Introduction

On 4 June 2021, the European Commission adopted new Standard Contractual Clauses (EU SCCs) for the transfer of personal data from the European Economic Area (EEA) to third countries that are not deemed “adequate” by the European Commission. On 11 August 2021, the UK Information Commissioner’s Office (ICO) published draft UK SCCs, formerly known as the International Data Transfer Agreement (IDTA), for UK companies to use in place of the EU SCCs. The UK SCCs are open to public consultation until 7 October 2021 and HewardMills will continue to provide updates and analysis throughout the process.  

The new EU SCCs took effect on 27 June 2021. However, organisations were given a 3-month grace period (ending on 27 September 2021) during which the old SCCs could still be used for new contracts. However, with the deadline fast approaching, all new data transfer agreements involving the EEA must use the new SCCs. Existing contracts that rely on the old SCCs may continue to do so until 27 December 2022. At that time, all data transfers must use the new SCCs. This also applies to subcontractor agreements.  

Amongst other requirements, both SCCs will mandate organisations to conduct a Transfer Impact Assessment (TIA) when relying on SCCs or other data transfer tools. Given the fast-approaching deadline for new contracts that rely on the EU SCCs, organisations should ensure they are ready to conduct TIAs before entering into new contracts after the grace period. 

Why organisations need a TIA

Although the new SCCs have been introduced, they are not a ‘holy grail’. Organisations cannot simply rely on data transfer tools, including SCCs, as a form of protection without further actions when transferring personal data outside of the EEA. Following the Schrems II decision, organisations must, on top of using such tools, assess whether the laws of the destination country ensure adequate protection for the personal data being transferred. This is because the laws and practices of the destination country may impact the effectiveness of the transfer tool.

Before transferring data, organisations must warrant they have no reason to believe that the laws of any third country will prevent the data importer from fulfilling its obligations under the new SCCs. A TIA would, therefore, be useful here as it helps evaluate if there is anything in the destination country that may impinge on the effectiveness of the appropriate data protection safeguards provided by the new SCCs.

Requirements of a TIA

As provided by Clause 14 of the new SCCs, a TIA should take into account specific circumstances of the transfer, the laws and practices of the third country destination, and any relevant contractual, technical or organisational measures to supplement safeguards under the SCCs.

When conducting a TIA, organisations could also consider the following factors:

  • Likelihood of government access to the data
  • If the data is within the scope of intelligence and law enforcement activities
  • Adequate protections are in place
  • The legal framework or applicable privacy and security standards in the destination country
  • The general human rights ratings of the country

Conclusion

As a TIA is required under the new SCCs and a method to ensure maximum data protection, organisations should conduct TIAs during third country data transfers to demonstrate compliance with the General Data Protection Regulation (GDPR).

HewardMills, a global DPO, helps organisations operating in the EU with their efforts to be GDPR compliant when transferring data to third countries, thus avoiding fines and other regulatory issues. Our team has developed a simple 6-step process to completing a TIA, and our data privacy consultants located around the world are available to guide and support your organisation’s implementation of this solution. For more information, please reach out to dpo@hewardmills.com.