Transferring Personal Data with the EU – Are SCCs the Answer?

Transferring Personal Data with the EU - Are SCCs the Answer?, data protection, personal data transfer, personal data, dp, uk data protection, urm blog, data protection blog, gdpr blog, gdpr

With the transition period following the UK’s exit from the EU set to end on 31 December
2020, those organisations that rely on personal data transfers from the EU to the UK are
looking to ensure that the transfers remain lawful from 1 January 2021. While there are a
couple of frontrunners amongst the options for transferring personal data lawfully, they
may not be as simple as they first appear.

Adequacy Decision

In our previous blog, ‘GDPR, Brexit and the Adequacy Decision’, we commented that the EU is committed to securing an adequacy decision by the end of the transition period. However, that was prior to the COVID-19 pandemic and the latest preliminary judgment of the European Data Protection Board (EDPB). The importance of the adequacy decision is clear when you consider that the UK government has calculated that in 2018, EU personal data-enabled services exports to the UK were worth approximately £42bn and exports from the UK to the EU were worth £85bn.

In many respects, an adequacy decision is the preferred arrangement or outcome. Upon leaving the EU, the UK is seeking an adequacy agreement with the bloc to ensure that personal data can continue to be freely exchanged across borders. For this to occur, however, the EU must be satisfied that the UK adheres to the same data standards as the EU.  This is where it starts to get a bit tricky, as the EU has concerns over the UK’s surveillance practices. Originally, surveillance was out of scope when the UK was a member of the EU, but it is now very much in scope in respect of the adequacy decision. And, even if the EU reaches an adequacy decision it will still be open to legal challenge by privacy advocates. This could see it ruled invalid in the same way that the EU-US Safe Harbor framework was rendered invalid, following a successful legal challenge by Max Schrems. The US is also seeking frictionless UK-US data flows as part of any UK-US trade deal, potentially opening the EU-UK agreement up to further challenge, and any divergence from EU standards may mean that the arrangement runs into difficulties during its 4-yearly reviews.

It is, therefore, quite possible that getting an adequacy agreement may prove easier than actually keeping it.

Standard Contractual Clauses (SCCs)

In the event of the UK’s failure to secure a timely adequacy decision, the go-to ‘plan B’ for most organisations will be to use standard contractual clauses (SCCs). There is, however, another potential fly in the ointment in that the use of SCCs is currently the subject of a legal challenge in the Court of Justice of the European Union (CJEU). Dubbed ‘Schrems II’, a judgment on SCCs is expected on 16 July 2020. In December 2019, the EU Advocate General (AG) issued his opinion that the SCCs should not be invalidated. While not binding in the CJEU, the Court often follows the AG’s opinion. The AG also highlighted that there is a requirement, embedded within the SCCs, to determine whether “the obligations which the law of the third State imposes on the importer entail a breach of the standard clauses and thus prevent the transfer from being accompanied by appropriate safeguards.”  If the view takes hold that UK surveillance practices are incompatible with SCCs, then data exporters may grow increasingly wary of using them, thereby limiting their usefulness.

If SCCs are ruled invalid, what else is there?  Another alternative for transferring personal data is for importers and exporters to draw up private contracts that are legally binding or, in the case of global organisations, to draw up binding corporate rules. URM has seen a number of examples where private contracts have been established between inter-group companies. With Denmark having recently released their (EDPB approved) alternative contract between controller and 3rd party processors, then legally binding contracts between individual parties appear to be a viable alternative. 

Even if the UK secures an adequacy decision or the SCCs are not ruled invalid in respect of the EU-UK transfers, there is a school of thought that UK data protection standards may be one area where we begin to see a divergence from the EU.  If this is the case, it would certainly open up the prospect of repeated challenges, thereby denying UK businesses a stable framework under which they can operate.

So, are there any other solutions/mechanisms for data transfers available? 

The answer is yes, but they come with additional administration overheads. For example, you could rely on the explicit consent of the data subject or the particular situation may deem that individual authorisation is not required, such as the protection of the data subjects’ vital interests. With all options carrying varying obligations, SCCs are often viewed as the most elegant solution.

Of course, none of the above may come to pass. But during challenging times, the ability to operate within a stable legal framework seems critical and there are certainly some worrying ‘known unknowns’ that are making it difficult to plot a course. Coupled with that, we have differing views and reports on the subject which, week by week, seem to indicate one option is more likely than another.  So, what should you be doing? As we said in our previous blog, we would recommend you follow the good old Baden Powell motto ‘Be Prepared’ i.e. understand where you may be exposed and where you will need to incorporate SCCs or other additional measures. Where SCCs have been incorporated, keep these contracts under review in case you need to revisit them. It is imperative that you understand who you are sharing PII with, their compliance status and what information is being shared within the EU.

How We Can Help

URM’s experienced consultants can provide pragmatic, expert advice allowing you to focus on steering your business through the changes. As well as keeping you updated with the latest developments, we can offer practical, tailored advice and support you in assessing the potential impact on your business activities to ensure that you maintain your GDPR and data protection compliance every step of the way.