June 21, 2021

EU New Standard Contractual Clauses for Transfers of Personal Data

The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4,…

The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.

The new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”) and the old SCCs will be repealed three months after that date (“Date of Repeal”).

Here are some preliminary comments on the new SCCs:

Timelines for organisations

The decision of the EU Commission contains a sunset clause whereby:

  • Companies entering into new contracts shall use the new SCCs after the Date of Repeal; and

  • Companies having the old SCCs in place before the Date of Repeal may continue to use them for fifteen (15) months following the Date of Repeal. The organization will thus have a transition period of eighteen (18) months after the date of effect.

A diverse and modular approach

Whereas the old SCCs addressed only two transfer scenarios (i.e., controller to controller, and controller to processor) the new SCCs apply a more diverse and modular approach covering four data transfer scenarios:

  1. Controller to Controller;

  2. Controller to Processor;

  3. Processor to Processor; and

  4. Processor to controller.

In addition, they apply to subsequent transfers.

Geographical scope

The new SCCs make clear that they can be used not only by Controllers and Processors established in the EEA, but also by Controllers or Processors that are not established in the EU, for their processing activities that are subject to the General Data Protection Regulation 2016/679 (“GDPR”) because of the targeting criterion of Article 3(2) GDPR.

Article 28 GDPR data processing provisions 

The Controller to Processor module also incorporates the requirements of Article 28 of GDPR’s data processing provisions. No separate data processing agreement will need to be entered into, avoiding any contradictions between the two and thus setting a standard for Article 28 GDPR provisions.

However, the new SCCs may be incorporated into broader commercial contracts and further clauses may be included provided these do not prejudice the fundamental rights of data subjects or contradict the SCCs. Moreover, the new SCCs contain a clear rule on hierarchy, stipulating a general precedence of the SCCs.

Parties

The new SCCs envision multiple parties to agreements with docking clauses enabling third parties to accede to the agreement at any point in time, thereby reflecting actual practice.

Content

The new SCCs are more onerous and impose GDPR-like obligations on data importers, such as transparency and GDPR data subject rights. Furthermore, the new SCCs contain, amongst other provisions, the rights of data subjects as third party beneficiaries, liability (including in some cases joint and several liability of the parties vis a vis data subjects) and indemnification as well as supervision by EU Member State supervisory authorities.

Aftermath of the Schrems II decision

One of the main reasons why the new SCCs are so highly anticipated is because of the potential extent of protection they will offer to companies transferring personal data outside of the EEA in the aftermath of the Schrems II Judgement (CJEU Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, dated July 16, 2020).

The consequences of the Schrems II judgement have been addressed by the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor in their “Joint Opinion 2/2021 on SCCs for the transfer of personal data to third countries from January 14, 2021” and in the EDPB’s (yet to be finalized) “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data from November 10, 2020.”

The EDPB and EDPS notably stressed that the parties must assess whether there is anything in the law or practice of the third country of destination, which prevents the data importer from fulfilling its contractual obligations and, depending on the outcome of this assessment, must implement ad hoc supplementary measures (contractual and technical) to ensure adequate protection to data subjects. Therefore, a key question in this regard was whether the use of the new SCCs would make it unnecessary for the parties to carry out such assessment and implement ad hoc supplementary clauses.

The new SCCs (clause 14) will still require the parties to carry out such assessment and “warrant” that neither party has “reason to believe” that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the new SCCs.

In giving this warranty the parties must make an assessment taken into account (i) the specific circumstances of the transfer (e.g., nature of data transferred, purpose for processing); (ii) the law and practices of the country of destination and (iii) any supplementary measures implemented. The possibility to take into account circumstances that go beyond the law and practices is welcome. Some importers that are in principle covered by legislation on access to law enforcement but are not likely to effectively be required to handle data, may be able to warrant that they have no reason to believe that such legislation would prevent the importer from complying with the new SCCs.

Furthermore, the SCCs contain additional commitments that cater to what parties need to do in case of access by public authorities of the country of the importer. Some commitments had been de facto enforced by some data protection authorities under the current SCCs and had been recommended by EDPB in the above-mentioned draft opinion. The SCC requires, amongst other things, the importer to notify the exporter of (i) any “legally binding request from a public authority”, or (i) if it “becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses”. The data importer must also ”challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful.”


© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 160