Blog - 11/06/2021

Intellectual Property
The New EU Standard Contractual Clauses – What Do You Need To Know?On 4
June 2021, the European Commission published the finalised version of the new
Standard Contractual Clauses (the “New EU SCCs”). Standard Contract
Clauses govern the transfer of data from the EU to third countries deemed by
the European Commission to provide “inadequate” levels of data protection.

Key features of the New EU SCCs include:

• Providing for data transfers involving multiple parties and complex data
processing chains.

• Following the guidance set out in the Schrems II judgment, (see our

blog here) by requiring parties to initially assess the risk of transferring
personal data to a third country.
• Consistency with the General Data Protection Regulation (“GDPR”) by,
for example, ensuring that the obligations on data processors now
include all elements required under Article 28 GDPR.
When do they come into effect?
Businesses can start using the New EU SCCs from 27 June 2021 (the “Effective
Date”). For three months from the Effective Date, businesses will still be able
to enter into new contracts using the existing Standard Contractual Clauses
(the “Old SCCs”). The Old SCCs will be repealed on 27 September 2021.
Existing data transfers based on the Old SCCs can continue to take place for a
further 15 months, until 27 December 2022.
What do businesses need to do now?
Businesses in the EU should commence updating their template supplier
contracts and other data export agreements, as well as updating their systems
and processes, to ensure that they are compliant with the New EU SCCs before
the end of September. Businesses can use the 18-month grace period from the
Effective Date to identify all existing data transfers based on the Old SCCs and
update them with the New EU SCCs.

Will the New EU SCCs be adopted in the UK?

It is not yet clear how the adoption of the New EU SCCs will affect transfers to
and from the UK. The Information Commissioner’s Office (the “ICO”)
announced at the start of May 2021 that it is working on new Standard
Contractual Clauses to facilitate transfers of personal data outside the UK
(the “New UK SCCs”). These are expected to be consulted on this summer.
Until these come into force or until the ICO decides to recognise the New EU
SCCs as a valid transfer mechanism, the ICO will only recognise the Old SCCs.
Businesses in the UK should therefore continue to use the Old SCCs for the
time being but, taking into account the requirements of Schrems II, should be
reviewing whether they provide sufficient protection for data subjects and if
necessary taking additional measures.
Is there any update on the position on UK-EU transfers?
Following Brexit, the UK became a “third country” for data flows from the EU. In
draft decisions published in February 2021, the European Commission deemed
the UK to be “adequate.” This means that the European Commission has
provisionally accepted that the UK data protection regime affords adequate
protections for data subjects in the EU.

In April 2021, the European Data Protection Board (“EDPB”) assessed the
alignment of the UK Data Protection Act to the EU GDPR and to the Law
Enforcement Directive. Whilst it found that, in many aspects, the UK Data
Protection Act was essentially equivalent to the EU data protection framework,
the EDPB called for the UK to clarify its position on laws that allow government
agencies to collect bulk data, such as internet and phone use.
Last month, the European Parliament issued a press release requesting that the
European Commission amend its draft decisions on UK adequacy in line with
the opinion of the EDPB. The European Parliament does not, however, have the
ability to block the adoption of any adequacy decision made by the European
Commission. Before a final decision can be reached in relation to the UK’s
adequacy status, the European Commission must seek approval from
representatives of each EU Member State. A final decision is due to be reached
later on this year.

We shall keep you informed of the latest developments. In the meantime, until
1 July 2021, transfers of personal data from the EU to the UK can continue
unrestricted.