17 August 2021

The Office of the Data Protection Authority (the "ODPA") Approves New EU Standard Contractual Clauses for use by Guernsey Controllers and Processors

In common with the GDPR, The Data Protection (Bailiwick of Guernsey) Law, 2017 (the "Law") places restrictions on the extent to which personal data may be transferred to recipients outside the Bailiwick of Guernsey ("Guernsey").

Under the GDPR, transfers of personal data are permitted without restriction to countries that the European Commission (the "EC") has assessed as providing an "adequate" standard of protection for personal data. The current list of countries considered "adequate" is Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom.

The adequacy decisions for Jersey and Guernsey are currently being reviewed by the EC.

In the absence of an adequacy decision by the EC, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to "appropriate safeguards". The Law replicates this regime for transfers outside Guernsey.

Appropriate safeguards for such transfers include:

  • Binding corporate rules ("BCRs").
  • Standard data protection contractual clauses adopted by the European Commission ("SCCs").

SCCs are generally the most commonly utilised mechanism for such transfers.

In June 2021, the EC approved a new set of SCCs for international data transfers.[1]

The Guernsey data protection regulator, the ODPA, has now approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey.

The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the existing sets of SCCs (which include two controller-to-controller ("C2C") sets (2001 and 2004) and a controller-to-processor ("C2P") set (2010)). The new SCCs (unlike the existing ones, which only applied to C2C and C2P transfers) apply to a broader range of scenarios and include provisions for processor-to-processor ("P2P") and processor-to-controller ("P2C") transfers.

The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to "build" the relevant agreement on a modular basis.

The new SCCs also incorporate provisions to address the Schrems II decision of the European Court of Justice, the key effect of which was to invalidate the EU-U.S. Privacy Shield and to place additional administrative conditions on the use of SCCs.

While a transition period allows businesses to incorporate the old SCCs into new contracts until, at the latest, 27 September 2021, any Guernsey business looking to export personal data in reliance on SCCs will after that date need to use the new SCCs, which incorporate these further conditions. All existing contracts must be transitioned to the new SCCs by 27 December 2022.

Where controllers and processors are utilising SCCs (either new or old) or BCRs, they will also need to take account of the Schrems II decision. The European Data Protection Board ("EDPB") has published its Schrems II guidance in relation to supplementary measures to accompany international transfer tools. In summary, a six-step process is required in relation to international transfers.

  1. Know your transfers. Be aware of where the personal data goes so you know the level of protection provided there. Make sure the data you transfer is adequate, relevant and limited to what is necessary.
  2. Verify the transfer tool your transfer relies on. Using the SCCs or BCRs will be enough in this regard.
  3. Assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
  4. Identify and adopt supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third country's safeguards. If no supplementary measure is suitable, you must avoid, suspend or terminate the transfer.
  5. Take any formal procedural steps the adoption of your supplementary measure may require.
  6. Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.

In practice, the above requires a detailed and documented transfer impact assessment ("TIA"). For many Guernsey controllers and processors, this will be an onerous process, and we would suggest that Guernsey businesses prioritise it. We are able to assist clients in this process.

Part of the UK Information Commission consultation on international transfers referenced below includes a TIA toolkit, and we would suggest that this provides an excellent and practical starting point for Guernsey controllers and processors.

What about the UK?

The European Commission has recognised the UK as an adequate jurisdiction for the purposes of international data transfer, meaning that transfers to and from the UK and Guernsey may continue without restriction.

Guernsey controllers and processors who are subject to the UK GDPR by virtue of its extra-territoriality provisions will also need to consider whether they may need to continue using the existing SCCs: the UK is yet to make a decision on replacing them for the purposes of the UK GDPR.

The UK Information Commission has now published a consultation draft of its SCC alternative - what it describes as an International Data Transfer Agreement ("IDTA").

The IDTA looks very different in style to the SCCs and time will tell whether those differences lead to issues between the EU and the UK.

However, it is encouraging to note that the UK's Commission has indicated that for those organisations wishing to use the European Commission approved SCCs, they will be able to do so by completing a straightforward UK addendum.

As noted above, a TIA toolkit is also included.

Should we be replacing our existing SCCs with the new ones? If so, when?

This will depend on the circumstances of each controller and processor. However, it should be noted that the new SCCs are complex instruments. It may be that Guernsey businesses should wait for market practice to evolve before moving to adopt them (always keeping in mind the "longstop" date of 27 December 2022).

The expectations of the ODPA are also likely to evolve as time goes on, so both market and regulatory practice are likely to inform the approach of businesses. The approach that the UK adopts is also likely to be influential (although given Brexit, potentially less influential than previously).

It may also be that the ODPA considers issuing a localised set of the new SCCs – the EU version naturally is drafted in anticipation of its use by EU businesses and provides for EU Member State law and jurisdiction to apply – or that it decides to follow the UK approach and publish its own SCCs alongside a Guernsey addendum to utilise together with the SCCs and/or the UK IDTA.

Our view is that, where possible, Guernsey businesses should take advantage of the transitional period and focus their initial efforts on the six-step TIA process set out above. In doing so, the UK TIA toolkit seems a reasonable place to start (even if it is as yet a consultation draft).

As ever, we are happy to assist and/or discuss further.

[1] It should be noted that the European Commission also approved a set of SCCs in relation to data processing agreements at the same time.
