Data protection law update – the new standard contractual clauses are finally here
The GDPR prohibits the transfer of personal data from the EU to a third country (i.e. a country outside the EEA) unless the third country has been deemed adequate by the European Commission or one of the prescribed transfer mechanisms is in place. One such mechanism is the standard contractual clauses adopted by the Commission (SCCs).
The "old" SCCs were not in line with the GDPR, as they had been in effect considerably before the GDPR came into effect in May 2018 and therefore needed a legislative update. In addition, since technology has moved on considerably over the years and the Court of Justice of the European Union's "Schrems II" decision called into question the reliability of the SCCs as a data transfer mechanism (unless transfer adequacy assessments were conducted on a case-by-case basis and supplementary measures implemented where necessary), the need to adopt new SCCs became even clearer.
Key features of the new SCCs - a welcome change?
Broadly speaking, the new SCCs appear to be a significant improvement on the current SCCs from a contractual perspective. They fix deficiencies and provide a structure to address the Schrems II challenges. The key features are as follows:
- Transfers covered - The new SCCs include new modules that cover an expanded scope of data transfer modes and can be used for the following transfers: controller-to-controller; controller-to-processor; processor-to-controller; and processor-to-sub-processor. This is particularly useful, since the old SCCs only dealt with controller-to-controller and controller-to-processor transfers.
- Multi-party design - Unlike the existing SCCs, the new SCCs can be executed by more than two organisations at the outset and also allow via the so-called docking clause new parties beyond the initial signatories to be added to them over time. This will undoubtedly ease large scale intra-group transfers.
- Modular approach - The new SCCs are seen as more business friendly as they retain a "modular approach". Instead of having different sets covering the different types of transfers, the parties should select the applicable module and, in addition to the general clauses applicable to all modules, only the clauses that apply to that specific module. It remains to be seen whether the implementation of the new SCCs will overall be beneficial to businesses and not bring about additional challenges.
- Non-EU data exporter - The new SCCs expressly recognise that they can be used by non-EU data exporters who process personal data under the GDPR. This is a welcome change for non-EU entities as the GDPR could apply to them (by virtue of its extraterritorial scope in Article 3(2)), but technically the previous SCCs could only be used where the data exporter was established in the EU.
- Increased obligations on non-EU controllers - There is an increase in the obligations placed on non-EU controllers, including obligations to notify EEA authorities of a data breach.
- Focus on security obligations - There are significant security obligations on all parties in each module. In most instances this requires the parties to agree technical and organisational measures to be implemented by one or both of the parties to protect the data from being subject to a personal data breach. These measures must then be documented in Annex II. In the new SCCs, Annex II contains a non-exhaustive list of examples of security measures, which could be used if appropriate for the relevant transfer. There is no indication as to when such measures should be used, what kind of transfer would trigger their usage, or what level of risk should be met before a particular measure is implemented, which means the onus is on the parties to make this judgement based on the relevant transfer. For effective application of the new SCCs, further guidance around security measures is required, but organisations should continue to view security as a high priority.
- Data subject rights - The new SCCs allow data subjects to enforce certain provisions of the SCCs as third-party beneficiaries against the data exporter and/or data importer. This applies in addition to the rights granted to data subjects under the GDPR. How effective these rights will be is difficult to assess at the present time.
The new SCCs may be used from 27 June 2021 but must be used from 27 September 2021. Existing SCCs (signed before 27 September 2021) will be valid for the duration of the transition period, which expires on 27 December 2022 unless the processing changes and/or any amendment is made during the 15-month transition period.
From 27 December 2022 onwards, all contracts utilising SCCs must incorporate the new SCCs.
Schrems II requirements
The new SCCs take into account the ECJ's judgment in Schrems II, providing a practical toolbox to assist in complying with the judgment and examples of 'supplementary measures', such as encryption.
Data exporters are now obligated to conduct and document a transfer impact assessment (TIA), assessing the sufficiency of non-EU country protections on a case-by-case basis prior to transferring data from the EU to the non-EU country. This TIA must be made available to the competent EU supervisory authority on request. The SCCs set out the factors that the data exporter must consider in a TIA.
The implementing decision for the SCCs confirms that a risk-based analysis may be utilised, providing some relief for many US data importers. The decision stated that "different elements may be considered as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer."
It remains to be seen whether the Commission's decision will allow US businesses to avoid implementing supplementary, and potentially cumbersome, measures beyond the express requirements of the SCCs in order to comply with the GDPR, such as data encryption and additional organisational and processing measures.
Data transfer from the UK post-Brexit
Crucially, the new SCCs do not apply to the transfer of personal data from the UK. This is due to the fact that at the time of Brexit, the UK indicated that the existing SCCs were approved but no reference was made to the new SCCs. The UK Information Commissioner's Office (ICO) is working on bespoke SCCs under the UK GDPR and plans to consult on them in the summer.
Whilst it could be that the only divergences from the EU SCCs made by the UK are those deemed necessary to ensure the UK SCCs make sense in a post-Brexit environment (for example, by substituting references to EU institutions and laws with UK ones), it is possible that the UK authorities may elect to make more expansive changes.
It is worth noting that there may be situations where businesses will have to rely on a fair number of SCCs, namely the new SCCs where applicable (and as required after 27 September 2021), and the old EU SCCs until the new UK SCCs are in place.
There is no clear guidance as to when the UK SCCs will be published, but when they are finalised the EU SCCs may cease to be valid for any new and/or existing international data transfers from the UK (following a grace period as set out above). Organisations will need to understand their international data flows to ensure they can seamlessly implement any new SCCs, whether EU or UK, to ensure legal international data transfers.