Do you Transfer Data from the EU? EU Makes Significant New Developments for SCCs

Last updated 4pm, 12 January 2021

In this article, we focus on two developments that will be significant for businesses who transfer personal data from the UK or the EEA.

1. A Bit of Background

Under GDPR, it is unlawful to transfer personal data from the EEA to a third country, unless you have appropriate measures in place to safeguard those transfers. This is also relevant to Brexit. The UK-EU Co-Operation Agreement permits the free-flow of data from the EEA to the UK for a six-month period following the end of the Brexit transition. However, we await whether the UK gets an adequacy decision in its favour that permits the continuation of this free-flow of data following the expiry of that six-month period. .   See our comments on Brexit data issues, including data transfers, here.In July this year, the European Court of Justice (“CJEU”) handed down its seismic judgment in the “Schrems II” case, which invalidated data transfers from the EEA to the US under the former EU/US Privacy Shield.The decision also called into question the validity of Standard Contractual Clauses (“SCCs”), which are a common method used by businesses to ensure data transfers from the UK/EEA to third countries are lawful under GDPR.In the wake of the Schrems II decision, the EU has moved to modernise how businesses may ensure their data transfers from the UK/EEA are lawful under GDPR.First off, it has issued a set of Recommendations that guide organisations on whether to add supplementary measures to their tools for rendering data transfers lawful.Secondly, it has issued a set of draft SCCs for consultation, with the consulting period ending in December 2020. The EU intends these draft SCCs to replace the current versions (on which many businesses rely to cover their cross-border data transfers).We summarise these developments below, including how businesses should respond to them. 

2. The new Recommendations in Brief

The European Data Protection Board (“EDPB”) issued the Recommendations because Schrems II said organisations should assess whether the data they transfer to a third country will be adequately protected by the third country's laws.The Recommendations therefore set out six steps to determine whether your business needs to apply supplementary measures to its transfers, to ensure the transferred data is protected:

• Step 1: Know your Transfers. To protect your data flows, you must first identify where your data is going. You must also determine whether your transfers of data are adequate, relevant and limited for the purpose for which you are transferring the data from the EEA.
• Step 2: Verify which tool your Transfer relies on. Has the EU Commission deemed the third country to which you are transferring data to have “adequate” data laws? If not, you need to select a mechanism to legitimise your transfers. These mechanisms could include (for example) using SCCs, entering into intra-group Binding Corporate Rules, or relying on the (narrow) exemptions available under the GDPR.
• Step 3: Does the third country's law impinge on the tool you use to transfer? You should evaluate whether the third country's legislation adversely affects your transfer, especially in relation to the ability of public authorities in that country to access the data. For example, do the surveillance and counter-terrorist authorities in the country have powers that conflict with GDPR? Are the local laws clear, precise and accessible? Are they necessary and proportionate? Are there independent oversight mechanisms? Do individuals have effective rights under the local law? You should also document your due diligence in this area.
• Step 4: Identify and implement supplementary measures that bring the transfer into line with EU law. You will need to do this if you decide that the third country's laws impinge on your data transfer. The EDPB's guidance sets out a number of potential supplementary measures, which you can use alone or in different combinations. These range from technical measures (eg: encryption of data), to contractual clauses, to organisational measures (i.e, policies and procedures governing the data transfer). If none of the measures or combinations of measures bring the transfer into line with EU law, then you must suspend or terminate the transfer.
• Step 5: Take any necessary procedural steps that your chosen measures require. If you are relying on SCCs (as many businesses do), you do not need to undertake further steps unless your chosen supplementary measures impact the terms of the SCCs themselves.
• Step 6: Keep your transfers under review. As a general point, you should keep your measures under review, in case you need to take further steps in future.

The Recommendations are not “hard law” (such as legislation). However, expect EU data regulators to use them when interpreting whether your data transfers comply with GDPR.

3. New Draft SCCs: What is Changing?

The EU Commission has also released the following for public consultation:

• a draft set of new SCCs to cover personal data transfers from the European Union to third countries; and
• a draft set of contractual terms which organisations can use to document their data processing arrangements with processors under Article 28 GDPR.

The EU's new draft SCCs introduce the following key changes to the current SCCs:

• The new draft SCCs cover different transfer scenarios. The new SCCs adopt a “modular” approach, which caters for a wide range of transfer scenarios between controllers and processors. This is a welcome change, as the previous SCCs did not take account of “processor to processor” or “processor to controller” transfers.
• More than two Parties can sign up to the SCCs. This is helpful, because it means companies may not need to enter into multiple separate SCCs when onboarding new vendors or service providers, cutting down on paperwork.
• The terms deal with the fall out from Schrems II. The data exporter and importer will now have to assess whether the data importer can guarantee an adequate level of data protection to the transferred data, bearing in mind the laws of the country in which the data importer is located. As part of this, the data importer may have to tell the data exporter or affected individuals if a public authority in the data importer's country has accessed the transferred data, or is seeking access to it. The data importer will also be required to resist the access request if there are grounds to do so under the relevant country's laws.

4. So, what does this all mean for my Organisation?

These developments, whilst helpful in the long run, will also impose a shorter-term burden on organisations trying to deal with their cross-border data transfers. This could be particularly so if they import data o the UK, in the event that the UK does not get an adequacy decision following the six-month transitional period for data transfers that the UK-EU Co-operation Agreement introduced.:

• Businesses will need to carry out an assessment of the local laws in the third countries that receive their personal data transfers from the EU, using the Recommendations as a guide. This potentially costly exercise might also involve an assessment of UK law, if the UK becomes a “non-adequate” third country country post-Co-Operation Agreement transition period for data transfers.
• Businesses that rely on SCCs to legitimise their data transfers from the UK/EEA will need to replace their current SCC contracts with the final versions of the new draft SCCs. We expect the EU to adopt the new draft SCCs in early 2021. Expect the deadline for implementing the new SCCs to your network of international data transfers to be early 2022.

---

Head to our Brexit Exchange where you will find all the latest updates and developments from our experts, regarding Brexit and how that affects businesses and individuals in a range of areas.