Ending months of anxious speculation from privacy lawyers around the globe, the European Commission announced on Friday that it had adopted final versions of the new Standard Contractual Clauses (the “New SCCs”) for the transfer of personal data to third countries (i.e., countries outside the EU and EEA that have not been deemed to provide an adequate level of protection for personal data) under GDPR.
As we explained back in January, the Commission’s original proposed draft of the New SCCs, first released in November 2020, provoked extensive public comment, and also a joint opinion from the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) outlining several areas for clarification and improvement.
On Monday, the Commission published its revised and final implementing decision in the Official Journal of the European Union, with an updated version of the New SCCs included as an Annex. That publication officially started the clock for organizations to transition from the “old” SCCs (i.e., the Controller-to-Controller Clauses adopted under Decision 2001/497/EC, as amended by Decision 2004/915/EC, and the Controller-to-Processor Clauses adopted under Decision 2010/87/EU) to the New SCCs.
Broadly speaking, the final version of the New SCCs reflects the approach set out in the original draft as summarized in our prior post, including a modular format that accommodates different categories of transfers, provisions meant to address the effect of local laws and the handling of government access requests, and some enhanced data subject rights.
As organizations digest and seek to understand the full range of implications the New SCCs will have for their international data transfers, we offer these five immediate practical takeaways to keep in mind in plotting a path forward.
The Commission’s implementing decision repeals its previous decisions adopting the old Controller-to-Controller and Controller-to-Processor SCCs, but not until September 27, 2021. Thus, the decision explains, for contracts concluded before that date, the old SCCs “shall be deemed to provide appropriate safeguards” under GDPR Article 46 for transfers of personal data from within the EU to third countries, until the final transition deadline (discussed below).
But starting on September 27, 2021, any new contracts that involve the transfer of personal data from the EU to a third country must use the New SCCs—the old SCCs will cease to provide a valid transfer mechanism for cross-border data transfers covered by contracts signed after that date.
The Commission’s implementing decision allows a roughly 18-month transition period (an increase from the 12 months in the original draft) for parties to continue to rely on the old SCCs as part of contracts signed before September 27, 2021, provided that the processing operations contemplated by those contracts remain unchanged.
To that end, the decision sets a deadline of December 27, 2022 for parties to update those contracts to replace the old SCCs with the New SCCs or another valid transfer mechanism. The decision also explains, however, that “in the event of relevant changes to the contract,” before that deadline, the data exporter “should be required to rely on a new ground for data transfers under the contract,” in particular by replacing the old SCCs with the New SCCs.
The implementing decision also states that, to rely on the old SCCs, they must ensure appropriate safeguards are in place. This caveat is a bit of a take-back, but it alludes to the obligation to implement supplemental measures, where necessary, in accordance with Schrems II.
As we explained in our post earlier this year, the Commission’s original draft of the New SCCs provided some welcome flexibility for parties to evaluate how local laws in the data importer’s country impact its ability to comply with the SCCs, as required under the European Court of Justice’s ruling in Schrems II. To that end, that draft allowed for the parties to consider not only objective factors, but also the practical likelihood that personal data would be subject to government access, based on factors that include “any relevant practice experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred.”
The EDPB and EDPS’s joint opinion rejected that idea, arguing that such “subjective factors” should not be considered. Instead, the regulators argued, “the assessment . . . should be based on objective factors, regardless of the likelihood of access to the personal data.”
The final version of the New SCCs adopts the approach from the original draft, albeit with some strict qualifications. For example, a footnote to the New SCCs provides that in making the required warranty that they have no reason to believe that the laws in the data importer’s country prevent the data importer from fulfilling its obligations, the parties may consider the “relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame.”
But the footnote places some important qualifications on the parties’ reliance on such “practical experience.” It explains that any practical experience “needs to be supported by other relevant, objective elements,” and must take into account “whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.”
The New SCCs will complicate (in some cases significantly) the ability of data importers to make onward transfers of personal data received under the New SCCs to third parties, whether located within the same country as the data importer or another third country. To that end, the data importer must, regardless of the module used, obtain the agreement of the third party to also be bound by the New SCCs, or else use one of several specified alternative means to ensure that the personal data receives an appropriate level of protection. The New SCCs also assume that the parties will include, as part of the Annexes, details about any onward transfers.
Those requirements will require parties to pay close attention to the entire chain of processing, including both the initial transfer of personal data from Europe and any subsequent sharing of the personal data by the data importer with processors or subprocessors.
As with the old SCCs, the New SCCs include a set of nonnegotiable clauses that make up the main body, and a set of appendices that the parties populate with information about each particular export arrangement. The New SCCs, however, require a level of detail and specificity that goes beyond what many parties will be used to under the old SCCs. For example:
Those requirements may, depending on the circumstances, make a “set it and forget it” approach to the Annexes, such as in a template data processing addendum, difficult to implement.
The open question: when the data importer falls within the scope of GDPR under Article 3(2), is there a transfer?
One notable issue that the New SCCs do not resolve is the scope of the term “transfer” under GDPR. As we previously mentioned, the original draft implementing decision stated that the New SCCs would be considered to provide appropriate safeguards “for the transfer of personal data from a controller or processor subject to [GDPR] to a controller or (sub-) processor not subject to [GDPR].” That language arguably implied that transfers to a controller or processor that is located outside the EU, but covered by GDPR under Article 3(2), are not “transfers” for which GDPR would require a transfer mechanism at all.
As noted in our previous post, the EDPB and EDPS did not like that implication, and asked in their Joint Opinion for the Commission to modify its approach and make clear that the implementing decision was not intended to limit the scope of what qualifies as a transfer subject to GDPR Chapter V. Seemingly in response to that request, the Commission’s final implementing decision provides that it is “without prejudice to the interpretation of the notion of international transfer” in the GDPR.
But Clause 1 of the New SCCs still provides that the New SCCs are meant to apply when a data importer’s processing “is not subject to [the GDPR].” Similarly, a recital in the implementing decision provides that the New SCCs “may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.” That language leaves open the possibility that when processing by an organization outside Europe is subject to GDPR, for instance under GDPR Article 3(2), then the New SCCs do not apply because they are unnecessary.
We will provide additional thoughts on this issue soon.