The European Commission (EC) on June 4, 2021 adopted a new set of Standard Contractual Clauses for international data transfers (New SCCs). The New SCCs take into account the Court of Justice of the European Union’s (CJEU) decision in Schrems II, requirements under the EU General Data Protection Regulation (GDPR), and according to the EC “address the realities faced by modern business”. In particular, as it relates to companies ongoing Schrems II assessments the New SCCs provide details around the steps an importer should take when subject to a request for disclosure from a public authority, and helpfully confirm that in carrying out the assessment of a third country legal framework the factors which can be taken into consideration.
As compared to the existing SCCs (Old SCCs), the New SCCs are significantly more onerous in terms of the number and scope of obligations and in turn, they are considerably longer. However, their formulation (i.e., the multiple transfer scenarios addressed – including transfers from processors in the EU) greatly facilitates the “widespread use of new and more complex processing operations”. Unsurprisingly, the obligations under the New SCCs more closely align with the requirements of the GDPR than those under the Old SCCs (which were adopted under the former EU Data Protection Directive).
Set out below are some key points for companies to note when assessing and implementing the New SCCs. We have also identified certain key differences as compared to the Old SCCs:
- Transition Period: the New SCCs will enter into force twenty (20) days following their publication in the Official Journal of the EU and the Old SCCs will be repealed three months after that date. So effectively, companies entering into new contracts will need to start to use the New SCCs after the next 3 months while companies can continue to rely on Old SCCs in existing contracts concluded prior to the date of their repeal for fifteen (15) months following the date of their repeal (i.e., essentially a transition period of eighteen (18) months).
- Scope of the New SCCs: the New SCCs can only be used to legitimize transfers of personal data to a data importer (i.e., ex-EEA) whose processing of the personal data is not subject to the requirements of the GDPR. In other words, if the data importer outside the EEA is subject to the GDPR, because it processes personal data of individuals in the EEA in the provision of goods or services to those individuals or the monitoring of those individuals, the New SCCs are not appropriate.
- Modular Approach: whereas the Old SCCs addressed only two transfer scenarios (i.e., controller to controller, and controller to processor) the New SCCs combine general clauses with a modular approach that address the following four data transfer scenarios: (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller. Companies are required to select the applicable module(s) according to the particular transfer(s). The New SCCs can be incorporated into a broader commercial contract and additional clauses can be added provided these do not contradict the New SCCs or prejudice the rights of data subjects. However, despite the European Data Protection Board and the European Data Protection Supervisor asking in their Joint Opinion on the New SCCs (Joint Opinion) for clarity on the types of provisions which would contradict the New SCCs or undermine the rights of data subjects, the EC has not provided this.
- Module 1 (Controller to Controller): the Module addresses each of the data protection principles under Article 5 of the GDPR. For example, where complying with the transparency principle, the data importer is required (notwithstanding the data exporter’s transparency obligations under the GDPR and subject to certain limited exemptions) to inform the data subject (either directly or via the data exporter) of the categories of personal data processed, their right to request a copy of the New SCCs, and the purposes for and the recipients of, any onward transfers. Further, with regards to the security principle, the parties are required to agree and set out the security measures to be implemented in the New SCCs (examples are provided), and in the event of a personal data breach the data importer shall notify the data exporter and the competent supervisory authority of the breach without undue delay. However, despite the Joint Opinion asking for clarity as to how this Module applies to joint controllers, no relevant amendments were made by the EC.
- Module 2 (Controller to Processor) and Module 3 (Processor to Processor): the obligations in this Module largely align with the requirements in the GDPR that require controllers to include detailed Article 28 data processing provisions in contracts with processors.
- Module 4 (Processor to Controller): the Module applies to transfers between a processor in the EEA and its own controller outside of the EEA which is not subject to the GDPR. It does not address transfers from such processor to any other non-EEA controller. However, despite the Joint Opinion requesting that the Module be amended to incorporate the necessary Article 28 GDPR data processing provisions, the Module does not align with these requirements.
- Schrems II Provisions: The parties warrant that at the time of signing the New SCCs, they have no reason to believe that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the New SCCs. In giving this warranty the parties must take account, in particular, of: (i) the specific circumstances of the transfer (e.g., nature of data, purpose for processing); (ii) the laws / practices in the recipient third country – including “reliable information” on the application of the law, the existence / absence of requests in the same sector, and “under strict conditions, the documented practical experience of the” parties; and (iii) any supplementary measures implemented. This assessment must be documented by the parties and provided to the competent supervisory authority on request. The data importer should notify the data exporter if it believes it cannot comply with the New SCCs. In addition, detailed provisions are included around the steps the data importer should take in cases where it receives a request for disclosure from a public authority.
Such steps include, for example, notifying the data exporter of the request (where possible), providing the exporter with “aggregate information at regular intervals”, documenting the request and response, and challenging the request where the importer concludes there are reasonable grounds to consider it unlawful – including by “exhausting available possibilities of appeal”.
- Third-Party Beneficiaries: as with the Old SCCs, data subjects can invoke and where necessary enforce certain provisions in the New SCCs as third-party beneficiaries. In turn, the data importer is required to provide a contact point to data subjects and deal promptly with any requests or complaints. However, despite the Joint Opinion requesting that the EC provide a “white-list” of rights that can be enforced by data subjects, instead of listing those which are not enforceable, the approach remains unchanged.
- Use of Sub-Processors: where a sub-processor is engaged by a data importer under either Module 2 or 3, the parties have the choice of either agreeing to a specific prior authorization of individual sub-processors or a general written authorization to the use of sub-processors (i.e., in line with Article 28 of the GDPR).
- Onward Transfers: onward transfers of personal data from the data importer are only permitted where: (i) the third party accedes to the New SCCs (see docking clause below); (ii) in certain specific situations (which differ depending on the relevant Module) e.g., where the data subject provides their explicit consent; or (iii) the onward transfer is to a country which is deemed adequate by the European Commission e.g. Japan, Switzerland etc.
- Docking Clause: a docking clause is included which enables a third party to accede to the New SCCs at any point in time. This is not a concept which existed in the Old SCCs and should prove helpful for companies including e.g., in an intra-group scenario with the acquisition / disposition of business units. However, despite the Joint Opinion requesting that clarity be provided around the accession mechanism, no amendments have been made to address this request.
- Data Processing Provisions: where companies are using the New SCCs to legitimize transfers of personal data from either a controller to a processor, or a processor to a sub-processor, it will not also be necessary for these parties to enter into separate Data Processing Agreements with Article 28 GDPR data processing provisions as these are incorporated into the New SCCs.
- Accountability: the parties must be able to demonstrate compliance with the New SCCs and in particular, the data importer must: (i) keep appropriate documentation with regards to its processing activities which should be disclosed to the competent supervisory authority on request; and (ii) inform the data exporter promptly if it is unable to comply with the New SCCs. In the event that the data importer is in breach of the New SCCs or is unable to comply with the New SSCs the data exporter should suspend the transfer or termination the contract. Further, the New SCCs include a warranty from the data exporter that it has used “reasonable efforts” to determine the data importer is able to comply with the New SCCs.
- Liability: the liability provisions largely align with those under the GDPR. Each party is liable to the other party for any damages it causes the other party by breaching the New SCCs. With respect to Module 1 (controller to controller) and Module 4 (processor to controller), each party is liable to the data subject for any material or non-material damages and where more than one party is at fault the parties shall be joint and severally liable. With respect to Module 2 (controller to processor) and Module 3 (processor to processor): (i) the data importer is liable to the data subject for any material or non-material damages (e.g. distress) caused by the data importer or its sub-processor; and (ii) the data exporter is liable to the data subject for any material or non-material damages caused by the data exporter, the data importer or its sub-processor – albeit the data exporter can claim back from the data importer or its sub-processors compensation to the extent the exporter is held liable but is not at fault. Careful consideration will need to be given to any commercial liability terms entered into between the parties to ensure they do not conflict with the liability provisions under the New SCCs – although, it is made abundantly clear the New SCCs will take precedence.
In terms of next steps, companies will need to carefully consider the New SCCs to determine which of the Models applies to their data transfer scenarios, how they and other parties will comply with contractual obligations in the New SCCs and how they will roll out the New SCCs over the next few months both for intra-group transfers but also data transfer to vendors and other third parties. Companies will also need to consider the use of New SCCs in the context of their Schrems II data transfer assessment projects, final guidance on which is due to be published by the European Data Protection Board shortly.