What are SCCs and why are they needed?
Under the UK General Data Protection Regulation (GDPR), exporting personal data (PII) outside the UK, EU or another ‘approved’ country is illegal unless measures are taken to make sure that the recipient of the data is bound by rules which give rights to data subjects equivalent to those given to them in the UK by GDPR.
One of those measures, and the most commonly used, is the SCCs: contract terms prescribed by rules that the foreign ‘importer’ and UK ‘exporter’ agree to in order to allow the export to take place.
Until now, we have been using the SCCs that were mandated by the EU, despite Brexit. As the EU clauses have now changed (as of June 2021), the UK’s Information Commissioner’s Office (ICO) has set out the new terms that should be used going forward by UK-based data controllers who want to export personal data using SCCs. The new UK SCCs have been developed to take into account:
- the post-Brexit provisions of the UK version of GDPR;
- the new EU form of SCCs; and
- the CJEU’s judgment in the case known as Schrems II.
What is changing?
The new UK SCCs come in two parts:
- a template international data transfer agreement (IDTA); and
- a template international data transfer addendum to the EU’s SCCs (Addendum).
They can therefore be used in one of two ways:
- The IDTA can form a standalone agreement (or can be incorporated into a commercial contract) for an ‘exporter’ based only in the UK; or
- Where the export is of data covered by both the UK and EU GDPR, the Addendum can be used to supplement the new EU SCCs, so that the combined document covers the entire transfer.
Transitional provisions
Organisations are allowed to continue entering new contracts on the basis of the old EU SCCs until 22 September 2022, at which date any new contracts for exports must be based on the new UK SCCs.
Existing contracts agreed using the old EU SCCs will be valid until 21 March 2024, but from that point any contracts still in force, and unchanged, will not be compliant with GDPR. UK-based ‘exporters’ with contracts whose terms extend beyond 21 March 2024 will need, at some point between now and then, to enter into a new contract using either the IDTA or Addendum.
Impact of the changes
Overall, the new terms bring UK terms into line with the EU’s SCCs. The key difference to note is that the UK exporter will be required to carry out a risk assessment to determine the privacy risks (for example, foreign state access to the data) arising in the transfer. As GDPR requires data controllers to be accountable for their compliance, it will be important that this risk assessment is recorded and retained with the contract in case of regulatory action.
The IDTA and Addendum can be downloaded at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/