Since the implementation of the GDPR in May 2018, certain international transfers of personal data have required additional protections.
The EU’s approved set of standard contractual clauses (SCCs) is one of the ‘appropriate safeguards’ (approved forms of protection) which you can rely upon to transfer personal data internationally without breaching data protection law. The SCCs work by imposing contractual obligations on the receiving party which broadly reflect the rules set out in the GDPR.
The EU has recently approved a new set of standard contractual clauses. This article explains which version of the SCCs should be used when transferring personal data outside of the UK and EU.
The UK and the EU operate separate lists of ‘safe’ countries which are deemed to have legal systems which adequately protect personal data. Transfers to countries not on those lists will generally require an appropriate safeguard (such as the SCCs) to be put in place by the individual or organisation transferring the personal data.
The EU member states are listed on the UK’s list of ‘safe’ countries. This means that personal data transfers from the UK to the EU haven’t required the use of appropriate safeguards. That isn’t expected to change.
On 1 January 2021, the UK was temporarily added to the EU’s list of ‘safe’ countries because the UK GDPR closely mirrored the original EU GDPR and therefore offered comparable levels of protection for personal data. You can see the full list of countries here. As a result, the SCCs (or indeed the use of any other appropriate safeguards) haven’t been required when transferring personal data from the EU to the UK since 1 January. That temporary status ends on 1 July 2021 but the EU has now approved adding the UK to its ‘safe’ list on a more permanent basis. This is expected to take effect before 1 July, meaning data transfers from the EU to the UK won’t be interrupted.
The EU also recently approved a new set of SCCs which will soon take effect.
The new EU SCCs consolidate the various old EU SCCs into one document. The document has a modular structure making it easier to include the sections which apply to your data processing.
The rules on which SCCs you need to use will depend on which way the personal data is being transferred and when you are entering into the SCCs.
For transfers of personal data from the UK to third countries (i.e. countries not on the UK ‘safe’ list) you can use either:
You cannot use the new EU SCCs for transfers of personal data coming from the UK. This is because they only apply to transfers coming from EU member states.
The UK government is expected to start work on a more modern set of UK SCCs in the not-too-distant future. In the meantime, UK entities are limited to using the EU SCCs which were retained following Brexit (which include the ICO’s updated versions which are mentioned above).
For transfers of personal data from EU member states to third countries (i.e. countries not on the EU ‘safe’ list) you can use:
An EU decision in July 2020 (Schrems II) clarified the law on using the SCCs. Following the decision, data controllers must carry out a risk assessment to check that the SCCs, once signed by each party, are going to be effective in practice. This assessment particularly focuses on whether state surveillance in the receiving party’s country might undermine the protections set out in the SCCs.
Having carried out the assessment, if you’re not confident that the SCCs will be effective in practice then you will need to put in place ‘supplementary measures’ to protect the personal data. There are a range of supplementary measures and one example is implementing strong encryption of the data. Failing to implement a supplementary measure may mean the transfer is unlawful.
Even though the Schrems II decision was an EU one, the UK regulator has confirmed that it applies to transfers from the UK following the end of the Brexit transitional period. At the time of writing, we are waiting for official guidance from the ICO on how to conduct risk assessments and on what supplementary measures are available. The European Data Protection Board has published a guidance document. This document isn’t legally binding on transfers from the UK but it is a helpful guide whilst waiting for the ICO’s own guidance to be published.
Navigating the rules on international transfers of personal data can be tricky. If you would like any assistance with your data transfers, or with data protection matters generally, then please email or call me.