In early June 2021, the European Commission adopted a new set of Standard Contractual Clauses for organizations to use to ensure compliance with the EU General Data Protection Regulation (GDPR) requirements for transfers of personal data from the European Economic Area (EEA).
Under the GDPR, transfers of personal data from the EEA are not permitted unless certain safeguards are met to ensure that a similar level of protection is afforded to data subjects as that granted under EU law. Among the most commonly used safeguards are Standard Contractual Clauses (SCCs) approved by the European Commission, which organizations can incorporate into their contractual arrangements. The SCCs were developed under the previous EU Data Protection Directive of 1995 and had not been updated to reflect changes introduced by the GDPR. Moreover, the SCCs applied in a limited number of circumstances and did not cover many common data processing scenarios in the chain of data processing activities. Additionally, following a series of legal challenges, SCCs have been subject to additional requirements in respect of risk assessments and supplementary contractual measures.
Recent Legal Challenges - Schrems II
The updated SCCs come in the wake of the judgment of the Court of Justice of the European Union (CJEU) last July in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II) (summarized in a previous alert: EU Court Issues Landmark Ruling on Transfer of Personal Data Outside European Economic Area). In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield. In addition, the CJEU held that companies wishing to rely on SCCs for international data transfers may need to implement additional safeguards. In particular, data exporters must assess whether any laws of the destination country would conflict with their ability to provide adequate protection under the SCCs, and data importers have an obligation to inform the exporter of any inability to comply with the terms of the SCCs.
International Transfers — Risk Assessment
As with the current SCCs, the new SCCs require the parties to warrant that they have no reason to believe that the laws and practices in the importing country prevent the data importer from fulfilling its obligations, including any local law requirements to disclose personal data to, or measures authorizing access by, public authorities. The new SCCs specifically require the parties to take into account:
- The specific circumstances of the transfer, including the length of the processing chain, onward transfers, the nature of the recipients, the purposes of processing, the nature of the personal data and storage location.
- The laws and practices in the importing country, including laws requiring disclosure to, or authorizing access by, public authorities.
- Any relevant contractual, technical or organizational safeguards, including technical measures such as encryption applied during the transfer to, and the ongoing processing in, the importing country.
In considering the second element, the new SCCs provide some additional flexibility compared to the previous draft issued in November 2021 (summarized in our previous alert: Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?) and allow the parties to take a risk-based approach. In particular, the parties can take into account a number of different factors in assessing the impact of local laws on their compliance with the SCCs, including relevant and documented practical experience in respect of prior requests (or the absence of any such requests) by public authorities over a representative timeframe. This practical experience will need to be supported by other relevant, objective elements, which the parties to the SCCs must weigh up and consider, including whether the parties’ experience is supported by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector. While this additional latitude will be welcomed, the parties’ assessment will need to be objective, rigorously documented and certified at senior management level. A subjective assessment that the transfer is not particularly risky given the nature of the data, the relevant industry sector and the likelihood of government access will not cut it.
Other Key Features
- The new SCCs cover the full range of possible transfer scenarios and have been produced as one document with different options or “modules”: controller to controller, controller to processor, and — for the first time — processor to processor and processor to controller.
- Adding new parties to the contract has been simplified so that the joining party completes the mandatory information without requiring all parties to sign.
- There are tighter restrictions on the onward transfer of personal data by the data importer, with specific requirements which vary depending on the transfer scenario.
- Data importers will be required to notify their data exporters of any government access requests, or if they become aware of any government access to their data, unless they are legally prohibited from doing so and it is not possible to obtain a waiver of the prohibition. Importers must also regularly update exporters with any relevant information relating to such requests and keep these documented for supervisory authorities.
- There are greater transparency requirements on parties to provide more information about their processing, including their security arrangements.
- Parties to the new SCCs must list their competent supervisory authority/authorities.
- There is more direct liability to data subjects under the new SCCs, which must be governed by the law of an EU Member State allowing for third-party beneficiary rights, and not-for-profits may initiate proceedings against parties to the SCCs on behalf of data subjects.
There will be an implementation period of 18 months for organizations to transition to the new SCCs. The existing SCCs remain valid for a three-month period following the date of the Implementing Decision (June 4, 2021). Organizations will then have a period of 15 months to transition to the new SCCs, and any existing SCCs relating to contracts entered into before the end of the three-month grace period will continue to provide protection during that 15-month period — as long as the underlying processing activities remain unchanged. If there are changes in the processing activities, the parties will need to enter into new SCCs immediately to cover those new processing activities. While an 18-month transition period seems relatively relaxed, there is much that needs to be done during that period. The new SCCs require much greater due diligence and rigorous ongoing management.
Furthermore, the fact that the new SCCs can (through the modular approach) be applied to a much broader range of processing arrangements with a number of different parties in the chain of processing activities will require some organizations to re-examine their data flows, and the locations and roles of the parties as controllers, processors and sub-processors.