Locations
Businesses should take the necessary steps as soon as possible if they have not already done so.
The deadline to adopt the new EU Standard Contractual Clauses (SCCs) was 27 December 2022. By that date, existing contracts concluded before 27 September 2021 that incorporated the old EU SCCs needed to be revised to incorporate the new EU SCCs.
As previously reported in our blog on "The updated standard contractual clauses — A new hope?", these new SCCs were adopted by the European Commission on 4 June 2021. A grace period until 27 December 2022 was afforded to organisations in relation to contracts that were concluded before 27 September 2021, as long as the relevant processing operations remained unchanged.
The objective of standard contractual clauses is to provide a mechanism for safeguarding personal data when it is transferred outside of the EEA to a country that is not deemed to provide adequate data protection in the eyes of the European Commission. A transfer impact assessment (TIA) should also be completed in tandem with the EU SCCs to ensure that there is "essential equivalence" of data protection in the country of import and to assess whether there is anything in the laws of the relevant country that would undermine reliance on the EU SCCs. A TIA reviews the laws and practices of the relevant country and assesses the risk of government interference, as well as the availability of effective recourse for data subjects who have had their rights infringed. One development under the new EU SCCs is that Clause 14 establishes various contractual obligations with regard to carrying out a TIA and therefore, failing to comply with these obligations, could give rise to not only claims by aggrieved data subjects (with the possibility of hefty fines handed down by regulators), but also a breach of contract claim.
To the extent that they have not already done so, businesses should take steps as soon as possible to update their legacy contracts to bring them in line with EU requirements and carry out the related TIAs. Companies should also keep in mind the deadline for updating contracts with the UK's own standard contractual clauses for international transfers. Having come into force in March 2022, the international data transfer addendum to the EU SCCs (UK Addendum) or the standalone international data transfer agreement (IDTA) must be used in all contracts that require a data transfer mechanism by 21 March 2024. All contracts entered into after 21 September 2022 should already be using the new UK Addendum or IDTA, where applicable. For more information on this please see our blog "New UK data transfer tools come into force". A TIA should also be carried out in respect of transfers from the UK. We have commented previously on the ICO's new approach to TIAs.