‘Old’ EU standard contractual clauses sunset date approaches in the UK, Michael Charalambous

In the UK, transfers of personal data that continue to be based on the ‘old’ EU Standard Contractual Clauses (“Old EU SCCs”) will no longer be valid from 21 March 2024.

The Old EU SCCs were the standard contractual clauses that were issued under European Commission Implementing Decisions 2001/497/EC and 2010/87/EU, and were developed as a mechanism to transfer personal data under EU Directive 95/46/EU (i.e., the predecessor to the GDPR), and were also used as transfer mechanisms under Article 46 GDPR.

The European Commission replaced the Old EU SCCs in June 2021, with a new set of Standard Contractual Clauses under Commission Implementing Decision 2021/914, following the Schrems II decision, where the Court of Justice of the European Union recognised that the Old EU SCCs would require additional safeguards to remain a valid export mechanism under Article 46(1) GDPR. The Old EU SCCs were no longer valid in the EU from 27 December 2022. For more information see our article here.

In the UK, there was a need for new standard contractual clauses for the same reason, as the Schrems II decision which was handed down pre-Brexit, applies in the UK. However, the new EU SCCs were adopted post-Brexit, meaning that they cannot serve as a valid transfer mechanism under the UK GDPR.

To address this issue, a new set of clauses were introduced in the UK, in March 2022. For more information see our article here. In order to gradually phase out the Old EU SCCs, the ICO set out transitional provisions, whereby contracts based on the Old EU SCCs (as long as they were concluded on or before 21 September 2022 and the processing operations remained the same), would be valid until 21 March 2024.

Organisations who are still relying on the Old EU SCCs in the UK should consider the following steps, as the 21 March 2024 deadline approaches:

Re-assess the data transfer arrangement, as there may not be a need to replace it. For example, the data processing operations may have ceased, or the third country to which the personal data is being transferred to may have been recognised as adequate by the Secretary of State. The most obvious instance to consider is the UK Extension to the EU-US Data Privacy Framework; certain data transfers to the US are permitted under the UK Extension, depending on the scope of the personal data and the US organisations’ certification status.
In cases where a transfer mechanism remains necessary:
- An alternative transfer mechanism to the Old EU SCCs should be considered. For example, the ICO’s international data transfer agreement or addendum may be able to replace the Old EU SCCs.
- A transfer risk assessment should also be undertaken, if this has not already been carried out, or a previous version of this is outdated.

If you have any questions or need assistance with updating your SCCs please do get in touch with your usual LS contact.