After much anticipation, the European Commission has published new Standard Contractual Clauses (SCCs). Under the General Data Protection Regulation (GDPR), when personal data of individuals in the European Economic Area (EEA) is transferred or made accessible from one entity (the “exporter”) to another entity (the “importer”), and when that importer is outside of the EEA in a country that has not been deemed to have adequate data protection laws, SCCs provide a legal basis for that transfer under GDPR Art. 46. We will examine why the SCCs were updated, how they changed, and what organizations need to do to comply with GDPR using the new SCCs.
Why were new SCCs issued?
There are multiple reasons why new SCCs were necessary. First, the current SCCs were written after the European Data Protection Directive was incorporated in 1998 but before the GDPR replaced it in 2018. This means they were not up to date with the governing law in the EEA. Second, cross-border data processing and transfers have become increasingly complex since the SCCs were originally drafted; the increase in volume, velocity, and variety of data transfers was not anticipated by the original SCCs. Finally, and arguably most significantly, the recent EU court decision in the Schrems II matter necessitated updated SCCs to account for concerns surrounding access requests by public authorities. The Schrems II decision highlighted the need for supplemental security measures and additional assessments for cross-border data transfers.
When do they come into effect?
The new SCCs become effective 20 days after they were published in the Official Journal of the EU. This publication was done on June 7th, 2021, meaning they will be entered into force beginning on June 27th, 2021. The old SCCs will not be repealed for another three months following this effective date. This means that, during the three-month window, new agreements may still technically leverage the old SCCs. Once the old SCCs are repealed, the Commission will grant an additional 15-month grace period where the old SCCs are acceptable for existing contracts, but all new agreements must leverage the new SCCs. By the end of the 18-month period, all new and existing contracts will require the new SCCs. Below is an example timeline based on the currently proposed timelines.
- 7 Jun 21: new SCCs published in the Official Journal of the EU
- 27 Jun 21: new SCCs enter into force (old or new SCCs may be used for new agreements during the following three months)
- 27 Sep 21: old SCCs repealed; all new agreements must use the new SCCs (15-month grace period begins for existing contracts)
- 27 Dec 2022: end of the 18-month period; all new and existing contracts require the new SCCs
Did the SCCs change significantly?
In a word, yes. Putting aside the notable net-new clauses, most of the existing text was largely unchanged apart from some quality enhancements. The form, however, looks very different. The prior SCCs were designed as entirely separate agreements for each transfer scenario (e.g., Controller-Processor and Controller-Controller), which largely repeated most clauses with some variation. The new SCCs take a “modular” approach: they are written as one agreement in which certain subsections offer a choose-your-own-adventure set of optional text, selected according to the following four scenarios across the relevant clauses:
The old SCCs required the data exporter to be established in the EEA. If the data exporter was not based in one of the EEA countries, SCCs were not available as a valid data transfer mechanism. This issue has been resolved in the new SCCs, which can be used for transferring personal data from a data exporter not based in the EEA to a data importer also not based in the EEA, such as from a processor to a sub-processor. The new SCCs also allow more than two parties to contract and adhere to the standard contractual clauses, and they allow additional controllers and processors to be added to the SCCs as data exporters or importers throughout the lifecycle of the contract using the optional “Docking clause”.
How do the new SCCs address Schrems II and national security surveillance?
The concern that requests under the US Foreign Intelligence Surveillance Act (FISA) might result in the forced collection of personal data of Europeans led the Court of Justice of the European Union (CJEU) to invalidate the U.S. Privacy Shield mechanism for transferring personal data of European residents to the U.S. The case was referred to the CJEU by the Irish High Court, which was investigating Max Schrems's challenge to Facebook Inc. on the validity of transferring his personal data from Ireland to the United States using Standard Contractual Clauses. Following the Schrems II decision, the European Data Protection Board (EDPB) issued remedial (though not silver-bullet) guidance on conducting Transfer Impact Assessments (TIAs), which included an evaluation of the likelihood of personal data requests from public authorities under laws such as FISA and the implementation of supplemental security measures. The new SCCs codify much of the guidance on TIAs in Section III – Clause 14, such as documenting the circumstances of the transfer, the governing laws in the importing country, the likelihood of the data being subject to such requests, and the supplemental security measures implemented to protect against unwanted disclosure. The footnote to this clause indicates that documentation of “experience with prior instances of request for disclosure from public authorities, or the absence of such requests” may be considered in such an assessment (emphasis by author). In practice, if an organization can document that it never or rarely receives these requests, it may categorize the assessment as low risk.
Clause 15 goes on to provide additional direction for such access requests by public authorities. Where possible, importers must notify the exporter when such a request is received, including the legal basis under which the data is being requested. When this information is provided by a sub-processor to a processor, the processor has an obligation to inform the controller. Further, importers must agree to challenge any such request from a public authority and to use any available appeals process. Also of note, when complying with such a request, the importer must demonstrate that data minimization was applied so that only the minimum amount of personal data required to satisfy the request is provided. Records of such requests must be maintained, and reports on them may need to be provided to the controller.
What are some of the other notable obligations in the SCCs?
TIAs and the requirements surrounding requests from public authorities are some of the most significant obligations for data transferors under the new SCCs. Beyond that, it is notable that Data Subjects themselves are considered third-party beneficiaries of the SCCs and must be provided with a copy of the appendix upon request. This copy may be redacted, but the reason for such redactions must be provided. If the importer believes for any reason that it can no longer comply with the SCCs, it is obligated to inform the controller.
What should organizations do next?
If organizations have not already started to inventory and assess their data transfers and related third-party agreements, they should begin doing so immediately. TIAs should be conducted and agreements prioritized for remediation. Such efforts are likely to expose third parties that require SCCs but do not currently have them in place, and these gaps should be remediated first. The grace periods offered for existing SCCs will give data transferors some sense of comfort, but given the challenge of getting the various entities in a processing ecosystem to agree on their roles within the timelines, incorporating the new SCCs should be done sooner rather than later. Once this lookback remediation is completed, it is important to establish go-forward processes to proactively identify where SCCs and Impact Assessments are required.