Monday, 17 August 2020

Data Protection: Whither the EU’s SCCs …

It is possible that the European Commission will fail to provide the UK with a data protection adequacy assessment by the end of the year. It is also possible that, in the near future, the EU will publish revised sets of Standard Contractual Clauses to replace the existing SCCs in a bold effort to ensure that flows of personal data outside the European Union remain suitably protected.


So what?


If the UK receives an EU adequacy assessment, presumably the UK Government will simply anglicise the new EU SCCs and ask UK organisations to use the new versions for the Non-EU, UK - Rest of the World data flows.

But, if the UK does not get an EU adequacy assessment, some commentators will suggest that this is the time either to leave the existing SCCs alone, or to adopt a very different approach. 


The Conservative Party won the General Election in December 2019 on the manifesto promise that it would get Brexit done.


If the point of Brexit is for the UK to remove itself from the straightjacket  embrace of the European Union, it is surely now up to the UK to determine for itself what contractual clauses are really necessary, in today’s world, to safeguard personal data flows outside the UK. 


My experience of using SCCs over the past few decades is that few organisations take much, if any, notice of the clauses once they have been incorporated into a data processing contract. They are part of the non—negotiable legal boilerplating text that is slipped into a schedule towards the end of the contract. The very few occasions I’ve noted the processor’s lawyers raising an issue with any of the clauses have been the times when they had realised that “my side” had a right to (1) audit “their” processes, or (2) be consulted and provide prior consent to the use of sub-processors.  


What evidence is there that SCCs are of any value? I’ve never been involved in a contractual dispute with a processor that has required the parties to rely on the SCCs to address or resolve an issue. And, in the past 20 years of attending data protection conferences (with the exception of presentations on the never-ending Schrems cases) I’ve never knowingly come across anyone who has.

 

So, if I were to take an evidence-based approach, I would ask why it was necessary for the UK Government to change the existing SCCs, or why it was necessary to have them at all. What evidence is available to justify their existence, or at least to justify their existence in their current form? Why can’t any of the current clauses be capable of being negotiated between the parties on a risk basis? Why not give UK data controllers more flexibility?

Whatever tweaks are proposed by the European Commission will invariably require EU-based organisations to undertake an absolutely enormous repapering exercise. It could take years to complete. Many of my privacy colleagues are only now recovering from the repapering rigmarole that was required to meet the GDPR Article 28 requirements. To expect them to commission a similar exercise so soon is cruel (and costly). 


No doubt some EU-based organisations will want to ‘simplify’ their contractual arrangements by requiring contracts with all processors, regardless of whether the underlying personal data is within the scope of the GDPR, to be changed to reflect the new SCCs.


But why should the UK Government tell UK organisations to follow the EU’s approach if the EU had decided that the UK doesn’t have sufficiently adequate data protection standards in the first place?  Would the UK really want to copy a GDPR regime that did not properly respect the UK’s privacy standards? 


Isn't there a better approach?


I’m looking forward to a passionate debate.