On 7 June 2021, the EU Commission published the new Standard Contractual Clauses (SCCs) for transfers of personal data to third countries. They provide for more legal certainty following the decision of the Court of Justice of the European Union in the Schrems II case. However, companies transferring data outside the EU should also expect some challenges.
What are Standard Contractual Clauses?
A company intending to transfer personal data to a so-called third country outside the EU or the EEA has to provide not only for the legal basis for data processing but also for appropriate safeguards specifically for the transfer to a third country. These safeguards aim at ensuring that after the transfer, personal data is afforded a level of protection essentially equivalent to that guaranteed within the EU.
For some third countries, the EU Commission has itself created such safeguards, namely the so-called adequacy decisions. For the vast majority of third countries, however, other safeguards are necessary. In practice, companies often make use of the Standard Contractual Clauses adopted by the EU Commission, which offer a practicable solution for data transfers to a third country in many situations.
Why were new Standard Contractual Clauses adopted in 2021?
As the previous SCCs – adopted in 2001 and 2004 for transfers between controllers and in 2010 for transfers from a controller to a processor – no longer stood up to the economic and legal reality of the modern economy, the EU Commission adopted a new version of the clauses at the beginning of June 2021. On the one hand, the new SCCs stay abreast of the rapid developments in the digital economy of the previous years, and of the increasing complexity of data processing operations.
On the other hand, the new SCCs also take into account the latest legal developments. Namely, the publication of the new SCCs was preceded by the entry into force of the General Data Protection Regulation (GDPR) and the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case. In the latter, the CJEU invalidated the EU-U.S. Privacy Shield, yet confirmed the validity of the “old” SCCs. Admittedly, the Court set a high threshold for their use. According to the decision, the data exporter has to ensure that in a specific case, the data importer will be able to comply with the provisions of the SCCs. Furthermore, should the protection of the transferred data solely by way of the SCCs be insufficient, parties to the SCCs have to adopt additional safeguards to adequately protect personal data in the country of destination.
The new SCCs take the CJEU’s reasoning into account by providing for specific safeguards for the event that the legislation or legal practice in the country of destination could impair the data importer’s compliance with the clauses. In this respect, the new SCCs impose concrete obligations on the latter in case of access to data by public authorities of the destination country. In addition, the SCCs now explicitly stipulate that – should the laws and practices of the country of destination prevent the data importer from complying with the clauses – the data exporter has to suspend data transfers.
What are the most important changes to the Standard Contractual Clauses?
The new standard contractual clauses differ from the previous versions in some significant aspects. For companies, the most important changes are as follows:
Unlike the previous clauses that were each applicable to merely one specific processing constellation (controller – controller or controller – processor, respectively), the new SCCs incorporate a modular approach and cover the following data processing situations:
- transfers between controllers (Module 1),
- transfers from a controller to a processor (Module 2),
- transfers from a processor to another (sub-)processor (Module 3) and
- transfers from a processor to a controller (Module 4).
The parties to the SCCs should select the module applicable to their particular situation. This approach gives companies more flexibility with regard to data transfers to a third country but is likely to be more burdensome in practice.
Expanded circle of possible data exporters
The new SCCs introduce the possibility for data processors to use the SCCs in the capacity of data exporters (Modules 3 and 4). The new Module 3, in particular, is likely to gain significant practical importance as it provides European processors intending to employ a non-European sub-processor with a practical mechanism for the execution of corresponding data transfers. No comparable mechanism existed prior to the adoption of the new SCCs.
Furthermore, companies not established in the EU but nonetheless bound by the GDPR by virtue of its Art. 3(2) can sign the SCCs as data exporters as well.
No separate data processing agreement necessary
Modules 2 and 3 meet the regulatory requirements of Art. 28 GDPR for a data processing agreement. Hence, if a company transfers personal data to a non-European (sub-)processor based on the new SCCs, no separate data processing agreement is necessary.
Transfer impact assessment
Companies might find the obligation to assess the legal and factual protection of personal data in the country of destination particularly burdensome. This obligation, which stems from the Schrems II decision and the subsequent EDPB Recommendations, has now been incorporated into the SCCs. Contracting parties have to analyse the laws and practices of the country of destination potentially having an impact on the compliance with the clauses, document their analysis, and make the documentation available to the competent supervisory authority upon request.
Obligations of the data importer in case of access to personal data by public authorities
In the event of an (intended) access to personal data by public authorities, the data importer has to notify the data exporter and, where possible, the data subjects, and review the legality of the authority’s request for disclosure.
The new SCCs explicitly allow for more than two parties to conclude the SCCs. In addition, a company that is not a party to already signed SCCs may, with the agreement of the parties, accede to the SCCs at a later point either as a data exporter or as a data importer. This rule aims at providing more flexibility to companies given the ever more complex reality of modern data processing operations.
When can companies start using the new standard contractual clauses, and what will happen to contracts concluded pursuant to the old versions?
The Commission Implementing Decision with the new SCCs was published on 7 June 2021 and will enter into force on 27 June 2021. As of this date, companies can start using the new SCCs.
The Decisions of 2001 and 2010 containing the “old” SCCs remain valid until 27 September 2021. Until then, companies theoretically have a choice and can conclude contracts according to either the old or the new SCCs. However, as the new SCCs reflect the essential aspects of the latest CJEU case law, companies are in principle well advised to opt for the new SCCs from the time they enter into force.
Contracts concluded before 27 September 2021 based on the “old” SCCs remain valid until 27 December 2022, provided that the relevant processing operations remain unchanged.
Companies should therefore determine to which non-European entities they currently transfer personal data on the basis of the old SCCs. Here, not only data transfers to service providers are relevant but often also intra-group transfers, e.g. if the parent company is established outside the EU.
If personal data are transferred using the old SCCs, companies should contact the data importers as soon as possible and initiate the conclusion of an agreement using the new SCCs. Due to the obligatory assessment of the specific circumstances of the transfer and of the relevant laws and practices in the country of destination in particular, the conclusion of the new SCCs is likely to demand a significant amount of time and resources.
How do the new Standard Contractual Clauses affect data transfers to and from the United Kingdom?
Until the end of the post-Brexit transitional period on 30 June 2021, European companies can transfer personal data to the United Kingdom (UK) without the need to adopt any specific safeguards. Provided that the UK is granted adequacy status, European companies will not need to enter into SCCs for data transfers to the UK even after the end of the transitional period. But this is still uncertain.
As for the transfers of personal data from the UK to third countries, UK companies can currently use the “old” European SCCs, which remain valid under the UK GDPR notwithstanding the decision of the EU Commission. However, the UK data protection supervisory authority, the Information Commissioner’s Office (ICO), intends to publish its own SCCs in 2021. It is still unclear whether it will also decide to recognise the new European SCCs as valid under the UK GDPR. This would be a significant advantage especially for multinational companies doing business both in the UK and in the EU, as they would not have to use two sets of rules for their international data transfers.
Conclusion: Standard Contractual Clauses provide more legal certainty and flexibility, but are also more labour-intensive
With the new SCCs, companies are obtaining significantly more flexibility in the arrangement of their data transfers to third countries. This is to be particularly welcomed, as SCCs were previously unavailable for some constellations.
However, companies should consider that in the wake of the Schrems II decision, the conclusion of the SCCs has become more time- and resource-intensive. In line with the decision, the new clauses explicitly require the involved parties to assess the level of protection of personal data in the destination country prior to transferring the data, to adopt additional safeguards if necessary and – finally, yet importantly – to carefully document the entire process.
In addition, third country transfers have become a continuous task. Businesses are required to continuously monitor the circumstances in the country of destination affecting the protection of personal data. If necessary, they have to respond to any developments, e.g. by adopting additional safeguards to protect the data, or by suspending the transfers.
The obligations related to third country transfers – be it the selection of service providers, the examination of the legal situation in the destination country, the conclusion of appropriate clauses or the subsequent continuous monitoring – should not be taken lightly. The coordinated, cross-border examination of companies on third country transfers by the German data protection supervisory authorities demonstrates that the supervisory authorities are paying special attention to the issue of third country transfers. It cannot be assumed that this will change with the publication of the new SCCs.