New rules for international data transfers

On 4 June 2021, in a long awaited and very welcome development, the European Commission published a new, modernised set of contractual clauses to allow for international transfers of personal data (the “New Clauses”).
 
Background
 
The GDPR prohibits the transfer of personal data out of the EEA except in very narrow circumstances. In many cases the only practical way to transfer personal data in accordance with the GDPR has been to use the “standard contractual clauses” adopted by the European Commission under the old Data Protection Directive. This includes transfers of personal data to the US, China and India, amongst other countries.
 
Why do we need the New Clauses?
 
The old standard contractual clauses (“SCCs”) predate the GDPR and so do not always mesh well with the post-GDPR regulatory environment. They also failed to anticipate the complexities of modern data flows. For instance, there were no SCCs suitable for the transfer of personal data from a processor in the EEA to a sub-processor outside the EEA, or from a processor in the EEA to a controller outside the EEA. This often resulted in the SCCs being used where they did not quite fit, for lack of a better alternative, leaving data exporters and data importers unsure of whether they were fully compliant with their obligations under the GDPR.
 
There is also the impact of the Schrems II decision of the Court of Justice of the European Union from July 2020, which has had a far reaching impact on data protection law and practice. The Court pointed out that the laws and practices of certain countries outside the EEA (and the US in particular) can sometimes override the effect of the SCCs, which means that data subjects whose data is transferred to those countries under the SCCs would not have a sufficient level of protection. Where this occurs, the data exporter and data importer must put in place supplementary measures to protect the rights of the data subject, failing which they must suspend the transfer of personal data outside the EEA.
 
The New Clauses
 
The New Clauses are a great improvement on the SCCs. Particular benefits include:

• Using a new modular system, they can be adapted for transfers from: (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller;
• Unlike the SCCs, the New Clauses can be used where the data exporter is established outside the EU but is still subject to the GDPR under Article 3(2) (e.g. where a non-EU business offers goods and services to customers in the EU);  
• The New Clauses address the requirements of the Schrems II decision, including a new Annex which lists examples of possible technical and organisational measures to be adopted to ensure the security of the data transferred; and
• The New Clauses can be put in place between more than two parties, which will be especially useful for intra-group transfers involving multiple parties in different jurisdictions. They also allow for new parties to be added beyond the initial signatories (the so-called “docking clause”).

 
How does this affect UK businesses?
 
At the time of writing (June 2021) the New Clauses are not valid for transfers of personal data from the UK because they came into force after the UK’s exit from the EU. UK businesses will therefore need to continue using the SCCs until either:
 

1. the Information Commissioner’s Office adopts its own version of the standard contractual clauses - and we expect to see a draft published this summer for consultation; or  
2. the UK government adopts the New Clauses for use by UK businesses by way of regulations under the Data Protection Act 2018 (“DPA 2018”).

 
This is likely to cause confusion for UK businesses, which will be faced with questions such as:
 

• What do we do if a customer or supplier asks to replace the SCCs with the New Clauses?
• We operate in several countries and are bound by both the EU GDPR and the UK GDPR. How does this affect our ability to use the New Clauses and/or obligation to update the SCCs before the deadline?  

These questions are not straightforward. We recommend that legal advice is sought to ensure that your business is complying with the UK rules as well as those EU laws which may still apply.
 
Can we continue using the SCCs?
 
The New Clauses come into force on 27 June 2021. However, for businesses subject to the EU GDPR the SCCs can continue to be used:

• for “new” data transfers until 27 September 2021; and
• for existing data transfers until 27 December 2022, providing that processing operations remain unchanged and are subject to appropriate safeguards.

Businesses which are currently using the SCCs and are bound by the EU GDPR will need to replace them with the New Clauses at some point before 27 December 2022. However, we recommend that businesses review their  international data transfers before 27 September 2021 to check whether they need to implement the New Clauses before the earlier deadline.
 
UK businesses not bound by the EU GDPR can continue to use the existing SCCs, but should be alert to the fact that they could be replaced by new versions in the near future.
 
How we can help
 
If you have any questions about data protection compliance, please don’t hesitate to get in touch.  The services we offer include:

• advising on whether a business has to comply with the EU GPDR as well as or in addition to the UK GDPR;
• helping to put in place the new SCCs;
• advising on international data transfers;
• preparing data processing addendums for use with customers or suppliers;
• drafting intra-group data sharing agreements; and
• carrying out a full data protection audit to identify any deficiencies in your organisation’s compliance processes and documentation.