Transfer Tedium: Adapting the New SCCs to Account for Transfers from Switzerland and the UK
As the September 27th deadline to implement the new Standard Contractual Clauses (“SCCs”) approaches, many privacy practitioners are working overtime to help their clients update their standard data processing addenda to facilitate the lawful transfer of personal data from the EEA to non-adequate countries (“third countries”).
Practitioners looking to facilitate transfers of personal data from EEA-adjacent countries like the United Kingdom and Switzerland, however, will need to look beyond the June 4th European Commission Implementing Decision. For those countries, which have their own privacy laws and regulators, the new SCCs, on their own, will not facilitate the lawful transfer of personal data to third countries like the United States.
To help bridge the gap, the UK Information Commissioner’s Office (“ICO”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) both recently published updates on the intersection between their respective privacy laws and the GDPR in the context of international data transfers. This post summarizes those updates.
The ICO’s Approach
Since early May, the ICO has been working on “bespoke UK SCCs” to facilitate transfers of personal data from the UK to third countries post-Brexit. In the meantime, parties could continue to use the old EU SCCs as their transfer mechanism.
Then, on August 11, the ICO published a draft International Data Transfer Agreement (“IDTA”) and a draft UK Addendum to the new SCCs for public consultation. The IDTA is intended to serve as a stand-alone contract for restricted transfers of personal data to a country outside the UK. The UK Addendum, by contrast, allows UK data exporters to use the new SCCs so long as they append the UK Addendum, which modifies the EEA SCCs to align them with UK data protection laws as they apply to data transfers from the UK. Among other things, the draft UK Addendum states that all references in the new SCCs to the GDPR should be replaced with references to “UK Data Protection Laws,” the supervisory authority should be the ICO, and disputes arising from the new SCCs (including legal proceedings brought by a data subject) must be resolved by the courts of England and Wales.
But because the IDTA and the UK Addendum have not yet been finalized or formally adopted (the ICO’s public consultation period closes on October 7, 2021), the old SCCs remain the only contract-based transfer mechanism that has been blessed by the ICO. As a result, until the UK Addendum is finalized and approved, companies seeking to cover transfers from the EEA and the UK to third countries will need to implement both the new and old SCCs.
The Swiss FDPIC’s Approach
On August 27, the Swiss FDPIC announced that it will recognize the new SCCs as a basis for the transfer of personal data to third countries—with a caveat. The new SCCs must be “adapted and/or supplemented as necessary in specific cases” to account for the application of the Swiss Federal Act on Data Protection (“FADP”). To determine the necessary adjustments to the new SCCs, the FDPIC instructs Swiss data exporters to take the following steps:
- Determine which law governs the transfer. If personal data is transferred from Switzerland to a third country and there is “no link to the GDPR” (i.e., personal data transferred relates to only Swiss residents and no EEA residents) then the data transfer is subject solely to the FADP. Otherwise, the data transfer is subject to both the FADP and the GDPR.
- If the data transfer is exclusively subject to the FADP, modify the new SCCs to specify the same. In this instance, the new SCCs must be modified in a number of ways through an additional annex, including, for example, by listing the FDPIC as the competent supervisory authority and specifying that all references to the GDPR are to be understood as references to the FADP.
- If the data transfer is subject to both the FADP and the GDPR, decide whether to bifurcate the transfer mechanisms or apply the GDPR standard for all transfers. Under this scenario, the parties may either use two separate transfer regimes (one for transfers under the FADP and one for transfers under GDPR) or (since that sounds like a nightmare) implement the GDPR standard for all data processing, including transfers. Taking the latter approach, though, requires modifying the new SCCs to, among other things, provide for parallel supervisory authority between the FDPIC and the EEA authority selected in clause 13 of the new SCCs.
- Add a disclaimer to the term “member state.” Regardless of which law applies, the parties must supplement the SCCs with an annex specifying that the term “member state” must not be interpreted in a way that excludes data subjects in Switzerland from the possibility of suing in Switzerland for their rights in their personal data.
In short, although properly addressing Swiss data transfers will be a bit complicated, the upside is the parties can still use the new SCCs as their framework for those transfers—unlike for UK-originating transfers (at least for now).
The Bottom Line
The bottom line is that parties seeking to address transfers from the UK and Switzerland as well as the EEA will have to think twice before just using their copy-and-paste skills to implement the new SCCs. At least for now, when those UK and Swiss transfers are in scope, parties will need to take additional steps to adapt their contracts to account for those countries’ unique transfer requirements.