International data transfers: Will the UK adopt EU standard contract clauses?
The Information Commissioner’s Office has opened a public consultation on changes to the rules on international data transfers. One of the proposed changes is for the UK to adopt the EU’s standard contract clauses for international data transfers.
What are standard contractual clauses?
Under both the EU GDPR (EU 2016 / 679) and the UK retained version of the GDPR (the UK GDPR), any transfer of personal data to a third country or to an international organisation (referred to as a ‘restricted transfer’) can only take place if certain conditions are complied with (Article 44). A ‘third country’ is defined in the UK GDPR as a country or territory outside of the UK (Article 4(27)). For the purposes of the EU GDPR, a ‘third country’ is a country other than the EU member states and the three additional EEA countries (Norway, Iceland and Liechtenstein).
Under Chapter V of both the UK GDPR and EU GDPR, a restricted transfer can only take place in the following circumstances:
- on the basis of an adequacy decision (Article 45);
- if appropriate safeguards are put in place (Article 46); and
- on the basis of a derogation for a specific situation (Article 49).
SCCs are one of the appropriate safeguards, listed in Article 46, which organisations can use to transfer personal data to a third country where there is no adequacy decision or applicable derogation in place.
What are the EU SCCs?
On 04 June 2021, the European Commission announced that it had adopted new Standard Contractual Clauses (SCCs) for the transfer of personal data from the EEA to third countries.
The European Commission’s new SCCs (the ‘New EU SCCs’) tackle three key issues:
- they address gaps in the current SCCs, such as catering for data transfers involving multiple parties, recognising that international flows of data are increasingly complex;
- they are consistent with the requirements of GDPR, whereas the previous SCCs were created under a now repealed data protection regime; and
- they address the requirements of the Schrems II judgment (for more information on this, see our blog on Schrems II).
The New EU SCCs came into force on 27 June 2021 and can be used in data sharing agreements from this date. The old EU SCCs will be repealed with effect from 27 September 2021. Any contracts entered into after 27 September 2021 will need to use the New EU SCCs. There is a transition period of 18 months to allow businesses and organisations to make the necessary changes to their contractual agreements so that contracts using the old EU SCCs and concluded before 27 September 2021 will remain valid up until 27 December 2022.
The New EU SCCs can be used to comply with the EU GDPR where personal data is being transferred out of the EU to countries whose data protection laws have not been assessed as ‘adequate’ by the EU Commission.
The below summary table sets out which SCCs apply to what type of data transfer:
|Type of data transfer||Applicable legislative regime||Applicable SCCs|
|Transfers from the EU to a third country (without an adequacy decision)||EU GDPR||New EU SCCs can be used from 27 June 2021 and must be used for new contracts from 27 September 2021. Old SCCs can be used for new contracts up until 27 September 2021. Contracts using old SCCs, and entered into before 27 September 2021, will remain valid until 27 December 2022.|
|Transfers from the UK to a third country (without an adequacy regulation)||UK GDPR||UK versions of the old EU SCCs (as approved at 31 December 2020) until these are replaced by new versions from the ICO.|
The European Commission has recently adopted an adequacy decision under the GDPR which means that personal data can now flow freely from the EU to the UK. Similarly, the UK treats the EU member states as having adequate data protection laws. This means organisations and businesses in the UK and EU can transfer personal data between them rather than relying on SCCs.
What would be the benefit of the UK adopting the EU SCCs?
The main benefit of the UK adopting the EU SCCs will be felt by organisations that transfer data from both the EU and the UK to third countries. It would mean that those organisations could rely on a single set of standard contractual clauses for both types of international data transfers.
If the UK does not adopt the new EU SCCs then in future those organisations face having to use two different sets of SCCs; a UK version for transfers out of the UK and the EU version for transfers out of the EU. That would make it harder to standardise contracts with customers and suppliers across the UK and EU and can start to raise questions about conflicts between the two sets of terms.
The ICO’s consultation is due to close on 7 October 2021, which is after the date when the old EU SCCs become invalid for new contracts. Unfortunately that means there will be a period when organisations will need to think more carefully about which set of SCCs they need to use in new contracts, depending on whether they are transferring data out of the UK, the EU, or both.
If you have any questions regarding international data transfers, or need advice about what the New EU SCCs mean for your business/organisation, please get in touch with the BDB Pitmans data protection team.