[co-authors: Meriem Sefta, PhD*, Antony Vitanov, Jade Levin]
The European Commission has issued new Standard Contractual Clauses designed to facilitate international transfers of personal data in compliance with the GDPR. The new provisions better reflect the variety of global data flows that life sciences and healthcare businesses are commonly involved in. However, they do little to alleviate the regulatory burden arising from last year’s Schrems II decision, and they create potential challenges for companies outside the EEA with activities in scope of the GDPR. There is an 18-month period for organizations to transition to the new clauses.
On June 4, 2021, the European Commission (EC) adopted new Standard Contractual Clauses (SCCs) for the transfer of personal data from the European Economic Area (EEA) to third countries whose privacy regimes are not deemed “adequate” by the EC.
The new SCCs were adopted following consultation and feedback on draft versions (see our previous OnPoint) and in the wake of last year’s decision by the Court of Justice of the European Union (CJEU) in Schrems II invalidating the EU – U.S. Privacy Shield for personal data transfers from the EEA to the U.S. The CJEU decision also called into question the practice of relying solely on the then-current SCCs for transfers of personal data from the EEA to the U.S. and to other third countries without an adequacy decision.
The new SCCs remain non-negotiable, except for the addition of commercial terms that do not conflict with the SCC provisions, and consist of four “modules” to be selected according to the data transfer use case and the exporter’s and importer’s GDPR roles: Module 1 (controller to controller), Module 2 (controller to processor), Module 3 (processor to processor, i.e. processor to sub-processor) and Module 4 (processor to controller).
The old SCCs only covered Controller to Controller and Controller to Processor scenarios. The addition of Processor to Sub-Processor and Processor to Controller terms significantly expands the availability of SCCs. This is a welcome development for the many service providers in the life sciences sector that act as data processors, and much needed in a global data ecosystem that is becoming increasingly complex.
In addition, the new SCCs specifically cater to non-EEA data exporters subject to the GDPR – a use case that has been sorely lacking. The GDPR not only restricts transfers of data out of the EEA but also ‘onward’ transfers and transfers by non-EEA businesses whose activities are within scope of the GDPR. The old SCCs did not cater to restricted transfers of data already outside the EEA.
While the modular format enables the SCCs to be applied in a greater variety of transfer scenarios, the EC has only approved the new SCCs for transfers of personal data where the importer’s use of the data will not be subject to the GDPR. (See, for example, Recital 7 and Article 1 of the Implementing Decision).
This raises the question of what safeguards must be put in place where the data importer will itself be processing the data subject to the GDPR (for example, where the data importer’s activities are closely linked to those of an EEA establishment, or relate to offering goods or services to individuals in the EEA), given that such a transfer would still appear to be subject to the GDPR’s international data transfer restrictions. Even though the SCCs are not designed for these transfers, some may take the position that implementing them is nonetheless a reasonable way to protect the data (albeit without the certainty that comes with EC approval). Others may take the view that more limited safeguards are sufficient where the processing outside the EEA will itself be subject to the GDPR (a view supported by the UK regulator’s guidance).
As the SCCs do not provide a pre-approved solution for transfers to data importers subject to the GDPR, the steps required to legitimize these transfers are likely to be more fact-dependent and uncertain, at least until the European Data Protection Board (EDPB) issues guidance on the topic.
Apart from the restrictions on data transfers, Article 28 of the GDPR requires specific provisions to be put in place between data controllers and data processors. The EC has stated that the new SCCs also satisfy the Article 28 requirements. However, the provisions in the SCCs do not seem as extensive as the EDPB has suggested such terms need to be. Companies may therefore find that different supervisory authorities apply different standards for Article 28 compliance (one indicator would be whether a supervisory authority has adopted its own Article 28 standard clauses). The new SCCs offer the benefit of streamlining the contracting process by eliminating the need for a separate data processing agreement, but processors may find that they are less able to include processor-favorable terms.
One of the more significant updates is that the new SCCs include provisions aimed at addressing the concerns of the CJEU in Schrems II. They appear to reflect a concerted effort by the EC to ensure the clauses withstand the kind of challenge that was fatal to the Privacy Shield and that has jeopardized the use of SCCs for transfers from the EEA to the U.S. Hence the inclusion of obligations to assess the risk of access to personal data by foreign law enforcement or intelligence agencies that is disproportionate and offers no recourse to data subjects. The new SCCs require the parties to assess the laws and practices of the destination country in light of the specific transfer, to document that assessment and make it available to the competent supervisory authority on request, and to implement supplementary technical, organizational and administrative safeguards where the assessment shows they are needed; the importer must also notify the exporter (and, where possible, the data subject) of any legally binding request for disclosure by a public authority and challenge such requests where there are grounds to do so. For patient data this will likely involve pseudonymisation of the data where it cannot be fully anonymised; note that the EDPB’s guidance treats pseudonymisation as an effective supplementary measure only where the additional information needed to re-identify individuals is held exclusively by the exporter in the EEA and is not available to the importer. Note, too, that the new SCCs do not absolve businesses of the need to undertake their own Schrems II assessments (see our OnPoint for further guidance).
The UK ICO has indicated that the new SCCs are not valid for transfers subject to the UK GDPR. Instead, the old SCCs remain the appropriate form for transfers by exporters subject to the UK GDPR. The UK ICO is set to consult this summer on new ‘UK’ SCCs. It will be interesting to see whether the new UK SCCs are influenced by and adhere to the EC’s approach, or whether the new UK SCCs will mark a divergence between the UK GDPR and EU GDPR.
While companies subject to the UK GDPR can continue to use the current SCCs in the meantime, it seems likely that contracts involving transfers subject to the EU and UK GDPR (not to mention other jurisdictions with exporting restrictions such as Switzerland and Israel), will become even lengthier and more complex in future, in order to account for different sets of SCCs. The EC has acknowledged this and said that it will strive for greater international cooperation.
The new SCCs enter into force on June 27, 2021. The old SCC decisions are repealed with effect from September 27, 2021, but companies can continue to conclude contracts on the basis of the old SCCs until that date. After this, contracts concluded on the old SCCs remain valid for a further 15 months (until December 27, 2022), provided the processing operations that are the subject matter of the contract remain unchanged; a change to the processing (for example, a new purpose or a new category of data) will require the new SCCs to be put in place for that contract. This transition period is longer than the one in the EC’s original draft of the SCCs, an extension that a number of life sciences organisations requested in the public consultation. It provides some additional breathing room for businesses with contracts that incorporate the old SCCs.
Given the transitional period, there is no need for all companies to rush to amend all of their contracts containing the old SCCs (particularly ones with touchpoints with both the EU and UK GDPR, given the new UK SCCs due from the UK ICO). That said, companies will want to allow ample time to prepare for the potential business impacts brought about by the new SCCs. Businesses can start by auditing existing contractual arrangements and identifying any changes that will be necessary, including updating contracts that extend beyond the transition period, such as multi-year research collaboration agreements. In addition, exporters in processor roles or non-EEA exporters who have been using the old SCCs (notwithstanding that they technically did not apply in such scenarios) may wish to be more proactive in putting new documentation in place now that the SCCs are likely to be more fit-for-purpose. Alongside their contractual audits, companies should also undertake their broader Schrems II assessments, including transfer risk assessments, to the extent not already carried out.
*Chief Data & Clinical Solutions Officer Owkin