Following the Schrems II decision last year, there have been many questions about the status of international data transfers between the European Union and United States. The European Commission (the Commission) has now adopted a new set of Standard Contractual Clauses (SCCs) for international data transfers (the New SCCs), effective 25 June 2021. The New SCCs take into account some of the requirements under Schrems II and confirm how to carry out an assessment of a third country’s legal framework.
The New SCCs are more closely aligned with the requirements of the EU General Data Protection Regulation (GDPR) and more onerous in terms of scope and the number of obligations. As the Old SCCs will be repealed on 24 September 2021 and all ongoing transfers will need to be updated to the New SCCs within the next 18 months, businesses need to consider how the changes apply to their data transfer scenarios and prepare to update their transfer arrangements.
The SCCs represent the most common safeguard for securing third-country transfers in order to be permissible under the GDPR and are widely used by hundreds of thousands of organisations. As the existing standard contractual clauses (the Old SCCs) were issued based on the European Data Protection Directive, they did not fully comply with the provisions of the GDPR. The Commission has now adopted and published final versions of two sets of SCCs:
- One set for the transfer of personal data from the EEA to third countries under Articles 28(7) and 46(2)(c) GDPR
- One set for use between controllers and processors under Article 28 GDPR
The clauses largely follow the draft version published by the Commission in November 2020, with a few significant updates.
In summary, the New SCCs:
- update the transfer agreements in line with the GDPR;
- allow one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- allow more flexibility for complex processing chains, through a “modular approach” and by offering the possibility for more than two parties to join and use the clauses; and
- provide a practical toolbox to comply with the Schrems II judgment with an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible “supplementary measures,” such as encryption, that companies may take if necessary to protect the personal data.
The New SCCs become enforceable shortly, 20 days following their publication in the Official Journal of the European Union. After three months, on 24 September 2021, the Old SCCs will be repealed, although up until this point companies can continue to use the Old SCCs. By 24 December 2022, all Old SCCs must be converted to the New SCCs “provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards” or replaced with alternative safeguards such as binding corporate rules. Where organisations intend to utilise the New SCCs, they will have a total of 18 months to prepare the New SCCs and ensure that safeguards are in place to protect their data transfers.
NEW SCCS APPROACH
A significant change is the consolidated modular approach of the New SCCs. Whereas the Old SCCs previously only captured two transfer scenarios (controller to controller and controller to processor transfers), the New SCCs combine the general clauses with four modules:
- Controller to Controller
  - This addresses each of the data protection principles under Article 5 GDPR.
  - There is no specific reference to use of these SCCs by joint controllers.
- Controller to Processor
  - This module harmonises the requirements in the GDPR that require controllers to stipulate detailed Article 28 data processing provisions in contracts with processors.
- Processor to Processor
  - This module is aligned with the requirements in the GDPR that require controllers to stipulate detailed Article 28 data processing provisions.
- Processor to Controller
  - This applies to transfers between a processor based in the EEA and a controller outside of the EEA (in a third country).
- Third-party beneficiaries: the ability for data subjects to invoke and, where necessary, enforce certain provisions in the New SCCs as third-party beneficiaries has been retained from the draft SCCs.
- Docking clause: unlike the Old SCCs, the New SCCs include a concept for a third-party to accede to the New SCCs at any point in time. This is likely to prove particularly useful in intra-group transfers.
- Onward transfers: onward transfers of personal data by a data importer are only permitted in three specific scenarios:
  - a third party accedes to the New SCCs (by way of a docking clause);
  - in prescribed situations, such as where the data subject has provided explicit consent or where there are specific safeguards; and
  - the onward transfer is deemed adequate by the European Commission.
- Sub-processors: where a sub-processor is engaged by a data importer in a controller to processor or processor to processor scenario, the parties can, in line with Article 28 GDPR, either:
  - agree to a specific prior authorisation for each sub-processor; or
  - agree to a general written authorisation for the use of sub-processors.
- Liability: the indemnification clause in the earlier draft in the New SCCs has been replaced with a “contribution clause.” However, the liability provisions largely align with the GDPR, i.e., each party is liable to the other party for any damages it causes the other party by breaching the New SCCs. Companies should check that their existing contractual terms do not conflict with the liability provisions under the New SCCs.
Overall, the four modules allow the New SCCs to be incorporated into a broader commercial contract. The ability for more than two parties to join and use the clauses reflects the reality of complex data processing chains. Additional clauses can be added provided they do not contravene the New SCCs or undermine the rights of data subjects.
The New SCCs will not apply to transfers of personal data from the United Kingdom to a third country, as the decision does not form part of retained EU law for Brexit purposes. The UK Information Commissioner's Office (ICO) has announced that it is preparing to publish bespoke UK SCCs for international transfers.
Significantly, the New SCCs incorporate a number of Schrems II obligations in order to comply with the requirements of the European Data Protection Board and European Court of Justice on third-country transfers as outlined in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18).
- The New SCCs require the data exporter to use “reasonable efforts” to confirm that a data importer is able, through the implementation of technical and organisational measures, to satisfy its obligations under the clauses.
- Both parties warrant to conduct and document an assessment of whether the laws and practices in the data importer’s country would prevent them from fulfilling their obligations, taking into account the specific circumstances of the transfer. This was one of the key findings in Schrems II.
- Following this assessment, the data importer must notify the data exporter promptly if it believes it is (or will become) subject to laws that affect this assessment and additional safeguards are required. The data exporter must also notify the competent supervisory authority of the circumstances of the transfer and the new measures in place.
- On receipt of a government access request, the data importer must notify the data exporter promptly (and where possible, the data subject) and challenge such requests if it “concludes that there are reasonable grounds to consider that the request is unlawful.”
- For all four modules, the data importer must provide data subjects with a point of contact to whom they can submit requests and complaints.
It is important to note that the New SCCs are ultimately only one aspect of the Schrems II judgment. The implementation of supplementary safeguards will often be necessary despite full compliance with the New SCCs. Companies must clearly understand and assess, on a case-by-case basis, whether the transfers will provide adequate protections for the privacy rights of individuals whose personal data is transferred pursuant to the SCCs.
THE UNITED KINGDOM
The ICO has announced it will publish a UK set of SCCs this year. At this point, it is unclear whether the New SCCs will be adopted by the ICO for the time being and, therefore, applicable to UK-based controllers. It also remains to be seen whether the UK SCCs will be valid for data transfers from the United Kingdom that include EU GDPR-protected data to a third country, e.g. the United States.
Note that the UK’s adequacy bridge ends at the end of June and the final decision has not yet been published confirming that the United Kingdom remains an adequate jurisdiction for data transfers from the EEA.
Organisations will welcome the clarification on the changes to the SCCs and the extended transitional period of 18 months to replace the Old SCCs, which provides greater flexibility to update their internal and external contracts than the one-year deadline originally proposed. Organisations should make sure they audit their Old SCC data transfers and start to prepare to implement the New SCCs. They also need to complete risk assessments and implement any required safeguards to protect the data on transfer, notwithstanding the New SCCs themselves.
Notwithstanding this, the New SCCs impose substantive obligations on companies and the hard deadline of 24 December 2022 to replace all new transfers with the updated SCCs is likely to create a significant compliance burden for data exporters and importers alike.
Trainee solicitor Christina Lewes contributed to this LawFlash.