UK data protection update: Standard contractual clauses and adequacy decision
In this article we provide an update on our previous article, "Data protection: European Commission kicks off UK adequacy process", and consider the validity of the European Commission’s (EC) new Standard Contractual Clauses (SCCs) in the UK.
1. The EC’s draft adequacy decision on UK data protection
a. What is an adequacy decision?
An adequacy decision is a determination by the EC that a non-EU country (or sector within a non-EU country) offers an adequate level of data protection and therefore that personal data can be shared with it. If an adequacy decision is made, then personal data can continue to be freely transferred from the EU to that jurisdiction without the need for additional mechanisms to facilitate the transfer (such as further safeguards or authorisation from a national supervisory authority).
b. What is the current position on personal data transfers between the UK and the EU?
Following expiry of the Brexit transition period, the UK, as a non-EU country without an adequacy decision, became a ‘third country’ for data transfer purposes. Personal data transfers from the UK to the EU remain permissible under English law and a review is scheduled in 2024.
As regards personal data transfers from the EU to the UK, transitional provisions have been applied to allow data flows to continue. Pursuant to the EU-UK Trade and Cooperation Agreement signed on 30 December 2020, personal data is able to flow freely from the EU to the UK during a bridging period agreed by the EU that expires on 30 June 2021. During the bridging period the UK is treated as though it is not a third country for data transfers from the EU to the UK. Unless the EC gives the UK an adequacy decision by the expiry of the bridging period, SCCs will be required to transfer personal data from the EU to the UK from 1 July 2021.
c. Where do things stand with the UK’s adequacy decision?
The EC’s draft adequacy decision on UK data protection has not been finalised. Indeed, at the beginning of this month the European Parliament (EP) asked the EC to amend its draft decision to ensure EU standards for citizens’ privacy are respected.¹ This request echoed concerns raised by the European Data Protection Board (EDPB) regarding onward personal data transfers to the US and exemptions in the fields of national security and immigration (amongst other things).
As the bridging period quickly draws to an end without a finalised adequacy decision in place, businesses may wish to revisit their EU-UK transfer arrangements.
2. New standard contractual clauses
a. What are SCCs?
SCCs are a common mechanism to transfer personal data to third countries without an adequacy decision. These agreements contain contractual obligations on a data exporter and a data importer as well as rights for individuals whose personal data is transferred.
b. What are the EC’s new SCCs?
The EC recently adopted new SCCs for use between a controller and a processor within the EEA and for personal data transfers to third countries.² They replace the previous SCCs (adopted in 2001, 2004 and 2010) and address new requirements under the EU General Data Protection Regulation (EU GDPR) and take into account the Schrems II³ judgment of the European Court of Justice, which affected transfers of personal data from the EU to the US and/or countries outside the EU. For more information about the Schrems II judgment please see our March article.
c. Are the EC’s new SCCs valid in the UK?
The UK Information Commissioner’s Office (ICO) has made it clear that the EC’s SCCs are not valid in the UK so a company cannot, for example, use them for personal data transfers from the UK to the USA.² The ICO is working on bespoke UK SCCs for cross-border personal data transfers, which it intends to consult on and publish during 2021. UK organisations should therefore await further guidance from the ICO before taking any action.
d. We need to transfer personal data from the UK to a third country, what should we bear in mind?
UK data exporters can use existing EU SCCs that were valid as at 31 December 2020; these are available on the ICO’s website here. However, the Schrems II judgment applies when making restricted transfers from the UK using SCCs. Organisations may therefore find the toolbox in the EC’s SCCs helpful in this regard as they provide an overview of the steps organisations must take to comply with Schrems II as well as examples of possible ‘supplementary measures’ that companies may take to meet the requirements of Schrems II (e.g. encryption).
The ICO also advises organisations to consider the additional measures set out in the EDPB’s Recommendations on measures that supplement transfer tools.⁴ The ICO intends to issue its own guidance on this topic soon.
e. We are a non-UK company based in the EU so the new SCCs apply to us, where can we find out more?
You can read more about the SCCs on the European Commission’s website here.
The above does not constitute legal advice nor does it consider a complete list of issues to consider in the context of the UK or EU GDPR. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.
___
¹ Data protection: MEPs urge the Commission to amend UK adequacy decisions
² Standard contractual clauses for international transfers and Standard contractual clauses for controllers and processors in the EU/EEA
³ Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II)
⁴ Standard Contractual Clauses (SCCs) after the transition period end