“Data, data, everywhere,
And all the boards (of directors) did shrink;
Data, data, everywhere,
So much to stop and think.”
A modern take from (some may say abuse of) Samuel Taylor Coleridge’s ‘The Rime of the Ancient Mariner’, but the image of data being all around us is a pertinent one. However, unlike the Ancient Mariner who could not drink the sea water, there is much that can be done, and should be done, with data.
Many technology clusters rely on the sharing of knowledge and expertise, the transfer of technology and collaboration on joint projects as a means of accessing and developing innovative ideas. Data is an important part of what is shared, particularly where that data is personal data. When that personal data is shared between companies in international clusters, things start to get really interesting (for us as data privacy lawyers, anyway!).
The European Commission has recently introduced new ‘standard contractual clauses’ or SCCs for the transfer of personal data from a ‘data exporter’ in the EEA (the European Economic Area) to a ‘data importer’ in a non-EEA country. These clauses can be used to provide appropriate safeguards for the data if the non-EEA country in question is not the subject of an ‘adequacy decision’ by the European Commission. To date the Commission has recognised that thirteen countries outside of the EEA ensure an adequate level of data protection… and that now includes the UK after adequacy decisions were adopted last month.
But hang on a minute, as we have now left the EU why should we be interested in these new SCCs from the European Commission? Well, here’s why:
- if you have an ‘establishment’ in the EEA which processes personal data in the context of its activities, any transfer of that data outside of the EEA (other than to the UK or another country for which there has been an adequacy decision) would have to use EU-approved SCCs. That could, for example, be a subsidiary, a branch or an EU sales office; and
- the new SCCs approved by the European Commission are generally regarded as an improvement on the previous set of clauses (they are not perfect though, but that’s for another day) and have been updated to take account of our current data environment and, in the words of the European Commission, to “address the realities faced by modern business”. The Information Commissioner’s Office in the UK (the ICO) is looking at producing something similar for data exporters in the UK and intends to publish these later this year after a period of consultation.
So just to be clear, if you are a controller in the UK wanting to transfer personal data to the United States (as an example), you cannot use the new SCC’s from the European Commission. The previous EU GDPR standard contractual clauses remain valid for use post-Brexit although the ICO permits changes to these so that they make sense in the context of the UK GDPR. Helpfully in this respect the ICO has issued template standard contractual clauses which contains those permitted changes.
Technology clusters have benefited, and will continue to benefit, from the competitive advantages that flow from being an active member of the cluster. But it is not a ‘free-flow’ of data and information – there are laws that must be adhered to, particularly in relation to personal data when that data is to be transferred overseas. The fines that can be imposed, and the compensation that can be payable, as a result of non-compliance are not inconsiderable and are certainly enough to encourage companies to focus on ‘doing it right’.
Those who have read Mr Coleridge’s eighteenth century rime (or even those who have heard Iron Maiden’s rendition) will know that the Ancient Mariner shot the Albatross who followed his ship. Initially the bird was thought to be good luck but then he blamed the bird for the loss of a good wind and safe passage.
Don’t let the standard contractual clauses be like the Albatross – they might not bring good luck but you don’t want them to be hung around your neck as a burden or a curse!