Most EU companies (including, of course, Irish companies) use third party processors in one form or another to undertake data processing for them both in the EU and abroad: for example, online payment providers, email marketing or simply cloud data storage.
When personal data is exported to another country the rights and protections imposed by GDPR must travel with the personal data. The EU have a number of mechanisms that can be used to ensure these rights and protections, and to legitimise the transfer of personal data from the EU to a country outside the EU, referred to as a ‘third country’: The UK is of course no longer part of the EU and is therefore considered a third country.
Two of these mechanisms (and the most relevant) have been the subject of much discussion recently, namely an ‘adequacy decision’ or the use of ‘standard contractual clauses’ (or SCCs for short), and this blog discusses how they apply to EU companies with a UK client base.
Adequacy
An adequacy decision is awarded by the European Commission to third countries that can essentially demonstrate that they take data protection and the rule of law seriously. It is a recognition of a country providing an adequate level of protection, similar to EU data protection laws. When a favourable adequacy decision is awarded, personal data can generally flow freely to these countries.
The UK recently secured a favourable adequacy decision from the EU, meaning that personal data can continue to freely flow between EU and the UK without the need for additional data transfer safeguards.
But what about countries that do not have an adequacy decision, such as the USA?
In these cases additional transfer safeguards may need to be implemented, as any data transfers still need to be subject to the obligations under the GDPR, UK GDPR and Data Protection Act 2018.
The most common safeguards used are SCCs between the data exporter in the EU or UK and data importer in the third country. However, the application of SCCs in the short term at least may pose problems for EU companies processing UK client personal data (even storage) in any third countries due to the introduction of new EU SCCs by the European commission on the 27 June 2021.
SCCs
Before we discuss the situation in respect of the new EU SCCs introduced a month ago, we must look at the UK position following the end of the transition period, 31 December 2020.
The UK adopted a substantial part of EU law, regulations, decisions that were in place on the 31 December 2020 (essentially copied and pasted it into UK law at the end of the transition period). One of the pieces of EU law which was adopted by the UK at the end of the transition period was the GDPR. The GDPR has been amended and now known as the UK GDPR and contains almost identical provisions to the EU GDPR, but in relation to UK data subjects and data processing as opposed to EU data subjects and data processing.
Another piece of EU law adopted by the UK were the EU SCCs in place at 31 December 2020. However, the EU have now updated their SCCs (in light of the introduction of the GDPR and the Schrems II decision), and there is now the potential for very complex contractual situations arising for EU companies doing business with UK customers, when personal data is exported to a service provider based in a third country, such as the USA.
New EU SCCs
If you are an EU company then you must start moving over to the new EU SCCs. There is a grace period to assist companies with the switch, and the timetable is as follows:
27 June 2021 – The new EU SCCs come into force. EU companies can continue to use the old SCCs for 3 months or can start using the new SCCs from this date.
27 September 2021 – EU companies must only use the new EU SCCs for new data transfers from this date.
27 December 2022 – All contracts/agreements (old and new) that rely on SCCs must contain the new SCCs from this date: so old contracts can continue to use the old SCCs for the next 17 months as long as the processing activity does not change.)
UK SCCs
The current situation is that, if you are a UK company and you export personal data to a third country not deemed adequate, you use the old EU SCCs adopted by the UK on 31 December 2020.
If you are an EU company with UK customers, and you export personal data to a third country not deemed adequate, then in addition to your own new EU SCCs, you must use the old EU SCCs which were adopted by the UK on 31 December 2020 for any UK personal data exported. So you will have two sets of SCC’s to prepare.
Will the UK adopt the new EU SCCs?
To date the UK have not adapted to the new SCCs and are themselves considering creating their own SCCs. We should know more about this by the end of the year. Ideally it would be good if the UK adopted the new EU SCCs for consistency.
What you should do
In terms of updating contracts, you may have thousands of contracts to go through. Our advice is for EU companies to prioritise contracts now and start implementing the new EU SCCs from now if possible, unless the data transfer is for a short term project not exceeding 18 months (the date by which all old EU SCCs must be replaced). The alternative is a rushed exercise at the end of 2022.
Other issues with the new SCCs
There will be other issues to consider as well with the new EU SCCs, such as liability clauses. Many companies will have spent considerable time negotiating data protection contract terms, including on liability in the run up to GDPR. The new EU SCCs stipulate that in the event of any contractual dispute the new SCCs will prevail, so any financial cap negotiated under old contracts may no longer be compatible with the new SCCs liability provisions.
It should also be noted that neither the adequacy decision or the new SCCs relieve EU companies of their requirement to appoint a UK representative under Article 27 UK GDPR, or similarly, for UK companies subject to the EU GDPR to appoint a representative in the EU. In fact, the new SCCs go further and ask for representatives details.
As lawyers based in the UK and Ireland we are perfectly placed to help and advise you with both the UK and EU SCCs. We can assist with contract reviews and also offer EU and UK representative services for our Irish and EU customers from our Dublin and UK offices.
