International data transfers: time to update to the new standard contractual clauses

What is happening?

Retailers which rely upon standard contractual clauses for transferring personal data outside of the European Economic Area (EEA) will need to update their agreements to the new SCCs. This would apply, for example, to the following data transfers:

• a retailer which transfers its European entity’s employees’ personal data to its US headquarters
• a retailer’s European entity which hosts its CRM database with a US-based cloud vendor, and
• a retailer’s European entity which uses a market research agency in Asia to collect survey data from consumers about their preferences.

Note: below we consider the position for data transfers outside of the UK.

The old SCCs provided pre-approved contractual clauses that could be incorporated into contracts as an option to enable compliance with restrictions on transfers of personal data outside of the EEA. They were introduced under the regime of the 1995 Data Protection Directive and required updating to reflect the new terminology and requirements of GDPR. Also, the suitability of the old SCCs was thrown into question following the EU Court of Justice’s (CJEU) 2020 decision in Schrems II, in which the CJEU invalidated the European Commission’s adequacy decision for the EU-US Privacy Shield Framework. Thankfully, standard contractual clauses’ validity as a data transfer mechanism was maintained but the CJEU questioned the efficacy of the old SCCs in providing sufficient protection for personal data without further investigation by data exporters. The new SCCs incorporate provisions to help to address the concerns raised in Schrems II. Remember also that, as a result of the decision in Schrems II, ‘supplementary measures’ may be required in respect of the data transfer, in addition to putting in place the SCCs, to ensure a GDPR-equivalent level of protection (this is addressed in the new SCCs – see below).

Some of the key changes in the new SCCs include:

• one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses. Namely, there are ‘modules’ which contain the contractual terms relevant to the
  following transfers:
  • controller to controller
  • controller to processor
  • processor to processor
  • processor to controller

the new ‘modular’ approach gives greater flexibility for complex processing chains by offering the possibility for more than two parties to join and use the clauses

• more detailed information on the data processing activities for the parties to complete in the Annexes, compared to the more generic requirements under the old SCCs, and
• the new SCCs contain examples of possible ‘supplementary measures’, such as encryption, that retailers could take where needed to comply with the Schrems II decision.

As discussed above, the new SCCs will become mandatory for new transfers on 27 September 2021, and the transitional period for the old SCCs used in existing agreement ends on 27 December 2022, after which all new and old agreements involving the transfer of personal data outside of the EEA will have to incorporate the new SCCs.

“When asked in a poll, 45% of respondents told RPC that the biggest challenge of incorporating new SCCs would be identifying what supplementary measures might be needed on top of the Schrems II clauses; another 42% said finding time to project manage the process and review the third party documents they’d receive.”

Why does it matter?

The new SCCs aim to give companies further flexibility over their data transfers, in particular in relation to complex data chains. The new toolkit launched alongside the new SCCs by the European Data Protection Board also enables easier compliance following Schrems II.

However, considering Brexit, the new SCCs do not form a part of the retained EU legislation in the UK, as they were implemented after the end of the Brexit transitional period. Even so, the UK Information Commissioner’s Office (ICO) is looking to adopt new, bespoke standard contractual clauses in the UK. It has proposed the following:

• a template addendum to the new SCCs (UK addendum), allowing organisations to adapt the new SCCs in order to work for transfers under the UK GDPR. This would mean that companies could use the new SCCs for data transfers from the UK subject to completing the addendum
• a standalone International Data Transfer Agreement (IDTA) which will be the UKs equivalent to, and replace, the SCCs. Companies could use the IDTA for data transfers covered by UK GDPR (only).

We expect many companies to favour putting in place the new SCCs with the UK addendum, so that data transfers outside the UK and EEA are covered “in one go” (unless they are a smaller company or it is a one-off arrangement, and the data flows are only ever expected to be from the UK, in which case the IDTA would be the appropriate solution).

Until such time as the above UK versions of the SCCs are finalised (likely later this year), technically businesses will have to keep using the old SCCs for transfers outside of the UK, and the new SCCs for transfers outside of the EU. The ICO’s consultation on the UK SCCs closes on 7 October 2021.

The adoption of the new SCCs also follows on from the EU granting the UK adequacy for EEA-UK data transfers on 28 June 2021. The adequacy decision allows for data to continue to move freely between the EEA and the UK, and businesses can therefore avoid having to put in place measures to receive data from the EEA, such as the new SCCs, saving an estimated £1.6bn in extra costs for businesses.

What action should you consider?

Retailers that transfer personal data from the EEA or the UK to a third country should consider the following:

• reviewing existing data protection agreements and transfer arrangements to check that:
  • you have a clear understanding as to which arrangements involve data transfers that are subject to (i) UK GDPR and (ii) EU GDPR, and which are subject to both, and
  • any processing operations subject to EU GDPR remain unchanged and are subject to appropriate safeguards to benefit from the transition period (ie until 27 December 2022 for those agreements already using the old SCCs)
• for transfers subject to EU GDPR, ensure that the new SCCs are incorporated into your new data protection agreements where necessary (ie from 27 September 2021), and
• for transfers subject to UK GDPR, keep alert to the publication of the final version of UK SCCs later this year. In the meantime, we continue to see the old SCCs being used for UK GDPR transfers (though some clients subject to both regimes have adopted the new UK addendum as a means of trying to streamline documents and future-proof as far as they can, whilst recognising that there may be changes to the draft)
• we expect that the larger “one to many” providers (eg global cloud hosting providers) are likely to issue you with their own template of the new SCCs, so you may decide to prioritise smaller partners first, and issue them with your own ‘paper’. There is no guarantee that the big providers will do this so we suggest diarising a long stop date (eg June 2022 – six months to the deadline) to follow up with them. Whether you adopt a partial “watch and wait” approach may be determined by how many data importers you have identified in your review, as no one wants to be cramming large volumes of contract reviews and negotiations into a short timeframe
• don’t forget that, as noted above, the Schrems II decision requires an analysis of all third country data transfers that rely on a contractual mechanism such as the SCCs, and adopting SCCs (even the new SCCs) without undertaking the required Transfer Risk Assessment will not be a compliant approach.

This article was written by Rachel Ellis and Jon Bartley as part of RPC's Retail Compass Autumn edition 2021.