The European Commission (“EC”) has adopted a long-awaited new set of standard contractual clauses (“SCCs”) for the transfer of personal data to parties in third countries outside the European Union (“EU”) and European Economic Area (“EEA”) that have not been found by the EU to have “adequate” data protection laws.
Under the EU’s General Data Protection Regulation (“GDPR”), companies are prohibited from transferring personal data out of the EU to a third country, unless certain safeguard mechanisms are in place. SCCs are one such mechanism commonly used to facilitate the transfer of personal data out of the EU. In July 2020, another commonly used mechanism, the EU-U.S. Privacy Shield, was invalidated by the Court of Justice of the European Union (“CJEU”) in its “Schrems II” decision (previously discussed here). In the same decision, the CJEU cast doubt on the version of SCCs in place at the time, suggesting that, on a case-by-case basis, “supplementary measures” may be required.
The prior SCCs were adopted before the GDPR took effect in 2018. The new set of SCCs is intended to update the prior version and address the shortcomings about which the CJEU expressed concern in Schrems II.
Some of the Key Changes
- The new SCCs adopt a “modular” approach with variations for different transfer scenarios, including controller-to-controller transfers, controller-to-processor transfers, processor-to-processor transfers, and processor-to-controller transfers.
- The new SCCs recognize that a party outside the EU/EEA, but directly subject to GDPR pursuant to the extraterritoriality provision in GDPR Article 3(2), can be a data exporter under the new SCCs.
- The new SCCs are drafted such that (i) the agreement can be multipartite (i.e., more than two parties can agree to the clauses), and (ii) new parties can be added over time via a “docking clause.” This change will make it easier to implement SCCs for large, complex data transfers.
- The processor modules in the new SCCs incorporate the processor contractual requirements in GDPR Article 28, as well as a new Annex to identify any subprocessors. As a result, a separate GDPR data protection agreement will not necessarily be required (although parties may still find one useful to impose additional safeguards).
- In response to Schrems II, the new SCCs contain enhanced requirements for the parties to assess the law in the third country where the personal data would be transferred. The new SCCs include a warranty that the parties have “no reason to believe” that local laws and practices in the importer’s country will prevent the importer from fulfilling its obligations under the SCCs. Under the old SCCs, this warranty was given by the data importer alone. In giving this warranty under the new SCCs, the parties must take into account certain factors (i.e., conduct a transfer impact assessment). Such assessment must consider the “specific circumstances of the transfer,” the “laws and practices of the third country of destination,” and “any relevant contractual, technical or organizational safeguards put in place.” Notably, the assessment may consider the parties’ “relevant and documented practical experience” with public authority requests to access personal data.
- The new SCCs also include detailed requirements governing the steps that a data importer must take in the event that it receives a request from a government authority for access to personal data transferred using the new SCCs. These changes also are intended to address concerns raised by the Schrems II decision.
- While there are variations depending on which module is to be used, the new SCCs include enhanced transparency requirements, data subject rights provisions, and onward transfer restrictions. The new SCCs also require data importers to “apply specific restrictions and/or additional safeguards” when the transfer involves sensitive categories of personal data.
- The new SCCs require data importers, and both parties during transmission, to adhere to higher data security standards. The data security annex to the SCCs requires a statement of the technical and organizational measures that the data importer will use to safeguard the transferred personal data; this statement may need to be more detailed than what some data importers currently provide under the old SCCs.
- The new SCCs provide additional flexibility regarding the selection of the law governing the SCCs and include additional specificity regarding the role of the EU supervisory authorities, including requirements that the parties document their compliance and agree to make this information available to the relevant supervisory authority upon request.
- The new SCCs, like the old SCCs, require that data subjects be made third-party beneficiaries of specified provisions. The new SCCs emphasize third-party beneficiary rights by requiring that they must be enforceable under the law governing the contract.
Adoption of the new SCCs will require organizations relying on SCCs to incorporate the new SCCs into their contracting process for new processing activities and also revise existing agreements that utilize the old SCCs. This could be a substantial undertaking for many organizations.
For new data transfer agreements entered into on or before September 27, 2021, organizations can continue to use the old SCCs (recognizing that these will eventually need to be replaced with the new SCCs; see the next paragraph). This three-month grace period will give organizations time to review the new SCCs and come into compliance with them. The new SCCs can be used before that date if the parties prefer.
For existing data transfer agreements, organizations must replace the old SCCs with the new SCCs by December 27, 2022. At the end of this 18-month grace period, organizations will need to have updated their contracts to reflect the new SCCs (recognizing that Schrems II may require additional measures in the interim). Also, if the processing operations that are the subject of the contract change during this grace period, the new SCCs must be used from that point forward.
In the meantime, the EU and the U.S. have stated they are “intensifying” negotiations on an enhanced EU-U.S. Privacy Shield framework.