[co-author: Lukas Schrader, Summer Associate]
The European Commission recently published an updated version of the standard contractual clauses for the transfer of personal data to third countries ('SCCs'). Companies can use such SCCs to provide the appropriate safeguards required by Article 46 of the General Data Protection Regulation ('GDPR') for transfers to countries outside the European Economic Area ('EEA'). SCCs are the most commonly used option to guarantee these safeguards in case there is no valid adequacy decision from the European Commission regarding the relevant third country.
The GDPR imposes a general prohibition on cross-border transfers of personal data from an entity in the EEA to any recipient in a third country, or an international organization. There are several ways to overcome this general prohibition, but SCCs are the most common method. The SCCs are a form of template contract, designed to permit the transfer of personal data from a transferor in the EEA (a 'data exporter') to a transferee located outside the EEA (a 'data importer'). They work by imposing obligations on the data importer to treat the transferred personal data in accordance with certain principles derived from EU data protection law.
The previous versions of the SCCs were issued in 2001 and amended in 2004 (for controller to controller transfers), and 2010 (for controller to processor transfers). Considering the GDPR came into force in 2018 and the consequences of the Schrems II ruling by the European Court of Justice ('CJEU') in July 2020, it was time for an update. To start the process, the European Commission issued a draft set of new SCCs on 12 November 2020. The European Data Protection Supervisor and the European Data Protection Board were consulted and delivered a joint opinion on 14 January 2021, which outlined some areas for clarification and improvement to the draft SCCs. The Commission issued the final decision on 4 June 2021, which is quite similar to the original draft but adds smaller changes and an extended transition period.
The newly published SCCs resolve certain practical issues, align the wording closer to the provisions of the GDPR and introduce new obligations for data transfers to third countries. These are the new key features:
- Modular approach: The SCCs now combine general clauses that apply in all cases with a modular approach to match various transfer scenarios depending on the relationships between the parties. Data exporters and data importers can select the module applicable to their situation among four modules: In addition to the existing options for transfers from 'controller to controller' and 'controller to processor', there are now modules for transfers from 'processor to processor' and 'processor to controller'. This more flexible approach will allow the SCCs to provide a better fit for the versatile data processing relationships that exist in practice. In addition, a new docking clause makes it possible to add further parties to the SCCs after they have been executed. This will save time and resources in situations with complex structures and many parties involved, for example within corporate groups or multi-party collaborations.
- Safeguards against public authority access: The new SCCs take into account the implications of Schrems II. In that decision, the CJEU effectively invalidated the EU-U.S. Privacy Shield scheme. In the same decision, the CJEU accepted SCCs as a valid data transfer mechanism under Chapter V of the GDPR, but obliged the data exporter in each case to ensure that the appropriate safeguards are fulfilled in practice and the level of data protection of the GDPR is not undermined. To address these requirements, the new SCCs require that the laws and practices in the data importer’s jurisdiction are assessed before personal data are transferred. Under the new SCCs, the parties warrant that they have no reason to believe that the rules in the data importer’s jurisdiction (including any requirements to disclose personal data or measures authorizing access by public authorities) prevent the data importer from fulfilling its obligations under the SCCs. In addition, the data importer has to notify the data exporter promptly if it becomes aware of any direct access by public authorities to personal data, and is required to challenge data access requests by public authorities if there are reasonable grounds to do so. However, even the updated SCCs may not be able to guarantee an adequate level of data protection when it comes to transfers to certain countries. In such cases, companies cannot just rely on the SCCs but have to add supplementary technical, contractual, or organizational measures to protect the transferred personal data. In light of the fact that the European Data Protection Board’s guidelines on supplementary measures have yet to be finalized, there is significant uncertainty for businesses in assessing their compliance obligations in relation to cross-border data transfers.
- Use of processors: Finally, the new SCCs make it easier for businesses to use processors (and sub-processors) in scenarios involving cross-border data transfers. If a controller wants to use the services of a processor to handle personal data, it must fulfil the requirements of Article 28 of the GDPR. The old SCCs did not address all of the requirements of Article 28. As a result, the parties to the old SCCs had to either enter into a separate data processing agreement, or append the missing terms to the old SCCs. The new SCCs address Article 28 in full, and this will save companies extra steps. As a side note, the European Commission published an additional set of SCCs for the appointment of processors in accordance with Article 28.
The new SCCs were published in the Official Journal of the European Union on 7 June 2021, and will come into effect 20 days later on 27 June 2021. After that date, companies can use the old SCCs only for a further three months. Beginning 27 September 2021, the old SCCs can no longer be used to create new data transfer agreements. Existing agreements based on the old SCCs continue to be valid for another 18 months, provided that the underlying processing operations remain unchanged. This means companies have to replace any arrangements based on the old SCCs by 27 December 2022, at the latest. To ensure a stress-free Christmas 2022, companies are advised to implement the new SCCs as early as possible.