The European Commission’s new Standard Contractual Clauses - technical update

The European Commission published a new set of Standard Contractual Clauses ("SCCs") for international data transfers in June 2021. These replace the existing SCCs subject to a transitional period (see below).
The Office of the Data Protection Authority is alerting organisations to what they will need to consider doing in response to the new SCCs.

What are SCCs for? 
The Data Protection (Bailiwick of Guernsey) Law, 2017 recognises SCCs (which are also called ‘Standard Data Protection Clauses’) as forming one of a number of available statutory mechanisms which can be used to enable personal data to be lawfully transferred from a controller or processor in the Bailiwick to a recipient based in a country or jurisdiction outside of the European Economic Area (EEA) (see Section 56 (2) of the Law).

Existing SCCs vs. new SCCs 
The existing SCCs approved by the European Commission all pre-date both the local data protection law and the GDPR. There are three sets of existing SCCs – two controller to controller sets (2001 and 2004) and a controller to processor set (2010). In addition to these, the European Commission published two sets of new SCCs on 4 June 2021: 

• The first set of SCCs governs international data transfers (Standard contractual clauses for international transfers) and are the subject of this technical update. 
• The second set of SCCs governs data processing agreements between controllers and processors (i.e., service providers) (Standard contractual clauses for controllers and processors in the EU/EEA). We will be publishing further guidance on these clauses in due course.

Why are the new SCCs needed? 
The new SCCs for international transfers reflect the changes to European data protection legislation made by the GDPR, as well as taking into account the ‘Schrems II’ decision, which invalidated the EU/US Privacy Shield (see: EU/US Privacy Shield data transfers invalid) and stated that SCCs should be supplemented with an assessment of the legal redress available to individuals in the ‘third country’.

What about other measures to protect data?
In parallel to the new SCCs, the European Data Protection Board (EDPB) has also finalised its Schrems II guidance in relation to supplementary measures to accompany international transfer tools (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) 

Transitional period
The new SCCs have a transitional period - European controllers and processors must stop using the existing SCCs in new contracts by 27 September 2021 and all existing contracts relying on the existing SCCs must be transitioned to the new SCCs by 27 December 2022. 

Using SCCs and other measures in the Bailiwick 
The Data Protection Authority recognises the new SCCs as an appropriate transfer mechanism for transfers from the Bailiwick to ‘third countries’ (i.e. those countries which the EC do not recognise as having protections around personal data equivalent to the GDPR). It should be emphasised that there are a number of other transfer mechanisms available including ‘Binding Corporate Rules’.

What does this mean for transfers to and from the EEA and Guernsey?
Guernsey remains recognised as an "adequate" jurisdiction by the European Commission for the purposes of international data transfer. Accordingly, data transfers between Guernsey and the EEA do not require additional transfer instruments or mechanisms.

What does this mean for transfers to and from the UK and the Bailiwick?
Following the UK's departure from the EU, the UK has now also been recognised by the European Commission as being an adequate jurisdiction for the purposes of the international data transfer regime.    
Whilst the UK is currently reviewing its arrangements for international data transfer, the current position is that transfers from the UK to the Bailiwick can also continue to take place without further additional transfer instruments or mechanisms by virtue of the Bailiwick’s adequacy decision.

What does this mean for transfers to and from the Bailiwick and Third Countries?
The Law differentiates between authorised jurisdictions (which do not require additional transfer instruments or mechanisms) and unauthorised jurisdictions (which do).

Authorised jurisdictions include:

• the Bailiwick of Guernsey;
• a member state of the European Union (incl. EEA countries);
• any country, sector or international organisation which has been determined by the European Commission as providing an 'adequate level of protection' for the rights and freedoms of data subjects; or
• a "designated jurisdiction".

A ‘designated jurisdiction’ is so designated by Ordinance and could encompass  the UK (or any country within the UK), any Crown Dependency (such as the Channel Islands or Isle of Man) or any sector within the UK or a Crown Dependency.  No jurisdictions are currently recognised as designated jurisdictions.

Unauthorised jurisdictions means any countries, sectors in a country or international organisation that does not fall within the scope of an 'authorised jurisdiction'.   

Personal data must not be transferred outside of the Bailiwick of Guernsey by a controller or processor ("Exporter") to an unauthorised jurisdiction unless the Exporter is satisfied that:

• particular 'safeguards' are in place and there is a mechanism for data subjects (the people who the data relates to) to enforce their rights and obtain effective legal remedies against a controller or processor receiving the personal data ("Importer") (section 56 of the Law)
• the Data Protection Authority has authorised the transfer (section 57 of the Law) or
• other specified derogations exist (see section 59 of the Bailiwick data protection Law)

'Safeguards' for these purposes include for example: SCCs, legally enforceable agreements (where the Importer is a public authority / body), binding corporate rules ("BCRs"), or approved codes or other approved mechanisms which combine binding and enforceable commitments on the Importer. 

Where controllers and processors in the Bailiwick are relying on SCCs, the transitional dates detailed above apply i.e. they must stop using existing SCCs in new contracts by 27 September 2021 and all existing contracts relying on existing SCCs must be transitioned to the new SCCs by 27 December 2022.

Where controllers and processors are utilising SCCs or BCRs, they will need also to take account of the EDPB's guidance on supplementary measures. We will be publishing further guidance on this subject in due course.

Bailiwick controllers and processors who are subject to the UK GDPR by virtue of its extra territorial scope will also need to consider whether they may need to continue using existing SCCs – the UK is yet to make a decision on replacing them for the purposes of the UK GDPR. UK advice is likely to be required in this scenario.