Cross-Border Transfers of Personal Data: The Post-Schrems II and Brexit Landscape Begins to Take Shape
In the wake of the landmark judgment in Schrems II in July 2020 (which invalidated the EU-US Privacy Shield with immediate effect, as reported by us here), the European Commission has recently adopted a number of hotly anticipated (at least in the privacy world!) decisions that re-adjust the framework for transferring personal data from the European Economic Area (the “EEA”) to countries outside the EEA (“third countries”) and the United Kingdom.
These decisions include:
- an implementing decision which approves a new form of Standard Contractual Clauses (the “New SCCs”) for legitimising transfers of personal data that is subject to the GDPR outside the EEA to third countries not recognised as having an adequate level of protection for personal data (e.g., the US); and
- two implementing decisions confirming that the UK provides an adequate level of protection for personal data originating in the EEA, which permit the continued free flow of personal data from within the EEA to the UK.
In the UK, the Information Commissioner’s Office has also published a number of draft documents for consultation which indicate how transfers of personal data outside the UK to third countries might be legitimised going forward.
This Kirkland Alert summarises, at a high level, the key impacts and significance of these developments and outlines the practical steps that businesses should now be taking to ensure continued compliance with the European and UK rules applicable to cross-border transfers of personal data.
The New SCCs — Background
As reported by us here, in July 2020, the Schrems II decision determined that the Standard Contractual Clauses (the “SCCs”) remain valid as a data transferring mechanism subject to: (i) the data exporter assessing, analysing and verifying that the personal data being transferred will be adequately protected in the country to which the personal data is being exported (this is now commonly referred to as carrying out a ‘Transfer Impact Assessment’); and (ii) the data exporter adopting supplementary measures to safeguard the transfer.
In light of: (i) the Schrems II decision and (ii) the outdated nature of the previous SCCs (which were adopted years before the entry into force of the GDPR), the European Commission published a discussion draft of New SCCs which, following consultation, were formally approved by the European Commission on 21 June 2021.
The New SCCs — Key Clauses and Changes
The New SCCs are intended to address the inadequacies of the previous SCCs and reflect the findings of the Court of Justice of the European Union in Schrems II, by including the following key changes:
- Modular Format: Whereas the old SCCs could only be implemented on a controller-to-controller and controller-to-processor basis, the New SCCs adopt a modular format which accommodates four different data processing relationships: (a) controller-to-controller (“C2C”); (b) controller-to-processor (“C2P”); (c) processor-to-processor (“P2P”); and (d) processor-to-controller (“P2C”). Depending on the relationship between the parties, different ‘modules’ will apply; however, certain clauses apply to all data processing relationships.
- Data Processing Terms: A pragmatic feature of the New SCCs is that the C2P clauses contain the list of terms mandated by Article 28(3) GDPR. This means that exporters and importers entering into the New SCCs do not need to enter into an additional data processing agreement in satisfaction of Article 28(3) GDPR; however, the parties may nonetheless opt to do so.
- Exporting Party: The New SCCs can be entered into whenever the exporter is subject to the GDPR, even if the relevant exporter is not established in the EU for the purposes of Article 3(1) GDPR (i.e., it is subject to the GDPR by virtue of the extra-territorial applicability provisions under Article 3(2) GDPR because it is offering goods or services to, or monitoring, EU data subjects). Such exporters are required to implement the New SCCs when onward transferring any personal data that is subject to the GDPR (e.g., to other controllers or processors based outside the EEA).
- Schrems II and Third Country Surveillance Laws: The New SCCs take into consideration the Schrems II decision and contain specific safeguards to assist exporters and importers to comply with the obligations mandated by this decision.
- Accession: The New SCCs can be entered into by multiple parties and notably contain a “docking” clause which enables additional parties to accede to the New SCCs. This reflects the fluid nature of many corporate structures and removes the need to re-execute new clauses each time a new entity is added to the arrangement.
The New SCCs — Key Dates and Deadlines
Businesses should note that:
- From 27 September 2021, new data transferring arrangements, if legitimised on the basis of SCCs, can only be legitimised on the basis of the New SCCs (i.e., from this date the previous SCCs cannot be entered into for new EEA data transferring arrangements); and
- From 27 December 2022, all data transferring arrangements (old or new) legitimised on the basis of SCCs must be entered into on the terms of the New SCCs. This means that businesses will have until this date to replace (or ‘repaper’) all previous versions of the SCCs with the New SCCs.
UK Adequacy
Following the adoption of the New SCCs, the European Commission has also issued two adequacy decisions in favour of the UK. This much-awaited decision means that personal data can continue to flow freely between the EEA and the UK without there being a need to put in place additional safeguards.
The decision in favour of the UK (which must be renewed every four years) came with a number of qualifications, namely that: (i) the European Commission is able to “intervene” at any point if it decides that the UK has deviated from the level of protection for personal data that it currently has in place; and (ii) the UK adequacy decision will not be renewed by default in four years (i.e., the level of protection of personal data provided by the UK may need to be re-assessed at the time).
Key Impacts for Businesses and Next Steps
As outlined above, businesses will now need to review their data flows and consider how various exports of personal data to different regions can be legitimised going forward.
- EEA - US Transfers: For transfers of personal data from the EEA to the US (and to other third countries), where such transfers are based on the SCCs (in their previous form), businesses will now need to take steps to replace these with the New SCCs within the timeframes specified above.
- EEA - UK Transfers: For transfers of personal data from the EEA to the UK, thankfully no further action is needed for the time being. Over the coming years, however, as UK data protection laws begin to diverge from the EU GDPR, businesses should continue to monitor and consider any commentary or decisions published by the European Commission regarding the sufficiency of UK data protection laws.
- UK - EEA Transfers: For transfers of personal data from the UK to the EEA, for the time being, such transfers can continue without needing to implement any additional arrangements.
- UK - US Transfers: For transfers of personal data from the UK to the US (and to other third countries), the old SCCs can continue to be relied on; however, the UK Information Commissioner’s Office has published a draft ‘International Data Transfer Agreement’ and ‘UK Addendum’ for consultation. The intention is that, once approved and finalised: (i) the International Data Transfer Agreement may be used (in place of the old form SCCs) for transfers of personal data outside the UK; and (ii) the UK Addendum can be appended to the New SCCs for transfers of personal data outside the UK and the EEA (i.e., to avoid businesses having to execute multiple data transferring agreements).