Data protection in a post-Brexit world – what is the impact of Schrems II on SCCs?
This is the second of two briefings on data protection post-Brexit. Click here for the first briefing.
The two sets of Standard Contractual Clauses (SCCs) currently in use were adopted prior to the implementation of the GDPR. Following the recent ECJ decision in the Schrems II case, their use for this purpose has come under scrutiny, (see our briefing, July 2020). The decision seemingly places additional burdens on data exporters and importers when transferring personal data from the EU to third countries.
The judgement in Schrems II stated that data exporters using SCCs when transferring data to third countries would be required to undertake due diligence to ensure that the third country affords protections to personal data equivalent to the protections provided in the EU. If this could not be ensured, additional measures would need to be added to the SCCs to ensure compliance with the EU level of protection of personal data or, if this were not possible, the personal data could not be transferred.
This judgement left several questions as to what would be required to transfer personal data outside the EU when using SCCs, and if they would be effective at all. This applies especially in circumstances where the data transferred would be accessible by governments of third countries for surveillance purposes.
SCCs remain a valid way to transfer data to third countries
To try and deal with this, the European Data Protection Board (EDBP) published two sets of guidance confirming that SCCs remain a valid way of transferring personal data to third countries. The guidance deals with the issues raised in Schrems II, and details when supplementary measures to the SCCs would be required. Data exporters from the EU to third countries (and the UK) should familiarise themselves with both documents.
Furthermore, on 12 November 2020 the EC published draft revised SCCs for the transfer of personal data to third countries. These new draft clauses attempt to deal with the issues raised by the Schrems II decision as well as various other deficiencies that were identified in the previous SCCs. The new SCCs were issued for consultation (the period for which closed in December 2020) and are now being assessed by the European Data Protection Supervisor and the EDPB prior to their implementation, expected to be by mid-2021.
Once these new SCCs are implemented, the current forms of SCCs will be repealed and businesses will have a one-year grace period in which to incorporate the new SCCs into their contractual agreements.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.