EU data protection guidance brings welcome news for UK suppliers

Out-Law News | 30 May 2022 | 11:46 am

New guidance issued by the European Commission will be welcomed by UK-based suppliers involved in complex post-Brexit data transfer arrangements, but the guidance highlights a data protection “compliance gap” in relation to other data transfers, according to experts.

Kathryn Wynn and Rosie Nance of Pinsent Masons were commenting after the Commission published a new ‘Q&A’ paper regarding standard contractual clauses (SCCs) (24-page / 435KB PDF).

SCCs are one of the legal tools the Commission has developed to help businesses meet their obligations under the EU General Data Protection Regulation (GDPR) when transferring personal data outside of the European Economic Area (EEA). SCCs can be inserted into commercial contracts to govern how those importing personal data from the EU handle and safeguard that data, though the Commission has confirmed businesses cannot modify those clauses without approval of the modified version from a national data protection authority.

Last year the Commission published revised SCCs to replace those it had previously adopted in 2004 and 2010. The updated SCCs are designed to reflect the changes to data protection law implemented by the GDPR in 2018 and concerns raised by the Court of Justice of the EU in the so-called ‘Schrems II’ judgment.

Businesses will no longer be able to rely on the 2004 or 2010 SCCs to transfer data to third countries from 27 December this year. The Commission took the opportunity in its Q&A paper to reiterate that deadline for remediating legacy contracts.

Kathryn Wynn said there was welcome clarification in the guidance on a point of uncertainty that has arisen in relation to data transfers involving UK-based suppliers since Brexit.

“Data transfer arrangements have become more complex since Brexit. Some UK group companies have set up a substantial presence in EU countries, such as Ireland. We are familiar with scenarios where the data flows from an Irish controller to a UK group company providing shared services to a UK supplier and on again to a sub-contractor based outside the UK or EEA. Businesses involved in these arrangements have been keen to know which parties should enter into the SCCs, and which data protection regime – the EU GDPR or UK GDPR – applies,” she said.

“Previously, under the 2010 SCCs, only a controller could be the data exporter because it was only the controller that had data export obligations under the pre-GDPR legislation. In our scenario, this would have meant the Irish controller would be responsible for entering into the SCCs with the non-UK or EEA sub-contractor. However, because the 2021 version of the SCCs has a modernised, modular approach, the Commission has now confirmed that the processor is considered in our scenario to be the data exporter and therefore the party who enters into the SCCs with the non-UK or EEA sub-contractor,” Wynn said.

“The example the Commission gave involved a German controller, Polish processor and Indonesian sub-contractor. The initial transfer in that example is intra-EU, but the position is analogous to our scenario where the initial transfer is from Ireland to the UK because that transfer is a permitted transfer for which SCCs are not needed due to the UK’s ‘adequacy’ status. This clarification means that the data export requiring the ‘appropriate safeguards’ provided by the SCCs is the data export from the UK, not from the EU,” she said.

“This will be welcomed by businesses because it impacts on their contract remediation plans – while the 27 December 2022 deadline is fast-approaching, it applies to EU GDPR contracts; a later 21 March 2024 deadline applies for remediating UK GDPR contracts,” Wynn said. “It is worth noting that, in our scenario, the Irish entity, as the controller, will still need to ensure, from an accountability perspective, that its appointment of the UK processor and the subsequent processing by the UK processor and its sub-processors complies with the requirements of the EU GDPR.” 

In its Q&A paper, however, the Commission confirmed that organisations cannot rely on the 2021 set of SCCs to comply with the GDPR when transferring personal data to controllers or processors in non-EEA countries that are directly subject to the GDPR. It plans to issue a new set of SCCs that businesses can use in this scenario. However, Nance said the Commission’s comments create a problem for businesses over what to do until those new SCCs are available.

“The Commission’s confirmation that the 2021 SCCs cannot be used for transfers to controllers or processors in third countries that are directly subject to the GDPR leaves a compliance gap in the meantime, as the European Data Protection Board (EDPB) confirmed earlier this year that the international transfer provisions in the GDPR would apply in that scenario,” Nance said.

“This also has the potential to make intra-group transfers pretty complicated as some parties may now consider that they are expected to carry out a detailed assessment of whether their group companies are subject to the GDPR and choose their SCCs accordingly,” she said.

Wynn said that the compliance gap has been plugged in the UK by the ICO in its international data transfer agreement (IDTA), published earlier this year. The IDTA makes clear that organisations caught by the UK GDPR may be a “data importer” under the IDTA. In this situation, the sections of the IDTA which contain UK GDPR obligations, such as those relating to data subject rights, are disapplied because the data importer is already obliged to comply with those obligations by virtue of it being subject to the UK GDPR.

Nance further flagged that the Commission had explicitly confirmed that where the SCCs are used for international transfers, a transfer impact assessment that follows recommendations made by the EDPB should be carried out.