EU – SCCs: The great repapering deadline approaches
The deadline to repaper legacy EU standard contractual clauses is the 27 December. We reflect on some of the lessons from this great repapering exercise.
In June last year, the EU Commission issued their long-awaited new Standard Contractual Clauses (“SCCs”) for the transfer of personal data to third countries. The clauses included a number of innovations such as building in transfer impact assessments (“TIAs”) and operating in a modular way with a new option for processor-to-processor and processor-to-controller transfers (more here).
As part of a carefully worked out transition process, new transfers could still be made under the old SCCs until September 2021 and, absent any changes to the processing in the meantime, existing transfers could be made under the old SCCs until 27 December 2022. The latter deadline is now upon us. Merry Christmas.
A two-phase process
Many businesses have either completed, or are close to completing, this repapering exercise. In our experience, this has typically involved two concurrent phases.
The first phase is to understand and rationalise affected data transfers. In some cases, this is easier said than done. After nearly twenty years of the old SCCs, it is not necessarily easy to track down where they are used within a business, let alone confirm if the transfers described in the SCCs are still with the same counterparty, still correctly described, still actually taking place etc.
This initial process also typically seeks to rationalise the use of SCCs wherever possible. In particular, the new processor-processor module can hugely simplify some data transfers by allowing an EU-based supplier entity to act as a single point of contact (i.e. it gets rid of any arguable need for direct SCCs between controllers and a supplier’s sub-processor).
The second phase is to carry out the actual repapering. This typically requires:
- The old SCCs to be terminated or disapplied in relation to future transfers, usually by executing an amendment agreement that replaces them with the new SCCs going forward.
- The new SCCs to be filled in and executed. This is largely a mechanical process of transposing that information from the old SCCs to the new SCCs. However, this assumes the information in the old SCCs is still correct (see above) and there are still additional information requirements to complete the new SCCs (such as the frequency of transfers).
- A TIA. This is not strictly tied to the repapering exercise and, in theory, this should have already been carried out in respect of any transfers under the old SCCs. Nonetheless, repapering is often the trigger for conducting a TIA and the burden of trying to conduct a large number of TIAs at once is significant.
Like Tolstoy’s unhappy families, each business will have approached this in their own way. The number of transfers, the type of data being transferred, the jurisdictions to which data is transferred, and the homogeneity of the transfers; these all affect the overall approach to this exercise.
However, our experience suggests there are four key factors to a successful repapering exercise:
- Scalable solutions: Where there are large numbers of transfers, we have helped business create scalable solutions to implement the repapering as efficiently as possible. For suppliers with homogeneous data transfers from customers, that typically means adopting pragmatic and standardised positions to avoid having to develop bespoke arrangements coupled with streamlined execution processes. For customers, that sometimes means accepting standardised positions from large suppliers even if they leave something to be desired.
- Use technology: Some businesses have used technology to help identify their existing SCCs and automatically generate new SCCs. For example, we created an AI-powered tool for SCC repapering. E-signature applications are another tool which is frequently used to facilitate the execution of large volumes of SCCs in an efficient way.
- Prioritise: For some businesses, this repapering exercise has been a burdensome undertaking, particularly the need to conduct TIAs. Our experience has been that careful prioritisation generally leads to the best results. Consider which transfers create the most risk because of the volume and sensitivity of the personal data being transferred, and the implications if that transfer were blocked. Those are the transfers that need the greatest consideration and the deepest TIA analysis.
- Do something: Perfection is the enemy of the good so it is important to at least do something. Regulatory investigations and action by individuals and pressure groups (such as NOYB) will ramp up once the repapering deadline has passed and businesses that have not repapered any of their transfers or even attempted to assess the risks of the transfer will be easy targets for enforcement. Much of the enforcement in this area to date has been against businesses that didn’t even do the basics.
Following Brexit, the UK is running on its own timelines. While the deadline to switch to the new IDTA or UK SCC addendum passed in September this year, existing transfers can continue under the old SCC until March 2024 (assuming the processing doesn’t change).
The UK Information Commissioner has also issued new guidance on international transfers, including an alternative six stage approach to conducting TIAs. It is open to UK controllers to use either the EU or UK approach, but those using the UK approach will likely benefit from some additional flexibility given it focuses more closely on the inherent risk in the data being transferred. For example, if all the data is “Low Risk” (e.g. name, age, contact details, training records) it can proceed without a substantive assessment of the jurisdiction to which it is being transferred. However, for large organisations processing sensitive data the process is likely to be very similar, if not identical, to the EU approach, and there are likely to be process and cost benefits in explicitly applying the EU approach to UK transfers.