Following the publication of the new EU Standard Contractual Clauses ("SCCs") last year and their UK equivalent at the beginning of this year, any current arrangements for transferring personal data outside of Europe or the UK (e.g. international data transfer agreements involving a European or UK party) should be revisited and updated in the coming months.
1. Background: Data Protection Developments - Introduction of New EU SCCs
The new EU SCCs were published on 4 June 2021 and came into force on 27 September 2021 and are applicable to all transfers of personal data from the EEA to third countries outside the EEA ("EU Restricted Transfers").
By way of a recap, the GDPR prohibits EU Restricted Transfers unless a condition under the GDPR is satisfied. One of these conditions is the use of SCCs which effectively function as a contract 'pre-approved' by the European Commission entered into between the data exporter and data importer which imposes certain data protection obligations on both parties.
The new EU SCCs have been updated to address some issues with the previous versions of the SCCs and, crucially, to factor in the outcome of the Schrems II decision, which made it clear that an additional level of due diligence in the form of a country specific Data Transfer Impact Assessment ("DTIA") needs to be carried out before any EU Restricted Transfer is made.
The introduction of the new EU SCCs also means that any previous Intragroup Data Transfer Agreements ("IDTA") that incorporated the old SCCs will need to be updated, as will any Data Transfer Agreements ("DTA") that have been entered into with third parties and incorporate the old SCCs, since the new EU SCCs must be used for all new agreements to legitimise EU Restricted Transfers.
It is important to note that the old EU SCCs now cannot be used as a valid transfer mechanism for new agreements entered into on or after 27 September 2021 ("New Agreements"). As for existing arrangements, for all agreements that were entered into before 27 September 2021 ("Existing Agreements"), the old SCCs will remain valid until 27 December 2022 so all Existing Agreements that rely on the old EU SCCs will need to be repapered and replaced with the new EU SCCs ahead of this date. Practically speaking, this will be relevant to any contractual arrangements that will last beyond December 2022. Further detail concerning this re-papering timeline and some key practical considerations can be found in the linked blogs.
This re-papering exercise will likely involve, at varying degrees, the re-evaluation of current agreements, training and contracting support in order to implement data transfer agreements with appropriate iterations of the new EU SCCs on an ongoing basis.
2. Transfer of personal data from the UK
The requirements that apply in relation to transferring personal data from the UK to third countries outside the UK/EEA (transfers can be made from the UK to the EEA without restriction for the time being) ("UK Restricted Transfers") differ slightly from those which apply to EU Restricted Transfers and need to be addressed in any updated IDTAs and DTAs, with the UK having published a finalised version of its own SCCs and a UK addendum to be used in combination with the new EU SCCs at the beginning of this year. The requirement to carry out DTIAs prior to conducting UK Restricted Transfers, however, remains.
3. Specific Areas for immediate attention: the IDTA, DTAs and country-specific DTIAs
When updating an Intragroup Data Transfer Agreement, the following changes will need to be made:
- replace old SCCs governing existing controller to controller and controller to processor transfers with new EU SCCs (and UK equivalent);
- assess if any intragroup processor to controller and processor to processor transfers are made and add appropriate modules from the new EU SCCs to address these transfers;
- address the differentiation between transfers made between entities based in the EEA and entities based in the UK which are subject to different GDPR requirements and implement the UK addendum to the new EU SCCs;
- consider addressing the specific local law requirements arising out of transfers made from non-UK/EEA jurisdictions[1] by way of country-specific schedules to the IDTA; and
- draft new schedules for the purposes of populating the appendices to the new SCCs and UK equivalent.
Aside from addressing the requirements of the new EU SCCs and their UK equivalent, updating the IDTA is also a good opportunity to update the IDTA more generally to incorporate an accession or adherence mechanism for new entities (to the extent that there isn't one already), refresh any front end controller to controller and controller to processor clauses to align with latest guidance and the SCCs and review the description of processing provisions to ensure that they accurately reflect the intragroup transfers that are occurring in practice. We can assist with all aspects of this exercise.
As outlined above, any Data Processing Agreements currently in place that incorporate the old SCCs will need to be updated to reflect the requirements of the new EU SCCs and their UK equivalent. Specifically, the exercise will require consideration and analysis of the data flows under the arrangements with the relevant third party in order to identify and incorporate the appropriate modules of the new SCCs. As this exercise will usually involve a third party, we can also assist with the negotiation and agreement of these revised DPAs.
Finally, perhaps the most complex development to come out of the introduction of the new SCCs is the requirement to conduct Data Transfer Impact Assessments for all importing jurisdictions outside of the EEA or UK.
In short, this means that a separate DTIA will need to be undertaken for each importing country that receives personal data from your entit(ies) based in the UK or EEA. Such assessments are extensive and require the following elements to be addressed:
- a comprehensive description of the contemplated transfer;
- an assessment of the data importer's operative data protection framework and legal regime;
- an assessment of the likelihood of harm; and
- consideration of any supplementary measures that need to be introduced to mitigate any specific risks identified.
The DTIA is a recent introduction and many practitioners are still getting to grips with how best to interpret and document these requirements. Our Data Protection team, however, has recently developed a methodology to conduct these assessments efficiently in the form of a document which involves awarding a risk rating to each element of the assessment listed above and documenting a final conclusion as to whether an equivalent level of protection with regards to the intended transfer of personal data can be ensured.
4. How HSF may assist you
Our Data Protection team and our innovative Alternative Legal Services team can assist with the coordination and execution of this re-papering exercise. We are currently scheduling in such exercises across 2022 with a range of clients and note that the earlier this exercise is begun, the easier the transition will be.
2022 is set to be another big year in the data protection and privacy space. Our Data Protection team is prepared to guide you through this journey.
[1] For example, a data transfer agreement under which a data exporter imposes data protection obligations on a data importer is a recognised mechanism for cross-border data transfer in Asian jurisdictions with comprehensive data protection laws including, amongst others, Singapore and Hong Kong (recommended practice only, as section 33 of the PDPO is not in operation yet).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.