The 21 March 2024 deadline is looming: have you updated your contracts to replace the old EU SCCs?

Under the UK GDPR, UK businesses that wish to transfer personal data to a recipient in a jurisdiction that has not been approved by the UK government as providing "adequate safeguards" for the protection of such data, must rely on a valid transfer mechanism to give effect to the transfer. One of the more widely used transfer mechanisms is the use of standard contractual clauses approved by the UK government (which are incorporated into the contract between the UK business and the overseas recipient of the data).

As things stand, one of the sets of standard contractual clauses that businesses can rely on is, in respect of contracts entered into prior to 22 September 2022, the old EU standard contractual clauses issued by the European Commission under the old Data Protection Directive, ("the Old EU SCCs"). This will no longer be the case from 21 March 2024 ("the deadline").

Consequently, contracts which rely on the Old EU SCCs as a relevant data transfer mechanism need to be updated, prior to the deadline, to ensure the relevant international transfer of personal data continues to be compliant with the data protection legislation.

What transfer mechanisms can you rely on instead?

Unless another transfer mechanism can be relied on (e.g. the UK Extension to the EU-US Data Privacy Framework) either (i) contracts which incorporate the Old EU SCCs will need to be updated to include the new EU Standard Contractual Clauses issued by the European Commission on 4 June 2021 (the "New EU SCCs") with UK Addendum or (ii) the parties to the relevant contract will need to enter into the UK's International Data Transfer Agreement ("IDTA").

Note that the New EU SCCs, on their own, are not deemed to be a valid transfer mechanism for restricted transfers of personal data under the UK GDPR, the UK Addendum also needs to be entered into.

What steps should you be taking now?

With the deadline looming, it is important to get ahead of this issue if you have not already done so. In some cases, particularly where an organisation has a number of processors, this can be a lengthy process.

Firstly, you need to understand:

  • which of your existing contracts involve the transfer of personal data outside of the UK (to a country not subject to an adequacy decision); and
  • which of these contracts rely on the Old EU SCCs as the relevant transfer mechanism.

Once this has been completed, there will likely be additional points to consider, e.g. how you go about varying the contracts, however these first steps will help you to understand the scope and scale of the project, which will inform the approach you take.

Assuming you intend to rely on standard contractual clauses, you should subsequently identify how best to incorporate the New EU SCCs and UK Addendum into the relevant contracts or disapply the Old EU SCCs in favour of the IDTA. The most likely option will be to vary the contract, however in some cases it may make sense for a new contract to be entered into instead.

As part of this process, you should also ensure an up-to-date transfer risk assessment ("TRA") exists in respect of each restricted transfer. Completing a TRA is a requirement when transferring to a country not subject to an adequacy decision including where such transfer is based on either the IDTA or New EU SCCs and UK Addendum.

What about sub-processors?

The deadline applies to all restricted transfers whether that be from a data controller to a data processor, or an onward transfer from the data processor to its sub-processor. On that basis any organisation sharing personal data outside of the UK must comply with these new obligations regardless of its controller / processor status.

Where you are the data controller, you should be ensuring that the contract you have with any data processor has appropriate flow-down obligations to ensure that the processor is implementing an appropriate international data transfer mechanism with its sub-processors. You may also wish to notify your UK/EU processors of the deadline to ensure your data is adequately protected and there is no disruption to your data flows at a later date.

What if you don't comply?

As with any breach of the UK GDPR, if you are found to be non-compliant, the ICO will have the power to impose a fine on your organisation (of up to £17.5m or 4% of total worldwide annual turnover, whichever the greater). That said, these level of fines are reserved for serious breaches which put personal data at risk which doesn't seem applicable here (unless the breach is part of a wider systemic failure to comply with the data protection legislation).

Whilst we think it unlikely that the ICO will actively be issuing fines for non-compliance with the transfer rules immediately after the deadline has passed (and will more likely order companies to get their house in order), the most sensible course of action would be to try and address this issue sooner, rather than later. As we have seen on countless occasions, the ICO will often look more favourably on organisations which are seen to be attempting to comply with the data protection legislation, as opposed to those who simply disregard the rules.

For more information on the appointment of sub processors in non-adequate jurisdictions please see our article.

Key contacts