With new rules in force in the EU and UK, we gauge how firms can navigate the evolving data landscape
Following the publication of the new EU Standard Contractual Clauses (SCCs) last year and their UK equivalent at the beginning of 2022, any current arrangements for transferring personal data outside of Europe or the UK should be revisited and updated in the coming months.
Background: The new EU model clauses
The new EU SCCs came into force on 27 September 2021 and are applicable to all transfers of personal data from the European Economic Area (EEA) to third countries outside the EEA (EU Restricted Transfers).
To recap, the GDPR prohibits EU Restricted Transfers unless a condition under the GDPR is satisfied. One of these conditions is the use of SCCs which function as a contract ‘pre-approved’ by the European Commission, imposing data protection obligations on both data exporter and importer.
The new EU SCCs have been updated to solve issues in earlier versions. Crucially, they factor in the Schrems II decision, which made clear that an additional level of due diligence, in the form of a country-specific Data Transfer Impact Assessment (DTIA), needs to be undertaken before any EU Restricted Transfer is made.
The introduction of the new EU standard also means previous Intragroup Data Transfer Agreements (IDTAs) that incorporated old SCCs will need updating, as will any Data Transfer Agreements (DTAs) entered with third parties that incorporate old SCCs. This is because new EU SCCs must be used for all new agreements to legitimise EU Restricted Transfers.
Significantly, old EU SCCs can no longer be used as a valid transfer mechanism for new agreements entered into on or after 27 September 2021. As for existing arrangements agreed before 27 September 2021, the old SCCs will remain valid until 27 December 2022. This means all existing agreements relying on the old EU contractual model will need re-papering and replacing with the new version ahead of this date.
Practically, this will be relevant to any contractual arrangements lasting beyond December 2022. Further detail concerning this re-papering timeline and some key practical considerations can be found in the linked blogs.
This re-papering exercise will likely involve re-evaluating current agreements, together with training and contracting support, so that data transfer agreements incorporating the appropriate iterations of the new EU contractual terms can be implemented on an ongoing basis.
Transferring personal data from the UK
The requirements applied in relation to transferring personal data from the UK to third countries outside the UK/EEA (UK Restricted Transfers) slightly differ from those applied to EU Restricted Transfers and need to be addressed in any updated IDTAs and DTAs. The UK published a finalised version of its own SCCs and a UK addendum to be used in combination with the new EU counterpart at the beginning of this year. The requirement to carry out DTIAs prior to conducting UK Restricted Transfers, however, remains.
Meanwhile, transfers can be made from the UK to the EEA without restriction for the time being.
Areas for immediate attention: Data transfer agreements and country-specific impact assessments
When updating an IDTA, the following changes will need to be made:
- Replacing old SCCs governing existing controller-to-controller and controller-to-processor transfers with new EU SCCs (and the UK equivalent).
- Assessing if any intragroup processor-to-controller and processor-to-processor transfers are made and adding appropriate modules from the new EU SCCs to address these transfers.
- Addressing the difference between transfers made between entities based in the EEA and entities based in the UK which are subject to different GDPR requirements and implementing the UK addendum to the new EU SCCs.
- Addressing the specific local law requirements arising out of transfers made from non-UK/EEA jurisdictions by way of country-specific schedules to the IDTA.
- Drafting new schedules for the purposes of populating the appendices to the new SCCs and UK equivalent.
Aside from answering the requirements of the new EU SCCs and their UK equivalent, updating the IDTA is also a good opportunity to:
- Update the IDTA more generally to incorporate an accession or adherence mechanism for new entities (to the extent that there isn’t one already).
- Refresh any front-end controller-to-controller and controller-to-processor clauses to align with latest guidance and the SCCs.
- Review the description of processing provisions to ensure they accurately reflect the intragroup transfers that are occurring in practice.
We can assist with all aspects of this exercise.
As outlined above, any Data Processing Agreements currently in place that incorporate the old contractual model will need updating to reflect the requirements of new EU SCCs and their UK equivalent. Specifically, the exercise requires analysis of the data flows under the arrangements with the relevant third party to identify and incorporate the modules of the new SCCs. As this exercise will usually involve a third party, we can also assist with the negotiation and agreement of these revised DPAs.
Finally, perhaps the most complex development to come out of the introduction of the new SCCs is the requirement to conduct DTIAs for all importing jurisdictions outside of the EEA or UK.
This means a separate impact assessment needs to be undertaken for each importing country that receives personal data from your entities based in the UK or EEA. Such assessments are extensive and require the following elements:
- A comprehensive description of the contemplated transfer.
- An assessment of the data importer’s data protection framework and legal regime.
- An assessment of the likelihood of harm.
- Consideration of any supplementary measures needed to mitigate identified risks.
The DTIA is a recent introduction and advisers are still getting to grips with how to interpret and document these requirements. Our Data Protection team, however, has developed a methodology to conduct these assessments efficiently in the form of a document which allocates a risk rating to each element of the assessment listed above. Moreover, the process will document a conclusion assessing whether an equivalent level of protection regarding the intended data transfer can be ensured.