Monday 27 September 2021 will enter history as the day the old Standard Contractual Clauses (SCCs) are replaced by brand new ones. What a time to be alive!
Sounds great – but what does this actually mean? Let me tell you!
Old vs new
While the old SCCs could be applied as a transfer tool to legalise personal data transfers outside the EEA, the new ones are actually two sets of SCCs:
- Set #1 – like the old SCCs, it is a transfer tool outside EEA
- Set #2 – a new set of rules that can be used as a standard Data Processing Agreement (DPA) for data transfers between a controller and a processor within the EEA
The old SCCs have been in force since the days of the Data Protection Directive (DPD) of 1995. A lot has changed since then. Most notably the DPD was replaced by the GDPR in 2018, but the courts have also been actively shaping the way the laws need to be interpreted. With the Schrems II ruling that created a lot of waves, the CJEU added additional obligations on organisations that want to transfer personal data to countries outside the EEA.
These developments are reflected in the new SCCs, e.g. it is now necessary to assess the legal system and the data protection practices of the destination country to see if the standard for the protection of the data is guaranteed.
Another upgrade to the SCCs is that they now follow a modular approach that allows them to cover all kinds of transfer scenarios to third countries that don’t enjoy the ease of having an adequacy decision. This brings certainty for the data transfer scenarios processor to controller and processor to processor, which were not covered under the old SCCs.
The new SCCs include the following modules:
- Controller to controller
- Controller to processor
- Processor to processor
- Processor to controller
Will the old SCCs we used so far be invalid?
For the ones late to the party – no need to panic! If you have entered into the old SCCs before 27 September 2021 they will remain valid until 27 December 2022 – provided that supplementary measures required by the Schrems II decision have been implemented. In other words, you have to assess the data protection level offered by the destination country and introduce mitigation measures if it is not essentially equivalent to the level of protection offered in the EU.
As of September 27, 2021 we’ll have to use the new SCCs as a transfer tool. It would be prudent to already start thinking about replacing existing data transfers that rely on the old SCCs as the designated transfer tool. In the future, they will have to be migrated to the new SCCs or a different mechanism such as Binding Corporate Rules.
What changes are there to data transfers between the EEA and the UK?
Not much. There’s no need for entering into SCCs since both the UK government and the EU commission adopted adequacy decisions. This means that the data protection regimes are seen as offering an essentially equivalent standard of data protection. Personal data can therefore flow freely between the UK and the EEA.
What about data transfers from the UK to third countries?
The UK government declared that the old SCCs will remain valid for existing and new transfers to third countries. However, it may be necessary to amend them to reflect that they apply to the UK and not the EU. The Schrems II decision also impacts the UK and therefore requires assessing the destination country’s level of data protection. If said level is not essentially equivalent to the one offered in the EU, mitigating measures need to be introduced. The ICO published UK versions of the SCCs to reflect the necessary changes.
The new EU SCCs are not part of the retained EU law in the UK and can therefore not be used for transfers from the UK to third countries. The ICO is currently involved in a consultation on the new SCCs but it is not clear what the outcome of it will be.
Do I have to use the second set of SCCs instead of my own DPA template for data transfers within the EEA?
No. You can still use your custom DPAs as long as they are compliant with Art. 28 GDPR. However, to ease DPA negotiations you might want to consider switching to the standard set of DPA rules set out in the second set of SCCs.
Here are the next steps you should take if you are using the old SCCs:
- List all personal data transfers outside the EEA
- Find the ones that rely on SCCs as the designated transfer tool
- Reach out to the data importer to start the migration to the new SCCs or a different transfer tool
- Determine which module(s) of the new SCCs apply
- Conduct an assessment of the legal system and privacy practices of the destination country and implement mitigating measures (Schrems II)
- Have all old SCCs replaced by 27 December 2022