On June 7, 2021, the European Commission (Commission) published its long-awaited Implementing Decision adopting standard contractual clauses for the transfer of personal data to third countries, referred to as the new Standard Contractual Clauses (the "new SCCs"), which are designed to comply with the General Data Protection Regulation (GDPR) and take into account the Schrems II judgment of the Court of Justice of the European Union. This article addresses seven key things businesses need to know about the new SCCs and how they impact contracting and cross-border data transfer strategies going forward.
The Commission’s Implementing Decision took effect on June 27, 2021, twenty days after publication, and there are two important dates that follow. First, businesses must use the new SCCs for all new contracts—and new processing activities—entered into as of September 27, 2021 where the contract or processing activity involves the transfer of personal data out of the European Economic Area to any country that has not been deemed to provide an adequate level of data protection. For example:
Second, businesses must migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022. That gives businesses an 18-month runway to work on existing contracts. But this also has created an interesting incentive for businesses to speed up their current contract negotiations to conclude and sign by September 26, 2021, so they can rely on the old SCCs for the transfer at least for the next 18 months. Why would this be an attractive option? See the next section.
The new SCCs require data importers to confirm that they will only disclose personal data to a third party outside of the European Economic Area where (i) the third party has “agreed to be bound by these Clauses” or (ii) a specific derogation applies. In prior guidance, the European Data Protection Board (EDPB) has been clear that the derogations are not available for systematic transfers. As a result, where transfers will be systematic under a set of new SCCs, the importer will need to have ensured that any third parties involved in the processing, such as (sub)processors, have also signed the new SCCs. And with the September 27 deadline for using the new SCCs fast approaching, this means importers will want to have examined their supply chain and put in place the new SCCs to cover such onward transfers (or otherwise mapped the transfer to another derogation, as appropriate) prior to entering into the new SCCs with a data exporter.
Given this short timeline for executing the new SCCs downstream, some importers are rushing to conclude contracts using the old SCCs prior to September 27 because the old SCCs do not require that third parties agree to be bound by the new SCCs. This potentially buys more time for importers to sort out their supply chain issues, but for contracts that do not manage to close by this date, it could mean delays in closing contracts in the fourth quarter of 2021 while supply chain contracting is resolved.
The new SCCs include an optional clause—Clause 7, the so-called “docking clause”—which can be used to add additional parties to the SCCs, for example, when bringing new acquisitions on board to an intragroup agreement. Under the old SCCs, there was no express provision for onboarding or “docking” new parties to the mother ship agreement, yet most parties would typically include their own form of docking clause specifying when and how additional parties could execute and be bound by the clauses without needing to secure further signatures from the rest of the group.
The new SCCs address this issue expressly: “An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix [which describes the parties] and signing Annex I.A.” This is so simple in its construction—the drafters seem to contemplate a single signature page that can be easily updated and signed by the parties whenever a new party joins. The reality, however, is that complex organizations using the clauses with many parties very often sign in counterpart or by email, or by appointment of a signatory agent authorized to act on behalf of the group. For these reasons, if parties want to use the docking clause, they will be wise to add clarifying provisions to explain concretely the procedure for when and how new parties may be added. For example, these clarifying provisions can describe in what contexts the parties will “agree” to add new parties and what procedure will be used to express that agreement.
Given that the old SCCs were born out of the GDPR’s predecessor, they did not contain all of the requirements for data processing agreements set forth in Article 28. As a result, with the old SCCs, it was necessary for companies to enter into separate data processing agreements to add the additional requirements imposed by Article 28. The new SCCs, specifically Modules Two and Three, however, provide for the necessary requirements under Article 28 of the GDPR. Therefore, in the context of controller-to-processor and processor-to-processor data transfers, no additional data processing agreement is required. Although this additional agreement is not required, companies may still wish to articulate the parameters of certain Article 28 terms in a separate agreement. For example, while Modules Two and Three include a provision with respect to audit, companies may want to provide additional detail with respect to the audit process (e.g., audits will be at the controller’s sole cost, subject to a separate confidentiality agreement and to reasonable scheduling).
In its Implementing Decision, the European Commission recognized that the new SCCs may need to be accompanied by supplementary measures to ensure appropriate levels of protection for data transfers, which could include encryption in certain circumstances. Under the new SCCs, parties may introduce supplementary measures to the text so long as they do not contradict the baseline requirements of the new SCCs or reduce the rights of the data subjects. Further, the hierarchy provision in the new SCCs provides that the SCCs will prevail in the event of a conflict with any supplementary measures. On June 18, the EDPB issued Recommendations on measures that supplement transfer tools like the new SCCs in order to ensure compliance with the EU level of protection of personal data (Recommendations). Ultimately, companies will want to perform the transfer impact assessments in line with the EDPB’s Recommendations to determine whether any supplementary measures will be necessary.
As an alternative method to migrating to the new SCCs, companies may incorporate by reference the new SCCs in the existing contract, provided that they specify the modules that suit the relevant relationship (e.g., controller to processor). Indeed, companies could simply add a clause to the agreement stating that the parties agree to and incorporate in their entirety the new SCCs with the relevant modules such that the new SCCs do not have to be restated in their entirety in the document. However, companies should still ensure that the docking clause (optional), governing law and jurisdiction clause, and annexes are appropriately included or completed.
The new SCCs do not apply in the UK following Brexit, and the UK Information Commissioner’s Office (UK ICO) must therefore publish its own set of SCCs under the UK GDPR (the GDPR as incorporated into the law of the UK). In August, the UK ICO launched a consultation on a draft international data transfer agreement (IDTA). The IDTA, once finalized, is likely to replace the old SCCs. In the meantime, companies must decide whether to continue to use the old SCCs for data transfers out of the UK. If companies use the old SCCs, they will also need to include a fulsome data processing agreement that accounts for the Article 28 data processing terms, which adds length and complexity to an already tangled process. This seems the least risky approach, however, at least for now. One proposal put forward by the UK ICO involves leveraging an IDTA addendum (that amends the EU SCCs to work in the context of UK data transfers)–which would be a practical solution for companies transferring data out of the UK. Companies could consider using the IDTA addendum now, notwithstanding the fact that it is in draft form, if they are willing to risk the UK ICO shifting its approach away from the IDTA addendum following the consultation period.
It is critical that companies act to prepare to use the new SCCs by September 27, 2021, and to migrate existing arrangements by December 27, 2022.