On June 4, 2021, the European Commission adopted modernized standard contractual clauses (“SCCs”) for use in international data transfers (collectively the “Clauses”). These updated Clauses reflect new requirements under the EU’s General Data Protection Regulation (GDPR) and take into account the EU Court of Justice’s Schrems II decision, which invalidated the U.S.-E.U. Privacy Shield program in July 2020. The Clauses also address known shortcomings of the old SCCs.
The GDPR restricts transfers outside of the EU unless an exception applies. Generally, this means a controller (i.e., a person or entity that is in charge of how data is processed) or processor (i.e., a person or entity processing at the direction of a controller) may transfer personal data internationally only if it has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for EU citizens are available. For international transfers of data to countries such as the U.S., SCCs are therefore essential for compliance with the GDPR. Following is an overview of some of the more notable changes and what to plan for if you rely on SCCs as a data transfer mechanism.
When do the Clauses become effective?
The Clauses can be used beginning 20 days after publication in the Official Journal of the EU, or as soon as June 27, 2021. However, data exporters (i.e., the controller or processor transferring the personal data to a third country) and importers (i.e., the controller or processor receiving the personal data) can continue signing the existing standard contractual clauses for another three months (until the Commission decision approving the current clauses is officially repealed). After that three-month period, which ends on September 27, 2021, no new contracts can be signed using the existing SCCs and the new Clauses must be used instead.
Data exporters and data importers will have 18 months from the effective date of the Commission’s decision adopting the Clauses to update existing contracts with the updated Clauses. This date falls on December 27, 2022. (Note, however, that if the underlying processing changes after September 27, 2021, companies should be using the new Clauses.)
So what’s new about the new Clauses?
The Clauses offer more flexibility for transfers:
- From a controller to another controller (C2C);
- From a controller to a processor (C2P);
- From a processor to a processor (P2P); and,
- From a processor to its appointing controller (P2C).
This additional flexibility provides for processing scenarios that the old clauses did not. Under the prior SCCs, the data exporter could technically only be a party established in the EU. The new SCCs recognize the case where a data exporter is not established in the EU but is subject to the GDPR through extraterritorial application (e.g., a controller subject to the GDPR because it clearly intends to offer goods or services to data subjects in the EU).
The updated Clauses can also be used by multiple parties to a transfer and include arrangements for new parties to agree to Clauses already in place via a “docking clause.” The docking clause is a mechanism that allows new parties to agree to the Clauses where processing changes over time. For instance, this may be used for data transfers within a group of affiliated or commonly-owned companies where a new subsidiary is created or acquired and needs to become a party to ongoing intra-group transfers.
How do the Clauses deal with Schrems II?
The Clauses are drafted to take into account the Schrems II judgment. In that judgment the European Union Court of Justice invalidated the European Commission’s adequacy decision regarding the EU-US Privacy Shield program. Adequacy decisions provide a legal basis under the GDPR for transferring personal data, and are a finding by the European Commission that a third country’s privacy law is essentially equivalent to EU privacy standards. In invalidating the adequacy decision for the Privacy Shield, the court concluded that surveillance practices by U.S. national intelligence agencies fail to meet European privacy standards due to the lack of redress provided to those who are targeted for surveillance, and the lack of independent judicial review for EU citizens.
While the old clauses were upheld by the Court in Schrems II, the updated Clauses incorporate further elements from the judgment. Specifically, the new Clauses call for transfer impact assessments to be carried out and made available to the competent supervisory authority upon request. The Clauses also set out the factors that the data exporter (with input from the importer) must consider in such a transfer impact assessment, including:
- the law and practice in the third country;
- the purpose of the processing and the nature of the data transferred;
- the length of the processing chain;
- the number of actors involved and transmission channels used;
- the type of recipient and details of onward transfers;
- the format of the transferred data and the economic sector in which the transfers occur; and
- the storage location of the data transferred.
The Clauses also impose greater obligations on the data importer with respect to attempts by public authorities in the third country to access EU citizens’ personal data. Where possible, the data importer must notify both the data exporter and the data subjects that it has received a request by a public authority (which includes judicial authorities) to access such personal data; furthermore, it must assess the legality of any such order and, where it considers it has reasonable grounds to challenge the order, it must do so. The data importer must document these requests and the steps it follows, and make these records available to the exporter. It must also prepare a transparency report (i.e., more general information about the nature of requests received).
Ultimately, the new Clauses require the parties to warrant at the time of signing that they have no reason to believe that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the Clauses. The data exporter must also warrant that it has made reasonable efforts to determine that the importer can comply with the Clauses.
Companies will need to carefully consider the updated Clauses to determine which of the processing scenarios applies to their data transfer, how they and other parties will comply with contractual obligations in the updated Clauses, and how they will implement the updated Clauses over the next few months. The updated Clauses are still subject to additional guidance from the European Data Protection Board, which is scheduled to release its “Recommendations on Schrems II” report later this month.