The Office of the Data Protection Authority ("ODPA") in Guernsey has approved the European Commission's (the "Commission") new standard contractual clauses ("New SCCs") for the international transfer of personal data to "third countries" which have not yet adopted data protection legislation that is equivalent to the EU's General Data Protection Regulation ("GDPR") and so are not yet considered to have 'adequacy'. The ODPA has also published a helpful technical update on international data transfers which includes the current list of jurisdictions with adequacy.
The New SCCs have a transitional period and controllers and processors must transition all existing contracts to the New SCCs by 27 December 2022.
Guernsey was one of the first jurisdictions outside of the EU to adopt data protection legislation that is equivalent to the GDPR. Under the Data Protection (Bailiwick of Guernsey) Law, 2017, as amended (the "DP Law"), if a data controller or processor in Guernsey transfers personal data to a person located in a "third country", being a jurisdiction that has not yet adopted data protection legislation that the Commission considers is equivalent to the GDPR, the controller/processor must ensure there are one or more safeguards in place to enable individuals to enforce their rights against the controller/processor.
One, and arguably the most important, of these statutory safeguards is for the controller/processor to ensure that there is a contract in place between the transferor and the recipient of the personal data which covers certain matters set out in the DP Law which are designed to afford continuing protection to the personal data.
The Commission had adopted "standard contractual clauses" ("SCCs") that could be used for this purpose and Guernsey had adopted those SCCs.
The Schrems II Case
However, in July 2020 the Court of Justice of the European Union ("ECJ") issued its decision in Schrems II (Case C-311/18) which cast doubt as to whether transfers of personal data could always be made to persons in third countries using the SCCs. The ECJ did find that the SCCs were valid as a transfer mechanism, but they needed some work as a person transferring data to a third country could not rely on the SCCs alone. That person also had to assess the third country's level of compliance with the GDPR and ensure that the third country had equivalent data protection as the GDPR.
This means that the data recipient in the third country must be required to inform the data controller/processor exporting the data of any impediments to its compliance to the SCCs. If the existence of third country laws or regulations mean that the third country's laws do not fully align with the GDPR, then the data exporter must stop the data sharing and end the contract. If the data exporter fails its obligations under the SCCs, the lead supervisory authority (the ODPA for Guernsey) must intervene and can prohibit the data sharing.
The New SCCs
The New SCCs issued by the Commission take into account and reflect the Schrems II judgement, and ensure a higher level of data protection. However, before the New SCCs can be adopted and relied upon by Guernsey businesses who transfer data to a third country, they had to be approved by the ODPA. This has now happened.
Guernsey businesses who transfer personal data internationally or are looking to transfer personal data internationally to a third country should review their existing contractual arrangements, particularly where they rely on the SCCs, to ensure that there are no gaps following either the Schrems II judgement or the adoption of the New SCCs. The New SCCs have a transitional period and controllers and processors must stop using the prior SCCs in new contracts by 27 September 2021 and all existing contracts relying on prior SCCs must be transitioned to the New SCCs by 27 December 2022.
About Walkers' data protection practice
Walkers has a dedicated experienced data protection group that can offer bespoke privileged legal advice and guidance in connection with all aspects of the Channel Islands' data protection regimes, including assisting with the preparation or amendment of international data transfer agreements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.