09/06/21 – At the end of last week, and more than three months later than originally expected, the European Commission published final versions of its new standard contractual clauses (SCCs) for the transfer of personal data to third countries (New EU SCCs).
The New EU SCCs replace the standard contractual clauses adopted by the European Commission in 2004 and 2010. They have been significantly updated to be consistent with the GDPR, and also address many of the issues raised by the CJEU in its Schrems II judgment. Unlike their rather inflexible predecessors, the New EU SCCs are modular in format and can be adapted to accommodate various data transfer scenarios, including processor-to-processor transfers which will be welcomed by many B2B service providers.
Until the beginning of last month, it was assumed by most privacy geeks that the New EU SCCs, when adopted, would simply be topped-and-tailed by the ICO and then rolled out for use by UK companies transferring personal data to ‘third countries’ (i.e. countries without a UK adequacy finding, which currently includes the U.S.). However, last month we were somewhat taken by surprise when the ICO announced that it is currently working on bespoke standard contractual clauses for the UK (UK SCCs), expected to be published in draft form for consultation later this month.
Schrems II underlined the importance that the EU attaches to protecting its citizens’ personal data after it has been transferred out of the EU. The UK government on the other hand has stated its post-Brexit intention to ‘strike [its] own international data partnerships’ and to be more ‘agile’. It will therefore be interesting to see if the UK SCCs take a more permissive approach than the rigorous, post-Schrems II approach adopted by the New EU SCCs. And if the UK SCCs are significantly less protective than the New EU SCCs, whether the European Commission will threaten to take another look at the adequacy decisions for the UK… Given that we’re now only three weeks away from the 30th June deadline (when, in the absence of an extension, the UK becomes a ‘third country’ for GDPR purposes), this could be very bad news for UK businesses receiving personal data from customers and other data partners within the EEA.
Part 3 to follow once the UK SCCs have been issued for consultation.