The EC has issued new Standard Contractual Clauses (“SCCs”) under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) for data transfers from controllers or processors whose processing is subject to GDPR (whether resident in the EU/EEA or not) to controllers or processors established outside the EU/EEA.
The new SCCs:
- replace the three sets of SCCs which were adopted under the now replaced Data Protection Directive 95/46.
- have been pre-approved by the European Commission.
- come into force on 27 June 2021.
- include obligations more closely align with the requirements of the GDPR than those under the old SCCs which were related to the Data Protection Directive 95/46.
- can be used as a basis for data transfers from the EU to third countries.
- combines general clauses with modular options for various transfer scenarios – thus giving much greater flexibility than the old SCCs.
- contain 26 recitals explaining how exporters and importers should use them.
- can form part of a wider contract with other clauses or safeguards added, provided these do not contradict the SCCs “or prejudice the fundamental rights or freedoms of data subjects”.
- have been prepared after consultation with the European Data Protection Supervisor and the European Data Protection Board which gave a joint opinion on 14 January 2021 on this matter (the “Joint Opinion”).
Whilst the obligations imposed under the new SCCs are far more onerous than those in the old SCCs, the combination of general clauses with modular options helps to improve their flexibility and enables them to address various transfer scenarios which were not previously covered. The old SCCs covered only two types of transfer: controller to controller, and controller to processor. This meant that other common types of data flow were not covered – processor to (sub-)processor in particular. The new SCCs now deal with all the data flows:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to processor
- Module 4: processor to controller
Further changes include Clause 15, which importantly provides steps for an importer to take when subject to a request for disclosure from a public authority and Clause 14, which sets out the factors which can be considered to carry out an assessment of a third country’s legal framework – this will be particularly important for companies seeking to export data to the U.S. (on which there is currently considerable focus with the Facebook litigation in Ireland) and to countries like Russia and China (in respect of which, perhaps oddly, there seems to be less overt concern in the EU but for which focus is increasing – e.g. with investigations into Tik Tok’s data processing).
Clause 7 is an optional “Docking Clause”, an addition which did not exist in the old SCCs. This clause enables a third party to agree to adhere to the new SCCs at any point in time – which is useful for intra-group data flows as it allows new companies to adhere to them on joining the group of companies. This was previously typically dealt with by the use of a Deed of Adherence to the old SCCs, but this express option removes any question over the legality of that mechanism.
The EC’s decision document, to which the SCCs are annexed, states that the new SCCs may be used for transfers to a processor or controller based outside the EU “only to the extent that the processing by the importer does not fall within the scope of" GDPR. This suggests that the new SCCs cannot be used to legitimise transfers of personal data to a data importer who is outside the EEA, where the importer’s processing of the personal data is subject to the extra-territorial jurisdiction of GDPR including because the importer is providing goods or services to, or monitoring, EU citizens. It is not entirely clear, therefore, how transfers to such importers are to be legitimised if not via the use of the SCCs. The EDPB is intending to confront this issue in an upcoming opinion.
Note that as post-Brexit UK data protection legislation only refers to the SCCs approved as at 31 December 2020, the new SCCs also do not cover transfers to which the UK GDPR applies. The UK ICO intends to consult on and publish UK SCCs during 2021.
The new clauses are a significant update, particularly in the light of the Schrems II decision which invalidated the EU-U.S. Privacy Shield. Following this decision, they have played a more substantial role as a potentially appropriate safeguard for transferring personal data from the EEA to recipients in the U.S. and other countries without an EU Adequacy Decision (which may include the UK if an adequacy decision is not made in favour of the UK). See here for our recent updates on this issue.
Parties will be required to be able to demonstrate compliance with the new SCCs. Specifically, the data importer must:
- keep appropriate documentation of its processing activities, which it should disclose to the competent supervisory authority on request; and
- inform the data exporter promptly if it is unable to comply with the SCCs.
In the event that the data importer is in breach of or is unable to comply with the SSCs, the data exporter should suspend any further data transfer or terminate the contract. Further, the new SCCs include a warranty at Clause 8 from the data exporter (enforceable also by the data subjects involved) that it has used “reasonable efforts” to determine the data importer is able to comply with the SCCs.
The liability provisions reflect those under the GDPR, so that each party is liable to the other party for any damages it causes the other party by breaching the new SCCs and in different situations either or both parties may be liable to the data subjects whose data is being transferred. This is for any material or non-material damages, and where more than one party is at fault, the parties shall be joint and severally liable. As SCCs are often entered into as part of a wider scheme of arrangement, the parties will need to tailor the commercial liability terms of such arrangements to ensure they do not conflict with the liability provisions under the new SCCs – although, it is clear that the SCCs will take precedence over the commercial terms.
The new SCCs come into force on 27 June 2021 (i.e. 20 days following their publication in the EU’s Official Journal on 7 June 2021); the old SCCs will not be able to be used three months after this date. SCCs existing on that date can be relied on for a further 15 months following this date. This is effectively a transition period of 18 months, but practically speaking, companies entering into new contracts should start to consider using the new SCCs as soon as possible; they will have to use them once the old SCCs have been repealed.
Companies will need to determine which of the ‘Modules’ in the new system applies to their data exports. They will then need to determine how they can satisfy themselves in an accountable fashion that the third country’s data protection framework will not undermine the protections afforded to the data subjects by GDPR and whether and how they and the data importers will be able to comply with contractual obligations in the new SCCs.