
Farewell old SCCs!

The EU’s old standard contractual clauses can no longer be used for exporting personal data

21 March 2024 marked the end of the EU’s old standard contractual clauses (Old SCCs). After this date, personal data can no longer be exported using the Old SCCs as the appropriate safeguard under GDPR Article 46.

Exporting data outside of the UK and the EEA – a quick recap

Personal data cannot be exported outside the UK or the EEA except in accordance with the rules about ‘restricted transfers’. Possibly the most common mechanism is to ensure that the recipient organisation in the “third country” to which the data is being exported enters into contractual commitments to ensure that the personal data is protected to standards comparable with those which apply in the UK/EU.

The standard contractual clauses published by the EU contain such commitments and can be entered into by a data exporter and a data importer to supplement whatever other agreements exist between them.

On 4 June 2021 the EU abolished the Old SCCs and introduced a new set of standard contractual clauses (New SCCs) with the twin objectives of addressing some of the issues with the Old SCCs and imposing more robust, GDPR-standard obligations. However, there was a transition period (until December 2022) during which the Old SCCs could still be used.

At the same time as these changes were happening, the UK left the EU. The EU made an adequacy decision for the UK (currently valid until June 2025 although it may be extended) so personal data can be transferred freely between the EEA and the UK.

However, adequate safeguards are still needed to export personal data elsewhere, so the UK introduced its own document, the international data transfer agreement (IDTA), to provide a mechanism comparable with the New SCCs but for exporting data out of the UK (as opposed to out of the EEA).

Where organisations export data from both the EEA and the UK, the New SCCs can be used with the addition of what is known as the UK Addendum.

When the IDTA and the UK Addendum came into force in March 2022, transitional arrangements were again put into place to give organisations time to replace their Old SCCs (with either the IDTA or the UK Addendum). Organisations could enter into new contracts on the basis of the Old SCCs until 21 September 2022, provided that those contracts would only remain valid until 21 March 2024. As the transition period has now come to an end, the Old SCCs may no longer be used.

If you rely on contractual mechanisms as the basis for making international data transfers, it is important that you check that all relevant contracts have been updated and that any necessary transfer risk assessments (TRAs) have been completed. Where an organisation relies on an Article 46 transfer mechanism (such as the IDTA, the UK Addendum or the New SCCs), it must carry out a TRA to help identify the likelihood of the proposed transfer infringing data subject rights.

Data transfers to the US

Since the introduction of the IDTA and UK Addendum, some data transfers to the US from the UK are now permitted under the UK Extension to the EU-US Data Privacy Framework (EU-US DPF), provided that the US data importer has self-certified under the scheme. This means that some organisations will not need to implement the IDTA or UK Addendum for transfers to the US: where the US data importer has self-certified, this is deemed to be an appropriate safeguard.

Importance of complying with rules on international data transfers

The importance of complying with the rules on restricted transfers was highlighted recently when the European Data Protection Supervisor (EDPS) found that the use by the European Commission of Microsoft 365 infringed several provisions of data protection law including a failure to adopt appropriate safeguards for data exported outside the EU.

The infringements identified by the EDPS concern the use of Microsoft 365 for the processing of personal data of a large number of individuals. The EDPS found that the Commission had failed to provide appropriate safeguards to ensure that personal data transferred to third countries was afforded a level of protection essentially equivalent to that provided in the EU. The EDPS also found that the Commission’s contract with Microsoft was not specific enough regarding the types of data to be collected and the specified purposes for which the data would be processed.

The EDPS ordered the Commission:

  1. To suspend all data flows to Microsoft, its affiliates and sub-processors located outside the EU/EEA in third countries without an adequacy decision with effect from 9 December 2024.
  2. To bring all processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725 (which sets out rules for the protection of personal data for EU institutions, bodies, offices and agencies) by 9 December 2024.

This decision is significant because it involves Microsoft 365, a widely used cloud-based productivity software platform, and the Commission, a very well-resourced, high-profile controller. The ruling should remind controllers with similar obligations, albeit under the GDPR, to review their risk assessment procedures and data export mechanisms.