendum as appropriate by the dates set out above.