Transition date looms: Transferring data transfer agreements to the new SCCs
The current list of countries considered “adequate” is Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom.
In the absence of an adequacy decision by the EC, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to “appropriate safeguards”. The Law replicates this regime for transfers outside Guernsey. Appropriate safeguards for such transfers include:
- Binding corporate rules (“BCRs”).
- Standard data protection contractual clauses adopted by the European Commission (“SCCs”).
SCCs are generally the most commonly utilised mechanism for such transfers.
In June 2021, the EC approved a new set of SCCs for international data transfers. The Guernsey data protection regulator, the ODPA, approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey.
The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the existing sets of SCCs (which include two controller to controller (“C2C”) sets (2001 and 2004) and a controller to processor (“C2P”) set (2010)).
The new SCCs (unlike the existing ones, which only applied to C2C and C2P transfers) apply to a broader range of scenarios and include provisions for processor-to-processor (“P2P”) and processor-to-controller (“P2C”) transfers.
The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to “build” the relevant agreement on a modular basis.
The new SCCs also incorporate provisions to address the Schrems II decision of the European Court of Justice, the key effect of which was to invalidate the EU-U.S. Privacy Shield and to place additional administrative conditions on the use of SCCs.
A transition period, during which businesses were able to incorporate the old SCCs into new contracts, expired on 27 September 2021. Since that date, any Guernsey business looking to export personal data in reliance on SCCs has been obliged to use the new SCCs.
But all contracts using the old SCCs must now be transitioned to the new SCCs by 27 December 2022. This cut-off date is fast approaching. Furthermore, where controllers and processors are utilising SCCs (either new or old) or BCRs, they will also need to take account of the Schrems II decision. The European Data Protection Board (“EDPB”) published its Schrems II guidance in relation to supplementary measures to accompany international transfer tools.
In summary, a six-step process is required in relation to international transfers:
- Know your transfers. Be aware of where the personal data is so you know the level of protection provided there. Make sure the data you transfer is adequate, relevant and limited to what is.
- Verify the transfer tool your transfer relies on. Using the SCCs or BCRs will be enough in this regard.
- Assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
- Identify and adopt supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third country’s safeguards. If no supplementary measure is suitable, you must avoid, suspend or terminate the transfer.
- Take any formal procedural steps the adoption of your supplementary measure may require.
- Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.
In practice, the above requires a detailed and documented transfer impact assessment (“TIA”). For many Guernsey controllers and processors, this is an onerous process, and one that Guernsey businesses should prioritise.
It should be noted that, at the same time, the European Commission also approved a set of SCCs in relation to data processing agreements. These are available for use at the election of controllers and processors, albeit that processors may well have amended their standard form contracts for processing terms by now.