I Think I Have Third Party Transfers Maybe Kinda Sorted?

As much as I spend my time ranting on Twitter and elsewhere about the awful state of regulatory #absolutism concerning data transfers between the EU and US, I hadn’t given enough time assessing the question “okay, well what about the rest of the world?”

Most countries (even inadequate countries) are not facing regulatory ire like the US is (although some arguably should be). Many tech companies have not been deemed ‘WrongPlatforms‘ as Alec Muffett calls them, as they fail at being both a) American and b) profitable. You can be profitable out of South Africa, and you’re probably fine. Or unprofitable (like Signal) and American and you’re good. But once a tech company meets both conditions, it’s only a matter of time before it gets #Schremified.

But for the rest of the world, so called third party or restricted transfers may actually work, right? And the most viable option, save for the lucky few that can avail of a derogation under Article 49, or Binding Corporate Rules under Article 47, are Standard Contract Clauses (SCCs) under Article 46(2)(c).

Brexit Throws Another Spanner Into the Works

As most of my fellow privacy nerds know, the EU unveiled its updated (new) SCCs in June 2021. We’ve had a grace period, but that grace period is coming to an end — all data transfer agreements to third countries must be inked using the new SCCs by 27 December 2022.

Many of us have been happily updating to the new SCCs throughout this period. There’s a lot of flexibility in the new SCCs, and a considerably broader scope for different controller/processor relationships. And all was right and well with the world, until the UK decided to make things just a bit more annoying by adding their own version of new SCCs into the mix earlier this year. Even though they read substantially like the new EU SCCs, they’re different enough because they take out all the ‘EU’ bits and replace them with UK-specific bits. I mean, sure, lookit Brexit means Brexit.

In addition to Brexitifying the SCCs, the UK International Data Transfer Agreement (IDTA) and the UK Addendum also have their own cut-over periods.

  • Contracts signed on or before 21 September 2022 can rely on the old EU SCCs until 21 March 2024. This despite the fact that controllers and processors had to cut over to the new EU SCCs by September 2021… (¯\_(ツ)_/¯)
  • Contracts signed after 21 September 2022 will need to use the IDTA or the Addendum in order to be effective.
  • From 22 March 2024, the old Standard Contractual Clauses will no longer fly (they will magically cease to offer ‘appropriate safeguards’). Contracts must be amended to replace the agreements either with the IDTA, or the new EU SCCs + UK Addendum.

What makes this extra messy, of course is that many organisations exist globally, including in the UK and the EEA, and while data can flow freely between the UK and the EEA now based on the fact that the UK has adequacy, this is not a permanent thing. In fact, I suspect the UK will face an ‘adequacy reckoning’ sooner rather than later, given all its various threats to ‘get Brexit done,’ by gutting many of the GDPR’s core principles and scrapping human rights law.

That’s Great and All, But Which Contract(s) Do I Sign?!

We’ve been updating many of our client’s SCCs and data processing agreements, and one asked me pointedly: which of these blasted things should they be using for all their third party transfers? DPAs? New EU SCCs? SCCs + the IDTA? Just the IDTA? SCCs + the UK Addendum?!

Y’all, this legitimately sent me into a panic. I didn’t have a direct answer for him, because it turns out the answer falls squarely into the lawyer trap of ‘it depends.’ But since I like my client, and I had a whiteboard and some spare cycles on a Thursday, I decided to plot it out. My initial whiteboard was a bit messy, but I realized that there are at least 8 (!) different transfer scenarios to consider. Arrows designate the importer relationship — e.g., the UK importing to a non-adequate third country. Depending on the nature of the relationship (controllers, processors, subprocessors, joint controllers), additional factors may also come into play.

The UK also created a new liminal space — a not-a-restricted transfer-transfer between a UK branch and a third party parent. This isn’t considered a restricted transfer, and doesn’t need anything beyond a garden variety Data Processing Agreement.

A Table of Importer Relationships

  • UK –> Non-Adequate
  • UK –> EU
  • UK <–> EU
  • EU –> UK
  • Non-Adequate –> EU & UK
  • EU & UK –> Non-Adequate
  • Non-Adequate & UK –> EU
  • UK (branch) –> Non-Adequate (Parent) (the ‘UK Bubble’)

And so, here it is. A slightly-more-clear understanding of how contract drafting should go from now on when it comes to third party/restricted transfers from the UK or EEA to elsewhere. I probably got at least some of this wrong. If you see something glaring/confusing, hit me up on Twitter or via email (carey@castlebridge.ie).

Either way, I hope this helps others. It’s certainly helped me.
