A little over three months ago, the new Standard Contractual Clauses for international data transfers extra-EEA to non-adequate countries (new SCCs) were published in the Official Journal. The new SCCs came into force, and were usable, from 27 June 2021. In the same Decision the European Commission confirmed the old SCCs would be repealed on 27 September 2021 (see Article 4).
If you have old SCCs in place at any point prior to 27 September 2021 you can still rely on those old SCCs for a further 15 months, i.e. until 27 December 2022, provided that there are no changes to the “processing operations that are the subject matter of the contract” and “reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”.
Organisations transferring data extra-Switzerland to countries outside the EEA or third countries with no adequacy decision will have welcomed the Federal Data Protection and Information Commissioner (FDPIC) statement of 27 August 2021, in which the FDPIC recognised the new SCCs as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law. In parallel with the new SCCs timescales, the FDPIC permit the old SCCs as a valid transfer mechanism until 27 September 2021, after which the new SCCs must be used for all new transfers. For existing transfers using the old SCCs, signed before the 27 September 2021, the old SCCs will remain valid “provided that the data processing or the contract is not significantly changed in the meantime” until 31 December 2022. It is believed the extra few days are because the new Swiss Federal Act on Data Protection is now expected to come into force on 1 January 2023.
For extra-UK transfers the situation is a little different. The ICO launched a consultation on international data transfers extra-UK on 11 August 2021, which does not close until 7 October 2021, ten days after the old SCCs are repealed by the European Commission and are no longer recognised by the FDPIC. The ICO consultation consists of three sections:
- Proposal and plans for updates to guidance on international transfers
- Transfer risk assessments (TRA)
- The international data transfer agreement
(For more detail on each section see our article “It’s official Summer is here…the new UK SCCs consultation is out!”). Of particular relevance are the UK’s proposals in the third section where the ICO sets out two new frameworks to legitimise restricted transfers and proposals to replace the old SCCs, namely (1) the draft model International Data Transfer Agreement, effectively the UK SCCs and (2) the draft UK addendum to the new EU SCCs. The latter indicating the ICO’s approach to recognising and adopting model agreements from other jurisdictions. It is important to remember these are draft proposals and could be subject to change.
So where does this leave us in relation to the old SCCs in the meantime? Well the answer is hinted at in the ICO’s consultation and the timescales look markedly different to the EU and Swiss approach. To take it from the top, post-Brexit the old SCCs could continue to be used under the transitional provisions set out in Schedule 21 para.7 of the Data Protection Act (DPA) 2018. The ICO may disapply the old SCCs by virtue of Schedule 21 para.8(b) of the DPA. Once the old SCCs are disapplied and any transitional timeline has expired, they can no longer be used as a valid transfer mechanism.
The ICO proposes to disapply the old SCCs when it lays the new frameworks before Parliament. If there are no Parliamentary objections the timelines would be:
- For data transfer agreements being negotiated, the parties can use the old SCCs for around 4.5 months (or 3 months plus 40 days to be precise) from the date the proposals are laid before Parliament, after which they can no longer be used.
- For all existing arrangements relying on the old SCCs (and any arrangements concluded during the above period), the old SCCs would remain valid for a further period of 21 months (so effectively 2 years and 40 days after the date that the proposals are laid before Parliament).
It is clear to see for extra-UK transfers only the timescales stretch much further than the end of 2022 so this will need to be factored into any decision making processes.
So where does this leave us now?
While most organisations have decided on the approach they will take in regard to international transfers, until the UK position is finalised there are still some uncertainties. It looks as though this is recognised with the proposed extended timescales but for international organisations moving data globally they need to be aiming for the earlier of these dates and the focus remains on switching over to the new SCCs by the dying days of December 2022.
And what about those transferring data to the US? Is there any hope at all of a replacement for the privacy shield? Well as with all good questions, the answer is it depends. While both the EU and US and the UK and the US are in negotiations, differences still remain and with US mid-term elections next year it seems likely domestic US issues will be higher up the agenda than international data transfers.