The EU Commission has finally adopted new Standard Contractual Clauses for the transfer of personal data outside the EEA. Well, it’s about time! The old ones were drafted for the old Data Protection Directive which became defunct in 2018 when GDPR became enforceable.
The old SCCs were separate, free-standing arrangements for different types of data transfer. The new SCCs address data transfers in a modular format for a broader range of transfers: (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-)Processor and (iv) Processor-to-Controller. While the new SCCs seek to address parts of the Schrems II decision, businesses should still conduct an impact assessment of the transfer rather than blindly rely upon the SCCs.
The new clauses are already in force. The old ones can be used until 27 September 2021 and transfers under the old SCCs can continue until 27 December 2022.
How does this impact the UK?
First, the EU Commission declared that the UK adequately protects personal data. So transfers from the EEA to the UK may occur without the need to enter into any SCCs.
Second, data transfers from the UK to countries outside the EEA must also provide adequate protection for personal data. One way of doing this is to use SCCs of course. But the Commission’s SCCs do not apply to these transfers. Instead, the ICO’s SCCs will apply. Except the ICO hasn’t published any yet (although they’re likely to mirror the Commission’s clauses in any event).
So the EU Commission took years to update its own SCCs. And the ICO hasn’t published theirs yet. Slow hand claps all round.
In the meantime, I recommend you use the Commission’s new SCCs for data transfers outside the EEA but adjust them as required to refer to the UK Data Protection Act. If you know what you’re doing, fine.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.