Transferring Data under the new Standard Contractual Clauses
17 September 2021
Standard Contractual Clauses are one of the most common mechanisms used when additional safeguards are needed to transfer personal data out of the jurisdiction. However, with the constant evolution of how data can be transferred, these clauses, dating from 2001, 2004 and 2010, were no longer deemed adequate. As such, the European Commission has updated the Standard Contractual Clauses to ensure the best protection of data subjects' rights in the transfer of personal data.
In line with the adoption of the European Union's General Data Protection Regulation (the GDPR), Guernsey introduced the Data Protection (Bailiwick of Guernsey) Law, 2018 (the DP Law). The DP Law was drafted to reflect the GDPR and with the intention of ensuring the rights of individuals, the free flow of data and continuing adequacy of the Channel Island regimes.
The Bailiwick of Guernsey has been recognised by the European Commission as providing adequate protection for data subjects. Other authorised jurisdictions comprise:
- A member state of the European Union;
- Any country, sector or international organisation which has been determined by the European Commission as providing data protection rights and freedoms for data subjects similar to those under the GDPR (an 'adequate level of protection') – this would include Jersey, the UK and Isle of Man; or
- A jurisdiction designated by Ordinance for this purpose – this will include the UK until 31 December 2021.
(each an Authorised Jurisdiction).
Following the UK's exit from the European Union on 31 January 2020, Guernsey was no longer able to freely transfer data to the UK in reliance on the UK being a member state. As such, Guernsey adopted an Ordinance designating the UK an authorised jurisdiction, which was valid from the date of the UK's exit from the European Union (31 January 2020) and expires on 31 December 2021. The Ordinance was designed to give the European Commission time to determine that the UK offers an adequate level of protection to personal data.
A declaration of adequacy was recently confirmed by the European Commission on 28 June 2021 in favour of the UK. Personal data can therefore be freely transferred from Guernsey to the UK in reliance on the UK being an adequate jurisdiction and, until 31 December, in accordance with the Ordinance. Personal data can be freely transferred from Guernsey to any other Authorised Jurisdiction (and vice versa) without the need for any additional protection mechanism. This increases the speed and efficiency with which data can be transferred. However, where a country is a 'third country' (not an Authorised Jurisdiction), additional safeguards are required in order to lawfully transfer data from Guernsey to that country unless certain exemptions apply. The most common mechanism to lawfully transfer data in these circumstances is to adopt the standard contractual clauses (SCCs).
What are the SCCs?
The SCCs are contractual obligations that are entered into between the sender and receiver of personal data to protect personal data that is not being transferred to an Authorised Jurisdiction. The SCCs are approved by the European Commission but currently pre-date the GDPR and the DP Law. Therefore, they do not reflect the changes to the European data protection regime made by the GDPR, and in particular, the impact of the Schrems II decision.
In Schrems II the Court of Justice of the European Union ruled that the EU – US Privacy Shield - a framework agreed between the US Department of Commerce and the European Commission that was considered adequate for the transfer of personal data from the EU to the US - was ineffective as it did not provide adequate protection for data transfers.
The New SCCs
In June 2021 the European Commission published a new set of SCCs which, among other things, strengthen data subjects' rights.
The new SCCs are modular in that they allow for personal data to be transferred as follows:
- from controller to controller (Module 1);
- from controller to processor (Module 2);
- from processor to sub-processor (Module 3); and
- from processor to controller (Module 4).
There will only be one set of SCCs going forward, which can be adapted by omitting modules that are not relevant.
In order to strengthen data subjects' rights, obligations on data importers are now more onerous. These obligations should therefore be carefully considered by both sender and receiver, and we anticipate closer scrutiny on compliance with these clauses.
The Office of the Data Protection Authority, being the data protection regulator for Guernsey, has now expressly recognised (here) the SCCs for use by Guernsey businesses as an appropriate transfer mechanism for transfers from the Bailiwick to ‘third countries’.
Any new data transfer contract ought to incorporate the new SCCs with immediate effect.
As of 27 September 2021 the new SCCs must be used in all new contracts in place of the old SCCs.
For data transfer contracts that are already in place and incorporate the old SCCs, these contracts will need to be amended to incorporate the new SCCs by 27 December 2022.
The SCCs are only one of a number of available statutory mechanisms which can be used to enable personal data to be lawfully transferred from a controller or processor in the Bailiwick to a recipient based in a country that is not an Authorised Jurisdiction. The use of SCCs should still be considered on a case-by-case basis and an assessment undertaken to ensure that the SCCs provide adequate protection for the data being transferred. To the extent that the SCCs alone do not provide adequate protection then additional safeguards should be put in place.
The UK Information Commissioner's Office (the ICO) is proposing an International Data Transfer Agreement (the IDTA) which will act as an alternative to the SCCs. The ICO has published a consultation paper on the draft IDTA which is open until 7 October 2021 and can be found here.