New rules for international data transfers

24 Jun 2021

On 4 June 2021, in a long awaited and very welcome development, the European Commission published a new, modernised set of contractual clauses to allow for international transfers of personal data (the “New Clauses”).
The GDPR prohibits the transfer of personal data out of the EEA except in very narrow circumstances. In many cases the only practical way to transfer personal data in accordance with the GDPR has been to use the “standard contractual clauses” adopted by the European Commission under the old Data Protection Directive. This includes transfers of personal data to the US, China and India, amongst other countries.
Why do we need the New Clauses?
The old standard contractual clauses (“SCCs”) predate the GDPR and so do not always mesh well with the post-GDPR regulatory environment. They also failed to anticipate the complexities of modern data flows. For instance, there were no SCCs suitable for the transfer of personal data from a processor in the EEA to a sub-processor outside the EEA, or from a processor in the EEA to a controller outside the EEA. This often resulted in the SCCs being used where they did not quite fit, for lack of a better alternative, leaving data exporters and data importers unsure of whether they were fully compliant with their obligations under the GDPR.
There is also the impact of the Schrems II decision of the Court of Justice of the European Union from July 2020, which has had a far reaching impact on data protection law and practice. The Court pointed out that the laws and practices of certain countries outside the EEA (and the US in particular) can sometimes override the effect of the SCCs, which means that data subjects whose data is transferred to those countries under the SCCs would not have a sufficient level of protection. Where this occurs, the data exporter and data importer must put in place supplementary measures to protect the rights of the data subject, failing which they must suspend the transfer of personal data outside the EEA.
The New Clauses
The New Clauses are a great improvement on the SCCs. Particular benefits include:
  • Using a new modular system, they can be adapted for transfers from: (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller;
  • Unlike the SCCs, the New Clauses can be used where the data exporter is established outside the EU but is still subject to the GDPR under Article 3(2) (e.g. where a non-EU business offers goods and services to customers in the EU);  
  • The New Clauses address the requirements of the Schrems II decision, including a new Annex which lists examples of possible technical and organisational measures to be adopted to ensure the security of the data transferred; and
  • The New Clauses can be put in place between more than two parties, which will be especially useful for intra-group transfers involving multiple parties in different jurisdictions. They also allow for new parties to be added beyond the initial signatories (the so-called “docking clause”).
How does this affect UK businesses?
At the time of writing (June 2021) the New Clauses are not valid for transfers of personal data from the UK because they came into force after the UK’s exit from the EU. UK businesses will therefore need to continue using the SCCs until either:
  1. the Information Commissioner’s Office adopts its own version of the standard contractual clauses - and we expect to see a draft published this summer for consultation; or  
  2. the UK government adopts the New Clauses for use by UK businesses by way of regulations under the Data Protection Act 2018 (“DPA 2018”).
This is likely to cause confusion for UK businesses, which will be faced with questions such as:
  • What do we do if a customer or supplier asks to replace the SCCs with the New Clauses?
  • We operate in several countries and are bound by both the EU GDPR and the UK GDPR. How does this affect our ability to use the New Clauses and/or obligation to update the SCCs before the deadline?  
These questions are not straightforward. We recommend that legal advice is sought to ensure that your business is complying with the UK rules as well as those EU laws which may still apply.
Can we continue using the SCCs?
The New Clauses come into force on 27 June 2021. However, for businesses subject to the EU GDPR the SCCs can continue to be used:
  • for “new” data transfers until 27 September 2021; and
  • for existing data transfers until 27 December 2022, providing that processing operations remain unchanged and are subject to appropriate safeguards.
Businesses which are currently using the SCCs and are bound by the EU GDPR will need to replace them with the New Clauses at some point before 27 December 2022. However, we recommend that businesses review their  international data transfers before 27 September 2021 to check whether they need to implement the New Clauses before the earlier deadline.
UK businesses not bound by the EU GDPR can continue to use the existing SCCs, but should be alert to the fact that they could be replaced by new versions in the near future.
How we can help
If you have any questions about data protection compliance, please don’t hesitate to get in touch.  The services we offer include:
  • advising on whether a business has to comply with the EU GPDR as well as or in addition to the UK GDPR;
  • helping to put in place the new SCCs;
  • advising on international data transfers;
  • preparing data processing addendums for use with customers or suppliers;
  • drafting intra-group data sharing agreements; and
  • carrying out a full data protection audit to identify any deficiencies in your organisation’s compliance processes and documentation.

Further reading

Controversy surrounds remote Will witnessing amidst rising inheritance disputes

The once lawful practice of remotely witnessing Wills is to be removed due to a surge in contentious inheritance disputes
Read more Read

Changes at Companies House The Economic Crime and Corporate Transparency Act

The Economic Crime and Corporate Transparency Act 2023 (the “Act”) aims to deliver a range of reforms to tackle economic crime and improve transparency over corporate entities.
Read more Read

The Body Shop; once a pioneering ethical brand, now in administration

Frank Bouette, Restructuring and Insolvency Partner, provides commentary on the Body Shop Administration and the fragility of the high street
Read more Read

DMH Stallard advises on St Barnabas and Martlets Hospice merger

The merger is described by St Barnabas as a move that ‘aims to create a stronger, more sustainable and comprehensive hospice care organisation...'
Read more Read
  • Brighton - Jubilee St

    1 Jubilee Street


    East Sussex

    BN1 1GE

  • Brighton - Old Steine

    47 Old Steine


    East Sussex

    BN1 1NW

  • Gatwick

    Griffin House

    135 High Street


    West Sussex

    RH10 1DQ

  • Guildford

    Wonersh House

    The Guildway

    Old Portsmouth Road



    GU3 1LR

  • Hassocks

    32 Keymer Road


    West Sussex

    BN6 8AL

  • Horsham

    3rd Floor

    Afon Building

    Worthing Road


    West Sussex

    RH12 1TL

  • London

    6 New Street Square

    New Fetter Lane


    EC4A 3BF

  • Make an enquiry

    Make an enquiry


    Or head to our Contact us page