At the end of last week, the EU Commission adopted a new version of its Standard Contractual Clauses for the transfer of personal data from the EEA to third countries (the ‘New SCCs’).
The New SCCs are intended to reflect changes in data protection law resulting from the introduction of the GDPR (somewhat belatedly!). They are also intended to deal with issues which emerged from the CJEU decision in Schrems II last Summer.
The New SCCs will come into force 12 days after they are published in the Official Journal of the European Union (which is likely to happen imminently). Three months after that, the European Commission’s existing SCCs (the ‘Legacy SCCs’) will no longer be valid for new transfers of data. Businesses which are already using the Legacy SCCs to transfer data, however, will have 18 months to move across to the New SCCs.
In view of the fact that the UK has left the EU (and is now governed by the UK GDPR), what impact, if any, will the New SCCs have on UK businesses?
Data transfers pre-Brexit
While the UK was still part of the EU, transfers of personal data from the UK outside the EEA (known as transfers to ‘third countries’) were prohibited unless:
- The personal data was being transferred to a country which benefitted from an adequacy decision made by the EU Commission;
- The parties implemented one of the additional safeguards listed in the GDPR (the most popular of these being the Legacy SCCs); or
- The transfer could benefit from one of a number of very limited exemptions (e.g. the explicit consent of the data subject).
Transfers of personal data between the UK and EEA member states, however, were not subject to any restrictions.
Data transfers post-Brexit
During the EU/UK transition period, the GDPR continued to apply in the UK and the UK was treated as if it was still a member state of the EU for most data protection purposes. But from the start of this year, the GDPR was replaced in the UK by a UK version of the GDPR (known as the ‘UK GDPR’) and the UK became a third country for the purposes of data transfers between EEA member states and the UK.
However, the EU/UK Trade and Co-operation Agreement introduced a mechanism which created a temporary ‘data bridge’ between EEA member states and the UK. This meant that personal data could continue to travel freely from EEA member states to the UK (i.e. it was not necessary for businesses start using additional safeguards such as the Legacy SCCs). That data bridge is still currently in force but will expire at the end of June 2021. By that time, it is hoped that the EU Commission will have finalised adequacy decisions in relation to the UK.
In addition, some time ago, the UK government made a provisional decision of adequacy in relation to EEA member states. This means that, until such time as the UK government decides to revoke its adequacy decision, personal data can be freely transferred from the UK to EEA member states (i.e. again, it is not necessary for businesses to use additional safeguards such as SCCs).
In relation to transfers of personal data from the UK outside the EEA, in the run up to Brexit, various changes were made by the UK government to the Data Protection Act 2018. Those changes included approval for the continued use of the Legacy SCCs in relation to such data transfers.
Use of the New SCCs
In relation to data transfers from EEA member states, to the UK, the New SCCs will only be relevant if the current data bridge expires without being replaced by adequacy decisions in favour of the UK.
However, in this eventuality:
- Any new transfers of personal data from EEA member states which commence before the Legacy SCCs become invalid can be made on the basis of either the Legacy SCCs or the New SCCs;
- Any new transfers of personal data which commence after the Legacy SCCs become invalid will need to be made on the basis of the New SCCs; and
- Any ongoing data transfers which currently rely on the Legacy SCCs will need to move across to the New SCCs within 18 months of the New SCCs being published in OJEU.
In relation to data transfers from the UK to third countries (i.e. countries outside the EEA), the New SCCs will not automatically be valid for use by UK businesses (i.e. they will not automatically replace the Legacy SCCs). However, the ICO is currently considering whether to recognise the New SCCs for use by UK businesses (this would mean that international organisations transferring personal data out of Europe, could use the New SCCs for both EU and UK transfers).
The ICO is also in the process of working on a bespoke UK set of SCCs. These are likely to be published for consultation this Summer.
- UK businesses transferring personal data to EEA member states don’t need to worry about the New SCCs because of the adequacy decision made by the UK government in favour of EEA member states;
- UK businesses receiving personal data from EEA member states don’t currently need to worry about the New SCCs. However, if the data bridge comes to an end without a finding of adequacy in respect of the UK, the New SCCs may need to be used to ensure that EEA to UK data transfers can continue;
- UK businesses currently using the Legacy SCCs in relation to data transfers to third countries (i.e. countries outside the EEA) can continue to use the Legacy SCCs for the time being. However, it is clear that at some point the Legacy SCCs will be superseded, so it is important to keep an eye on developments relating to possible approval of the New SCCs by the ICO and the ICO’s own bespoke SCCs.
We’ll be publishing a further update soon, in which we’ll take a close look at the New SCCs.
In the meantime, if you’d like any further guidance about data transfers, please get in touch with a member of our Information Law Team.