Adequacy and the new SCCs – what does it all mean?

Great news for businesses! The European Commission finally adopts adequacy decisions for data transfers. Alongside this, the long-awaited new EU Standard Contractual Clauses have been published. What does this all mean?

The European Commission has adopted two adequacy decisions concerning transfers of personal data between the UK and EU, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

These agreements confirm the UK as having ‘adequate’ data protection for the transfer of personal data from the EU – thereby paving the way for lawful transfers between the EU and UK.

This is really helpful for UK businesses which rely on service providers or partners based in the EU – who would otherwise have needed to rely on other transfer mechanisms, such as Standard Contractual Clauses, to ensure data transfers to the UK are lawful.

Just in time too!

The news emerged on 28 June 2021 – only two days before expiration of the six-month post-Brexit transition period under the UK-EU Trade and Cooperation Agreement.

There’s a caveat. These agreements are dependent on the UK’s legislative and regulatory environment for data. If the UK decides to go its own way with data protection laws, for example by diverging from the GDPR, the EU could potentially withdraw adequacy.

Positive reactions

Unsurprisingly, reaction to this news has been overwhelmingly positive.

The ICO:

“This is a positive result for UK businesses and organisations. Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices. Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently. The result is also a testament to the strength of the UK’s data protection regime.”

The UK Direct Marketing Association:

“A positive decision on data adequacy is a huge relief for thousands of businesses across the UK – over half of businesses surveyed by the DMA just before Brexit stated this was important for the future of their business. The government estimated that without adequacy the UK economy could lose up to £85 billion, so this announcement is a significant boost after a challenging year.”

Where do we stand for data transfers outside of the UK & EU?

Whilst the European Commission’s decision is indeed a terrific boost, UK businesses will still need to ensure their transfers to/from other areas outside the EU are lawful.

For many businesses, this will mean a continued reliance on SCCs in contracts with trading partners outside the UK and the EU.

The European Commission has also recently published its final Implementing Decision adopting new Standard Contractual Clauses. They’ve been updated to:

  • align with the GDPR,
  • allow for more flexibility, depending on whether parties are processors or controllers,
  • address requirements following the Schrems II ruling of July 2020.

New SCCs are ready to use!

Organisations can start to use the new SCCs from 27 June 2021. The Commission have allowed for a transition period. Exporters and importers can continue signing the existing SCCs for a further 3 months until 27 September 2021. After that date, however, no new contracts can be signed using the existing SCCs.

Exporters and importers will then have until 27 December 2022 to replace contracts which use the current SCCs with the new SCCs. That’s unless the underlying processing operations change, in which case the new SCCs should be used from that point on.

It is worth noting, however, that UK-based organisations are being advised by the ICO that EU SCCs will not apply. See the ICO’s guidance on international transfers.

What is different about these new SCCs?

There are several key differences you may wish to note.

1. Modular approach: Specific sets of clauses can be used for different types of transfers:

  • controller-to-controller,
  • controller-to-processor,
  • processor-to-processor,
  • processor-to-controller.

There is an option for more than two parties to join and use the clauses through the docking clause.

2. Identification of a competent supervisory authority: The new SCCs specify that the supervisory authority of the data exporter will be the competent supervisory authority. If the data exporter is not established in an EU member state, but falls within the scope of GDPR, the supervisory authority should be identified as follows:

  • if the exporter has an EU representative, the supervisory authority will be the one where the representative is established.
  • if the data exporter does not require an EU representative, the supervisory authority will be the one of the Member States in which the data subjects whose personal data is transferred are located.

By entering into a contract bearing the new SCCs, the data importer agrees to accept the authority of that supervisory authority, respond to its enquiries, comply with the measures it adopts and submit to its audit regime.

3. Requirement to assess local laws: With a nod to the Schrems II ruling of July 2020, the new SCCs contain a warranty stating both parties have carried out an assessment of the local laws in the jurisdiction the personal data will be transferred to, and they have no reason to believe those laws would prevent the importer from complying with its obligations under the clauses.

Additional guidance has been provided in Clause 18 (d) (12) around factors to take into account when giving this warranty. The parties will be required to document the assessment and make it available to a data protection supervisory authority on request.

4. Security measures: The new SCCs require that the technical and organisational measures (TOMs) adopted to safeguard the personal data transfers are described in specific terms in Annex II, clearly indicating which measures apply to each transfer.

5. No separate contractual measures are required: Contracting using the new SCCs will neatly avoid any requirement for controllers to impose separate contractual measures on a processor in order to comply with their obligations under Article 28 of GDPR.

6. Access by public authorities: Provisions are included which data importers will have to comply with if they receive a binding request from a public authority for disclosure of personal data transferred under new SCCs.

Don’t forget our Supplier Management Checklist

The DPN has published a 6-point supplier management checklist. This is designed to help controllers to manage their suppliers – wherever in the world they are based. We hope you find it useful. You may also wish to view the recording of our recent webinar ‘How to avoid privacy errors with your suppliers’.

In summary…

At last we have some clarity on international transfers. But if your business needs to rely on SCCs, there could well be quite a bit of work to be done to bring your supplier contracts into line by December 2022. We also hotly await developments regarding UK international transfers.

For your reference, here are the links to the European Commission’s two adequacy decisions: