What happened?

In the wake of the Court of Justice of the European Union’s decision in Schrems II (covered here and here) and Brexit, the EU and UK respectively updated and issued new cross-border transfer clauses. The purpose of the clauses is to help legitimise the cross-border transfer of personal data to jurisdictions without “adequacy decisions,” which include the US and China among many others. The EU Standard Contractual Clauses (“SCCs”) are available here, and the UK International Data Transfer Agreement (“IDTA”) and Addendum are available here.

What now?

The SCCs and IDTA will be the transfer tool of choice for most companies sending or receiving data from the EEA or UK. Deadlines for implementing the new agreements are fast approaching.

For UK data transfers:

  • all new agreements executed on or after 21 September 2022 should incorporate the UK Addendum or IDTA; and
  • all existing agreements incorporating the old SCCs must be updated by 21 March 2024 (or sooner if the processing operations change before then).

For EEA data transfers:

  • all new agreements executed since 26 September 2021 have had to use the new SCCs; and
  • all existing agreements incorporating the old SCCs must be updated by 27 December 2022 (or sooner if the processing operations change before then).

For many businesses, implementing the new SCCs and IDTA or Addendum at the same time will be most efficient. Businesses may want to consider carefully what existing agreements need updating and how they will update their data protection compliance procedures to ensure all new agreements use the correct clauses.

For some businesses, the upcoming deadlines will be an opportunity to re-engage with international data transfer mapping and risk-assessment efforts. When doing this, businesses may want to pay close attention to EDPB guidelines and ICO guidance.

What next?

In March 2022, the United States and the European Commission announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework,” but it remains a work in progress. Once finalised, EU member states will have to agree to the final text, and the US would have to agree to any changes that arise from that process for the framework to enter into force. In the meantime, most businesses will need to rely on some combination of the new SCCs, IDTA and Addendum for cross-border data transfers for the US.

***

To subscribe to the Data Blog, please click here.

Author

Robert Maddox is an international counsel based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.