There was some early summer cheer on Friday 4 June after the European Commission published its long-awaited updates to the Standard Contractual Clauses (SCCs). The SCCs are the mechanism most commonly used by organisations to ensure adherence to EU data protection rules when transferring personal data outside the European Economic Area (EEA).

The new SCCs are the culmination of frantic efforts to establish a compliant vehicle for transferring personal data outside the EEA after the Schrems II ruling, which invalidated the Standard Contractual Clauses (SCCs) and cast doubt over the protection provided by existing SCCs against data interception by overseas intelligence agencies and law enforcement bodies. To the frustration of many organisations, the ruling found that the SCCs did not offer sufficient safeguards against such interception, and that organisations would therefore need to assess the laws of the importing jurisdiction to evaluate the potential exposure to such access, an exercise more commonly known as a Data Transfer Impact Assessment (DTIA).

Many observers may feel the update of the SCCs is long overdue. They have been modernised to align with the EU General Data Protection Regulation, which raises the bar in terms of compliance with the core processing principles and the obligations placed on the data exporter and data importer. It is also clear that there has been a focus on addressing previous areas of frustration: there are now, helpfully, four modules based on the relationship between the exporter and importer, the difference being specific clauses which now address Processor to Controller and Processor to Processor relationships.

Whilst the new SCCs certainly offer additional safeguards for personal data, the obligations they impose on data importers are likely to be considered onerous by some organisations and may result in more difficult negotiations when using third party vendors and service providers based outside the EEA, who may baulk at submitting themselves to the jurisdiction of the relevant supervisory authority.

Those who may have been hoping that the new SCCs would mark the end of DTIAs will be sorely disappointed, as these will now be a permanent fixture of cross-border data transfer agreements. Such assessments will need to comprise an evaluation of the personal data processing activities, the laws and practices of the importing jurisdiction (with specific focus on disclosure to governmental bodies), and the contractual, technical and organisational safeguards in place. Furthermore, both the exporter and importer will be required to document the assessment and furnish it to the supervisory authority upon request.

In the event the data importer receives a binding disclosure request from a public authority, it must notify the data exporter and provide as much information as possible about the nature of the request, including the personal data concerned, the nature and volume of requests, and whether any objections were raised. However, this is qualified to the extent that the importer is not prohibited from making such a notification to the exporter, although it is expected to use its best efforts to obtain a waiver. Whilst in theory there is logic in such an approach, it remains to be seen how feasible this will be in practice.

The existing SCCs can continue to be used for new contracts for a further 3 months from the date of the Commission decision on Friday 4 June, recognising the fact that many contractual agreements incorporating the SCCs may presently be subject to ongoing negotiations. Furthermore, there will be a further 15 months (totalling 18 months transitional relief) grace period to allow organisations to transition their existing contractual agreements to the new SCCs. The significance of such an undertaking for many organisations should not be underestimated.

The curious juxtaposition with respect to cross-border data transfers is that, whilst this continues to be a very high-profile area of data protection compliance, subject to sizeable changes in policy and approach over the years driven by advances in technology and geopolitical developments, there has to date been minimal enforcement in this area from European supervisory authorities. Nonetheless, organisations cannot afford to be complacent and will need to take steps to review their existing contractual agreements across their supply chain to establish the extent of the remediation exercise which may be necessary.

As a general rule, organisations with a multinational footprint should prioritise their existing intra-group data transfer agreements to ensure the free-flow of personal data between their EEA and non-EEA locations to minimise disruption to business operations. This should then be followed by addressing contractual arrangements across vendor supply chains starting with critical or materially significant vendors and/or those holding large volumes of data, e.g. cloud-based service providers.

Whilst there may be a collective groan from senior management as they are once again briefed on changes to EU data transfer rules, those who take early action to assess their exposure, prioritise their remediation and initiate a targeted response will find the exercise less daunting. The clock is now ticking and organisations cannot afford to let their frustration or apathy stymie their response.