The real question is how to transfer in a compliant manner, and in the last few years, the data privacy world has seen quite the evolution. It started with the Schrems II¹ case in July 2020, which simultaneously invalidated the U.S.-EU Privacy Shield (RIP) and put an asterisk next to the Standard Contractual Clauses ("Old SCCs"), particularly in respect of transfers to the United States. The landscape continued to change with the release of a new set of Standard Contractual Clauses ("New SCCs") by the EU Commission in 2021, which, while helpful, don't really remove that asterisk.

At the end of March 2022, there were two more developments: firstly, the United States and European Union announced that they have agreed in principle on a new transfer framework that should address the concerns raised by Schrems II (that is, overreaching by U.S. intelligence agencies and lack of redress for non-U.S. citizens). Further, the U.K. announced it will be moving away from the Old SCCs (which are still being used due to Brexit) in favor of either a standalone U.K. document called the International Data Transfer Agreement ("IDTA") or the New SCCs paired with a U.K.-approved addendum ("Addendum").

The IDTA and Addendum are both a bit more user friendly and flexible than Standard Contractual Clauses, but they are dependent on other documents: the IDTA requires a separate data processing agreement, and the Addendum is only valid when paired with the New SCCs. The Old SCCs are still valid, but they are being phased out and must be replaced by the New SCCs by the end of 2022.

Does this impact you/your business?

  • Are you/your company transferring or receiving personal data from the U.K. and/or the EU?
  • Are you/your company on pace to transition all your relevant relationships involving EU data from the Old SCCs to the New SCCs by the end of 2022?
  • Are you still relying on the Old SCCs for U.K. data transfers?

If you answered "Yes" to any of the above, what does this mean in practice?

Privacy Shield 2.0 and EU Data Transfers

It would be prudent to not jump on the bandwagon. First, there is no delivery date for this new framework, and any data transfers will have to comply with other international transfer mechanisms until the new Privacy Shield takes effect. Second, while the original Privacy Shield (and its predecessor the Safe Harbor) were company favorites because of their relative ease of use, it's unclear whether Mr. Schrems² will agree that the new Privacy Shield addresses the issues raised in his latest case. This means a company could have to switch to the New SCCs or another transfer mechanism anyway if Privacy Shield 2.0 is ultimately invalidated like its predecessors. It should also be noted that any EU data transfers that rely on the Old SCCs should transition to the New SCCs prior to December 27, 2022.

UK Data Transfers

While you can use the IDTA or SCCs/Addendum for the time being, the IDTA or Addendum will be required for any new U.K. data transfer agreements after September 21, 2022, and all existing agreements must transition to the IDTA or Addendum method prior to March 22, 2024.

Turning to the two seemingly longer lasting options, the IDTA and the Addendum methods, the more practical one to rely on may be the Addendum method if EU and U.K. data transfers are occurring. This will eliminate having to attach and complete the New SCCs and the IDTA, both of which are at least 20 pages and require different information to be added by the parties. By contrast, the Addendum is roughly eight pages and works hand-in-glove with the New SCCs. Even if there are no EU data transfers currently, the Addendum method is still more efficient, and can serve to future-proof the agreement if EU data transfers eventually do occur. Lastly, even though you can continue to use the Old SCCs for a few more months, by using one of the newer methods now, you'll save time and money on converting to them leading up to the March 22, 2024 conversion date.

Footnotes

1. Data Protection Commission v. Facebook Ireland Limited and Maximillian Schrems, Court of Justice of the European Union, Case C-311/18 ECLI:EU:C:2020:559 (July 16, 2020).

2. The individual who brought the cases that resulted in the invalidation of Privacy Shield and Safe Harbor.
