Since the EU-US Privacy Shield was declared invalid in 2020 by the European Court of Justice in the Schrems II decision, SaaS suppliers and SaaS customers have had to use EU standard contractual clauses (“EU SCCs”) or binding corporate rules (“BCRs”) as the transfer mechanism when transferring personal data from the EEA, UK or Switzerland to a third country. A third country is a country which the EU has determined does not have laws that protect personal data to the same standard as the EU and is therefore not deemed “adequate” by the European Commission, for example, the USA.
The EU SCCs were drafted more than 10 years ago and were not really suitable for the actual types of data transfers that SaaS customers and SaaS suppliers make today under complex cloud computing models. Accordingly, the EU created a new version of the EU SCCs.
New EU SCCs
On the 27th of June 2021, the European Commission replaced the existing EU SCCs with new EU SCCs. The new EU SCCs cover four different transfer scenarios in one document:
- Controller to controller – module 1
- Controller to processor – module 2
- Processor to controller – module 3
- Processor to processor – module 4
However, the new EU SCCs only apply to international transfers of personal data from the EEA (not the UK) to third countries. The UK continued to use the “old” EU SCCs for international transfers of personal data from the UK to third countries. The UK has now created new UK SCCs.
New UK SCCs
The Information Commissioner’s Office (“ICO”) on the 21st of March 2022 and has advised that the new UK SCCs must be used instead of the “old” EU SCCs for transfers of personal data from the UK to third countries.
The new UK SCCs consist of two separate documents:
- International Data Transfer Agreement (“IDTA”)
- International Data Transfer Addendum (“UK Addendum”) together with the new EU SCCs
The IDTA is designed to enable SaaS suppliers and SaaS customers to transfer personal data from the UK to a third country, e.g. the USA.
The UK Addendum is an addendum to the EU SCCs. It is designed to enable SaaS suppliers and SaaS customers to transfer data from the EU and the UK using the new EU SCCs, by incorporating the UK Addendum into the new EU SCCs. The UK Addendum allows SaaS suppliers and SaaS customers to use the new EU SCCs to cover both transfers, avoiding the need to use both the EU SCCs and the IDTA.
When must the new UK SCCs be used?
SaaS suppliers and SaaS customers can continue to use the old EU SCCs until the 21st of March 2024 for all agreements concluded on or before the 21st of September 2022, provided that the processing operations that are the subject matter of the agreement remain unchanged.
All agreements concluded after the 21st of September 2022 must use either: (i) the IDTA; or (ii) the UK Addendum together with the new EU SCCs.
IDTA or the UK Addendum?
The choice will largely depend upon the locations of the SaaS supplier, SaaS customer, their group companies and the countries to which each transfers personal data.
Where a SaaS supplier transfers personal data from both the EU and the UK, it makes sense to use the UK Addendum, as:
- The EU SCCs can be used for transfers from the EU and from the UK (with a UK Addendum added for the UK transfers);
- This makes the drafting of the SCCs much simpler;
- This should reduce discussions between SaaS customers and sub-processors;
- This will make the contractual provisions for all personal data transfers more consistent.
Where a SaaS supplier only transfers personal data from the UK to third countries, or most transfers are from the UK, use of the IDTA makes sense, as:
- The SaaS agreement is incorporated into the IDTA;
- The structure is simpler to follow and does not include the complicated modular approach of the new EU SCCs;
- More flexible commercial provisions can be added to the IDTA.
Where a US SaaS supplier transfers personal data from both the EU and the UK, the UK Addendum should be used.
Actions to take now
SaaS suppliers and SaaS customers will need to take the following steps to implement changes to their existing data processing agreements to add the UK Addendum or IDTA, as appropriate, in line with the above timelines. They will need to:
- Carry out a data mapping to identify international data transfers from the EU and UK;
- Identify the data transfer mechanism relied upon for each transfer to a third country;
- Carry out a Schrems II data transfer assessment (“DTA”) based on the guidance from the EDPB for transfers relying upon SCCs or BCRs;
- Carry out an ICO data transfer assessment (“DTA”) for each transfer from the UK, in due course, using the template and tool being created by the ICO, see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/;
- Decide whether to use the UK Addendum or the IDTA for personal data transfers from the UK;
- Review existing group data transfer agreements;
- Review existing DPAs with all third parties i.e. customers, suppliers and sub-contractors;
- Use the UK Addendum or IDTA for all new agreements from the 21st of September 2022;
- Ensure the UK Addendum or IDTA is added to all existing agreements before the 21st of March 2024.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me.