Ryan Mitchell | 28th June 2021

EU standard contractual clauses (SCCs): recent changes explained



Since the implementation of the GDPR in May 2018, certain international transfers of personal data have required additional protections.

The EU’s approved set of standard contractual clauses (SCCs) is one of the ‘appropriate safeguards’ (approved forms of protection) which you can rely upon to transfer personal data internationally without breaching data protection law. The SCCs work by imposing contractual obligations on the receiving party which broadly reflect the rules set out in the GDPR.

EU standard contractual clauses

The EU has recently approved a new set of standard contractual clauses. This article explains which version of the SCCs should be used when transferring personal data outside of the UK and EU.

Data transfers between the UK and EU post-Brexit

The UK and the EU operate separate lists of ‘safe’ countries which are deemed to have legal systems which adequately protect personal data. Transfers to countries not on those lists will generally require an appropriate safeguard (such as the SCCs) to be put in place by the individual or organisation transferring the personal data.

The EU member states are listed on the UK’s list of ‘safe’ countries. This means that personal data transfers from the UK to the EU haven’t required the use of appropriate safeguards. That isn’t expected to change.

On 1 January 2021, the UK was temporarily added to the EU’s list of ‘safe’ countries because the UK GDPR closely mirrored the original EU GDPR and therefore offered comparable levels of protection for personal data. You can see the full list of countries here. As a result, the SCCs (or indeed the use of any other appropriate safeguards) haven’t been required when transferring personal data from the EU to the UK since 1 January. That temporary status ends on 1 July 2021 but the EU has now approved adding the UK to its ‘safe’ list on a more permanent basis. This is expected to take effect before 1 July, meaning data transfers from the EU to the UK won’t be interrupted.

The EU also recently approved a new set of SCCs which will soon take effect.

What impact will the ‘new’ EU standard contractual clauses have?

The new EU SCCs consolidate the various old EU SCCs into one document. The document has a modular structure making it easier to include the sections which apply to your data processing.

The rules on which SCCs you need to use will depend on which way the personal data is being transferred and when you are entering into the SCCs.

For transfers of personal data from the UK to third countries (i.e. countries not on the UK ‘safe’ list) you can use either:

  • The ‘old’ EU SCCs which we adopted in the UK following Brexit. These would need to be amended to refer to UK GDPR rather than EU GDPR, meaning it’s easier to use the ICO’s updated versions instead (see next bullet).
  • The UK SCCs published by the ICO following Brexit, which you can download. These versions have built-in guidance to help you complete them.

You cannot use the new EU SCCs for transfers of personal data coming from the UK. This is because they only apply to transfers coming from EU member states.

The UK government is expected to start work on a more modern set of UK SCCs in the not-too-distant future. In the meantime, UK entities are limited to using the EU SCCs which were retained following Brexit (which include the ICO’s updated versions which are mentioned above).

For transfers of personal data from EU member states to third countries (i.e. countries not on the EU ‘safe’ list) you can use:

  • The old EU SCCs until 27 December 2022, provided they were entered into before 27 September 2021. From 28 December 2022 the old SCCs must be replaced by the new SCCs.
  • The new EU SCCs from 27 June 2021. You can find a copy of the new SCCs by opening the Commission’s decision. The new SCCs start at the Annex after Article 4.

A reminder on risk assessments

An EU decision in July 2020 (Schrems II) clarified the law on using the SCCs. Following the decision, data controllers must carry out a risk assessment to check that the SCCs, once signed by each party, are going to be effective in practice. This assessment particularly focuses on whether state surveillance in the receiving party’s country might undermine the protections set out in the SCCs.

Having carried out the assessment, if you’re not confident that the SCCs will be effective in practice then you will need to put in place ‘supplementary measures’ to protect the personal data. There is a range of supplementary measures; one example is implementing strong encryption of the data. Failing to implement a supplementary measure may mean the transfer is unlawful.

Even though the Schrems II decision was an EU one, the UK regulator has confirmed that it applies to transfers from the UK following the end of the Brexit transitional period. At time of writing, we are waiting for official guidance from the ICO on how to conduct risk assessments and on what supplementary measures are available. The European Data Protection Board has published a guidance document. This document isn’t legally binding on transfers from the UK but it is a helpful guide whilst waiting for the ICO’s own guidance to be published.

Navigating the rules on international transfers of personal data can be tricky. If you would like any assistance with your data transfers, or with data protection matters generally, then please email or call me.