Developments to the Standard Contractual Clauses

On 12 November 2020, the European Commission released a draft set of new Standard Contractual Clauses (“SCC”) for personal data transferred from the EU to a third country.  The consultation on the new draft SCCs was closed on the 10 December 2020.  Following closure of the consultation, there is currently no clarity on what changes may be made to the draft pursuant to the consultation or when the new SCCs may be approved.  Whilst there was initially some hope that this may be in Q1 2021, it is true that significant feedback was received which may delay matters.  As currently drafted, once the new SCCs are approved there will be a one year implementation period for businesses to move their contracts onto the new SCC’s.

The ICO has stated that notwithstanding the end of the Brexit transition period (which ended on 31 December 2020) UK businesses can continue to rely on the existing EU SCCs to transfer personal data from the UK to a third country.  The Schrems II decision will also continue to apply to international data transfers from the UK (as well as the EU), meaning that organisations relying on SCCs will have to comply with the CJEU’s direction to assess transfers on a case by case basis and put in place additional safeguards where necessary before any data is transferred. Essentially, this means completing a ‘Transfer Adequacy Assessment’.

As stated above, organisations in the UK may continue to rely on the existing SCCs.  However, the UK ICO has also stated that once the EU SCCs have been finalised, UK authorities will assess and publish their own version of new ‘UK SCCs’ for consultation. Whilst it could be that the only divergence from the EU SCCs made by the UK are those that are deemed necessary to ensure the UK SCCs make sense in a post-Brexit environment (for example, by substituting references to EU institutions and laws with UK ones), but it is possible that the UK authorities may elect to make more expansive changes.

Again, there is no clear guidance as to when the UK SCC’s will be published but when they are finalised the EU SCCs may cease to be valid for any new and/or existing international data transfers from the UK (potentially following a grace period).  Organisations will need to understanding their international data flows to ensure they can seamlessly implemented any new SCCs, whether EU or UK, required in the coming year to ensure legal international data transfers.

We set out below a high level summary of the key changes in the new EU SCC’s: 

• Data transfers between processors and between EU processors and non-EU controllers are now covered by the SCC’s;
• New warranties as well as detailed notification and documentation obligations have been inserted to comply with the Schrems II judgement;
• There is an increase in the obligations placed on non-EU controllers, including obligations to notify EEA authorities of a data breach; and
• The obligations placed on data importers must be passed on to any further recipients of the personal data to ensure equivalent protections at all times.