They are finally here. The much-anticipated standard contractual clauses for the transfer of personal data to third countries (New SCCs) were adopted by the European Commission on 4 June 2021. As before, the New SCCs facilitate the transfer of personal data from the European Economic Area (EEA) to third countries that provide an "inadequate" level of protection. This includes Australia.
It has been quite a journey from the first set of controller-to-controller and controller-to-processor SCCs, which were adopted in the early 2000s. The previous SCCs lacked many of the protections required by the General Data Protection Regulation (GDPR) since its implementation in 2018 and by the Court of Justice of the European Union's "Schrems II" decision, which called into question the SCCs' reliability as a data transfer mechanism unless transfer impact assessments were conducted and supplementary measures implemented.
Data transfer for Australian businesses to change
The New SCCs provide a comprehensive basis for any type of data transfer between parties.
Importantly for Australian-based organisations, the New SCCs expressly recognise that the data exporter can itself be a non-EU entity. This was previously a bit of a conundrum for Australian-based organisations, as the GDPR could apply to them (by virtue of its extraterritorial scope in Article 3(2)), but technically the previous SCCs could only be used where the data exporter was established in the EU.
The New SCCs take a modular approach, with the data exporter able to pick which module applies to the transfer at hand (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller). The new addition of the processor-to-processor module will be a relief for many, as it is more and more common for data to be processed by subcontractors.
Another helpful development is that the New SCCs allow for multiple data exporting parties to contract and for new parties to be added over time. While this might alarm purists who prefer separate SCCs for each data flow, this will take the sting out of large-scale intra-group data transfers and allow for new group members to be added with relative ease.
Schrems II requirements
What about the elephant in the room, Schrems II? An entire section of the New SCCs is dedicated to addressing Schrems II requirements. Treading an unenviable path between adopting measures consistent with Schrems II and continuing to enable data transfer beyond the EEA, the New SCCs take a risk-based approach. Among other things, the parties must warrant that they have "no reason to believe" that the destination jurisdiction's laws will cause the data importer to be unable to fulfil its commitments under the New SCCs. The New SCCs also require the parties to assess transfer risks, including those specific to the destination jurisdiction. In the end, though, organisations will still need to consider whether any additional safeguards are required to protect personal data in the destination jurisdiction.
Data transfers from the UK post-Brexit
For those with the UK in mind, the New SCCs do not apply to the transfer of personal data from the UK. While the previous SCCs can continue to be used, with the usual additions for Schrems II compliance, the UK's Information Commissioner's Office has indicated that the UK will produce its own SCCs soon.
Getting your data transfers into good order
There is some breathing space.
If an organisation has a new data transfer, the previous SCCs can be used for the next three months. This provides a small window for organisations to get up to speed on the New SCCs.
The previous SCCs can continue to be used for existing data transfers for up to 18 months. This means that organisations have until the end of 2022 to get their data transfers sorted, but as we all know from the GDPR's implementation, it is best to get moving sooner rather than later.
Over the next few weeks we will be sharing more detailed guidance on how to prepare for, and implement, the New SCCs.