From 27 June 2021, organisations will be able to use the European Commission's long-awaited new Standard Contractual Clauses (SCCs), also known as model clauses, for data transfers from the European Economic Area (EEA) to recipients in third countries. Issued on 4 June 2021, they replace the existing, or old, SCCs, which have been the most commonly used mechanism to provide for adequate safeguards when exporting personal data from the EEA.
The new SCCs give more certainty over personal data transfers outside the EEA, but come at the cost of increased checks and compliance obligations for both data exporters and data importers. Coupled with the extra compliance burdens that flow from the Schrems II decision of July 2020, using new SCCs is no longer as straightforward an option as the old SCCs.
How soon can or should we use new SCCs?
Three situations must be distinguished:
- The use of new SCCs: The new SCCs can be used as of 27 June 2021.
- The continued use of old SCCs: Companies can continue to use the old SCCs in their new contracts until 27 September 2021.
- The replacement of old SCCs: Organisations have a transitional period of 18 months ending on 27 December 2022 to replace all contracts containing the old SCCs with the new SCCs. Companies can only continue to rely on the old SCCs (until at the latest 27 December 2022), provided that the processing operations that are the subject matter of the contract remain unchanged. Otherwise, a switch-over is necessary when this change occurs.
Why are new SCCs required?
Under Article 46(5) of the EU's General Data Protection Regulation (GDPR), the old SCCs remained in force in the interim to allow for a smooth transition from the regime under the Data Protection Directive 95/46/EC to the GDPR. Yet, it was clear from the beginning that they were obviously in need of updating in the light of new requirements under the GDPR.
In addition, the explosive growth of the digital economy has brought about new and more complex processing scenarios, often involving multiple data importers and exporters, and long and complex processing chains. The new SCCs have reflected these realities, by covering additional processing and transfer situations (such as processor-processor and processor to controller) and allowing a more flexible approach (such as enabling multiple parties to join the SCC contract throughout its term).
Finally, the new SCCs reflect the Schrems II ruling (mainly by including a basic set of additional obligations of both parties to ensure compliance with the clauses in case of a potential clash with local law requirements). They allow organisations to take a risk-based approach when assessing the local law of the destination country and to consider the specific circumstances of the particular transfer as well as the “likelihood” that public authorities would in fact ever want to access the exported personal data. This strikes a balance between the more conservative requirements of Schrems II and the practical reality.
When to use the new SCCs?
There is a very important – and already controversial – new aspect in relation to the applicability of the new SCCs: they cannot be used for transfers where the importer is directly subject to the GDPR. While this makes absolute sense and must be understood as a meaningful step to cater for the extraterritorial effect of the GDPR also in the application of Chapter V, in practice the application of the GDPR to non-EEA controllers and processors is often unclear. This is because in many cases it is very difficult to determine with legal certainty whether processing occurs “in the context of the activities” of an establishment in the EEA.
As a consequence, there will be considerable uncertainty as to when the new SCCs will actually be required, particularly for intra-group data transfers but also in other transfer scenarios. In-depth assessments on the applicability of the GDPR to third-country data recipients must in future be part of determining the appropriate (contractual) data transfer regime.
What are the important changes and consequences for businesses?
The new SCCs are able to cover more types of transfers than the old SCCs, which only provided for controller-to-controller and controller-to-processor transfers. The new SCCs take a modular approach, which covers four different types of transfers:
- Controller to controller
- Controller to processor
- Processor to (Sub-)processor
- Processor to controller
For the established transfer scenarios covered by modules 1 and 2, the content of the material safeguards is largely in line with the old SCCs.
However, there is a major update to the controller-to-processor clauses (module 2), which now include all provisions that must be found in data processing agreements according to Article 28(3) GDPR. This means that the supplemental provisions previously required to be used alongside the old SCCs will no longer be needed. The processor-to-processor clauses (module 3) are largely identical to the controller-processor clauses but with the wording adapted to the sub-processor scenario.
In modules 2 and 3 (controller to processor, and processor to (sub-)processor), a clause is provided to fulfil the requirement of Article 28(2)(1) GDPR which requires that the data transfer contract must include either a specific or a general authorization for the use of sub-processors (unless use of sub-processors is prohibited).
Module 4 is entirely new. Until now, transfers covered by module 4 were not subject to SCCs. In practice, only data processing agreements in terms of Article 28(3) GDPR had been concluded in this respect. It is important to note that module 4 contains different sets of obligations depending on whether the processor in the EEA only processes data it received from the controller or whether it combines these with data it collected in the EEA.
The new SCCs require the parties to populate the annexes with more granular operational details of the data processing than is currently common practice, stating that the information provided should be "specific and not generic".
The new SCCs offer other enhanced flexibility compared to the old SCCs. For example, they reflect current widespread practice by offering the option for additional new parties to join into the new SCCs by using a "docking" clause. In addition, they explicitly allow the parties to add additional safeguards or other provisions, provided that they do not contradict the new SCCs or prejudice the fundamental rights or freedoms of data subjects.
Importers' obligations for security of processing
The new SCCs oblige the importer to regularly check that the technical and organisational measures set out in Annex II provide an appropriate level of security. In addition, the explanatory note at Annex II states that the technical and organisational measures must be described in “specific (and not generic) terms” and it must be clear “which measures apply to each transfer/set of transfers”, which may prove onerous for importers, especially processors.
It is noteworthy that under the new SCCs this obligation also applies to controller importers, which was not the case under the old SCCs.
Third-party beneficiary rights
Data subjects can enforce the majority of the provisions of the new SCCs as third party beneficiaries. Although the new SCCs have a longer list of clauses that data subjects cannot invoke against the parties to the SCCs, in practice they simply exclude all the provisions that apply specifically between the importer and exporter (or to interactions with data protection authorities).
Previously, if data subjects wished to bring a claim for noncompliance with the old SCCs, they first had to bring the claim against the exporter, or (if that was not possible) against the importer or (if not possible) against a sub-processor (if there is one). This was potentially cumbersome, and the new SCCs can be enforced against the data exporter and/or data importer, as the data subject wishes.
The law governing the new SCCs must be that of an EEA country (unless it is a processor to controller transfer) and it must be one that allows for third-party beneficiary rights. A data subject who invokes its rights as a third-party beneficiary may, in the event of a dispute with the data importer, lodge a complaint with the competent supervisory authority or refer the dispute to a competent court in the EEA.
Safeguards in relation to disclosure of data to public authorities
Importantly, the new SCCs reflect the Schrems II ruling. While (just like the old SCCs) they make it an obligation of all parties to warrant that they have no reason to believe that the laws in the destination country would require the disclosure of personal data to the authorities (preventing the data importer from fulfilling its obligations under the Clauses), it is now explicitly allowed in this assessment to take into account the specifics of the data transferred (including the types of recipients and any onward transfers) and the practices of the destination country.
The recitals to the Commission decision implementing new SCCs and an explanatory footnote to the new SCCs suggest in this regard that the existence of local law provisions that do not in themselves require a disclosure, but merely allow the authorities to request personal data (such as section 702 of the USA's Foreign Intelligence Surveillance Act) would not in themselves generally make data transfers to the recipient country unlawful. This is because unless and until disclosure of transferred data is actually requested on the basis of this local law provision, the data importer is in fact able to comply with the new SCCs.
This approach is good news for all businesses engaged in international data transfers. Nonetheless, it requires an in-depth check on each transfer. First of all, the parties must gather information on and evaluate a number of factors such as relevant practical experience with prior instances of requests for disclosure from public authorities and publicly available information on the existence or absence of requests as well as case law and reports by independent oversight bodies, etc. Secondly, and no less important, the respective risk assessment must be documented and provided to the supervisory authority upon request. Thirdly, this assessment is an ongoing obligation on the data importer, who must inform the data exporter of any legal developments that mean that the transferred data is no longer subject to appropriate safeguards. They then must either identify further safeguards to protect the data or stop the transfer.
If the data importer receives a request to disclose personal data to the authorities, then it must notify the data exporter and challenge the request if there are reasonable grounds for the request to be unlawful.
Although elements of these obligations were included in the old SCCs, they have been made considerably stronger in the new SCCs to deal with the implications of the Schrems II ruling.
Transfers from the UK
The new SCCs are not yet recognised in the UK. The UK Information Commissioner's Office (ICO) is working on bespoke UK standard contractual clauses for international personal-data transfers, which it intends will go out for consultation this summer. It is also considering whether to recognise the new SCCs as a valid transfer mechanism under the UK GDPR, rather than just the old SCCs. Until the ICO makes this decision – and even afterwards – businesses may have to consider doubling up, using the old SCCs for transfers out of the UK and the new SCCs for transfers out of the EEA.
What to do next?
There are many aspects of the new SCCs for businesses to consider. The flexibilities and complexities that they bring need to be viewed within the matrix of other recent developments impacting cross-border data transfers, including: the Court of Justice of the EU’s case law on the extraterritorial application of the GDPR; the adoption of new data-protection laws in third countries such as in India, Brazil, China and Australia; Brexit and the ICO's decision on new UK SCCs, coupled with the Schrems II judgement; and – last but not least – the current activities of Member State Supervisory Authorities to investigate and enforce data transfer compliance.
For businesses with significant cross-border flows of personal data, new SCCs should act as a prompt to thoroughly reconsider and refresh their overall approach to compliantly managing cross-border data transfers. The following should be among their top-priority activities:
- Determine situations in which new SCCs will be required.
- Plan switch from old SCCs to new SCCs for new data transfers.
- Plan replacement of agreements incorporating the old SCCs.
- Plan conclusion of new SCCs for new transfer scenarios.
- Establish a process for the required data transfer risk assessment (define criteria, develop evaluation).
- Develop template or tool for the risk assessment.
- Start dialogue and alignment with contract party (exporter or importer).
- Prepare internal stakeholders and decide how to implement the (extended) obligations under new SCCs.
- Engage with IT Security to define requirements / solutions for technical and organizational measures applying to the transfers.
- Adapt and align other affected agreements, e.g. data processing agreements.