Using the new EU standard clauses to enable cross-border data export

From 27 June 2021, organisations will be able to adopt new ‘standard contractual clauses’ (SCCs) to permit lawful export of personal data from the EU to ‘third countries’. This post:

  • recommends what companies should do now
  • describes the background to the EU’s data export rules
  • explains how the new SCCs differ from prior versions
  • considers the implications for data transfers in and out of the UK

What should you do now?

Recommendations

Organisations should:

  1. use the new SCCs for all new contracts entered into after 27 June 2021*.
  2. review all existing agreements using SCCs and formulate a plan to replace the old SCCs with new SCCs by 27 December 2022.

*Whilst the old SCCs can be used for new contracts until 27 September 2021, they will become invalid after 27 December 2022, so the new SCCs should be used for new contracts as soon as possible to minimise the number of contracts needing to be updated.

Transition timelines

Existing (old) SCCs:

  • can validly remain in place until 27 December 2022
  • be entered into until 27 September 2021

New SCCs:

  • can only be used after 27 June 2021

Background to personal data export from the EU

If your business operates both in and outside the European Union (EU), you will likely want to move (i.e. export) personal data from the EU to a ‘third country’ (note: the UK is now a ‘third country’, EEA countries are not).

However European privacy law (specifically articles 44-50 of the General Data Protection Regulation (GDPR)) prohibits the export of personal data from the EU to a third country unless the data exporter can ensure that ‘the level of protection of natural persons‘ is the same after export as within the EU.

GDPR sets out alternative ways in which the legally required protection for exported personal data can be achieved:

  • first, the EU could find that the third country’s laws provide adequate protection (article 45 GDPR) and personal data may be exported on that basis. The EU has made an adequacy decision in respect of data export to AndorraArgentinaCanada (commercial organisations), Faroe IslandsGuernseyIsraelIsle of ManJapanJerseyNew ZealandSwitzerland and Uruguay and is considering adequacy decisions for the UK and South Korea
  • second, personal data may be exported where appropriate safeguards are put in place with enforceable data subject rights and effective legal remedies for data subjects are available (article 46(1) GDPR). GDPR specifies what appropriate safeguards may be used:
    • a legally binding and enforceable instrument between public authorities or bodies (art 46(2)(a))
    • binding corporate rules (art 46(2)(b))
    • use of standard data protection clauses adopted by the EU Commission (art 46(2)(c))
    • use of standard data protection clauses adopted by national regulator and approved by the EU Commission – i.e. SCCs (art 46(2)(d))
    • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(e))
    • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(f))
    • subject to approval by a national regulator, contractual clauses and/or cross border administrative arrangements (art 46(3)
  • Finally, there are limited derogations (art 49) which allow the export of personal data in the following circumstances. However, EDPB regulatory guidance makes it clear that these are ‘exceptional’ and should not be relied on for routine ‘business as usual’ data export.

Whilst SCCs (standard data protection clauses approved by the EU Commission) are only one of a variety of measures that can be used to enable lawful data export from the EU, in practice they are the most widely used by multi-national companies and organisations. The update to SCCs will therefore impact many international companies.

New EU standard contractual clauses from 27 June 2021

‘Old’ SCCs (2001, 2004 and 2010) currently in use

EU privacy law has a long history. Before GDPR came into force in 2018, the 1995 European Data Protection Directive prohibited data export unless the exporter could ensure an adequate level of protection. The European Commission published various sets of standard contractual clauses which, if adopted, provided companies with a presumption that they had ensured adequate protection for their data exports.

The ‘old’ SCCs, implemented to enable lawful data export under the Data Protection Directive, but still currently in use, are:

Despite GDPR coming into force in 2018 (and court cases on data export such as Schrems and Schrems II), the SCCs were not updated until 4 June 2021, when the European Commission published revised SCCs (2021 SCCs).

Differences between old SCCs and 2021 SCCs

So, what has changed? In short, quite a lot:

  • a new ‘mix and match’ modular structure catering for processor to controller and processor to processor data exports in addition to the controller to controller and controller to processor exports permitted under the old SCCs
  • provisions to address issues raised by the Schrems II court decision:
    • both parties to carry out and document an assessment of the data importing country’s laws and practices, with ongoing notification obligations on data importer
    • data importer to provide a point of contact to data subjects
  • GDPR updates
    • the ‘to processor‘ modules include all provisions required by GDPR, which should mean the end of supplemental ‘data processing addenda’ (DPA)s
    • technical and organisational measures to be adopted by the data importer should be included as a detailed description in the new SCCs
    • joint and several liability with indemnity provisions mirroring GDPR requirements
    • prescriptive requirements for importing data controllers with regard to the purposes for which they process data, their obligations to actively notify data subjects and onwards data transfer

Implications for UK businesses

Personal data from EU to UK

Now that the UK has left the EU it is a third country. Whilst the EU is considering whether to make an adequacy decision in relation to the UK’s data protection laws, without that decision in place organisations wishing to export data from the EU to the UK need to rely on alternative appropriate safeguards, and many are using SCCs, and should update to the new SCCs as discussed above.

Personal data from UK to EU

The ‘old’ SCCs remain valid in the UK (as part of EU retained law following Brexit) but their revocation and replacement in EU law has no effect in the UK, which means that UK organisations should continue to use the old SCCs for data export to the EU (and elsewhere).

It remains to be seen how the UK government and ICO will react to the new SCCs – the ICO has announced that they will be consulting on revised UK SCCs in the summer.