On Friday 4 June, the European Commission adopted new standard contractual clauses (“SCCs”) to be used for transfers of personal data out of the EU. The new SCCs entail a general facelift and update as compared to the existing clauses and, in particular, the new clauses align with the requirements for data transfers following the Schrems II judgement. For a broader background, please see our previous insights.
The new SCCs represent a significantly more comprehensive and robust approach to governing data transfers compared to their predecessors and will therefore require a thorough reading and assessment by organisations transferring data based on SCCs. Basically all organisations engaging in EU cross-border business or using international ICT services will need to initiate an SCC project. The following sets out our key takeaways to consider when analysing and preparing the roll-out of the new SCCs:
Transition periods:
The Commission decision implementing the new SCCs includes transition periods, according to which the old SCCs may only be used in new contracts for another three and a half months. As of 27 September 2021, new contracts will have to rely on the new clauses, meaning that, for example, organisations planning new IT outsourcing for the autumn entailing international transfers will have to carry out contract preparations based on the new SCCs.
For existing contracts relying on the old SCCs (concluded prior to 27 September 2021), there will be a grace period until 27 December 2022, during which EU companies exporting data will have to carry out procedures to replace the old SCCs with the new ones. However, the Commission decision implementing the new SCCs states that the relevant processing operations must remain unchanged and be subject to appropriate safeguards despite the grace period. Effectively, this means that any relevant change to the processing will trigger the obligation to replace the old SCCs before 27 December 2022. Moreover, the grace period will not exempt companies from carrying out their Schrems II assessments, since appropriate safeguards will have to be assessed and ensured in existing contractual arrangements during that period as well.
Modular approach and docking clause:
The long-awaited feature of the new SCCs is the so-called modular approach, which includes separate provisions not only for controller-to-controller and controller-to-processor transfers, but also for processor-to-processor and processor-to-controller scenarios. The new processor-to-processor module, especially, is highly welcome and useful in the context of many ICT services where, in practice, the processor often carries out the relevant transfers. In these cases, it has thus far been necessary for the controller to conclude the SCCs directly with the data importer or to authorise the processor to do so on its behalf.
Further flexibility is also offered through the so-called docking clause in the new SCCs, which allows for a clearer and more efficient procedure for additional parties to accede to the SCCs. This mechanism will undoubtedly prove useful, for example, in situations where several group companies engage the same service provider, transferring their personal data outside the EU under a common contractual arrangement.
Schrems II-mandated due diligence retained and specified:
Making use of the new SCCs will not mark the end for the requirements set out in the Schrems II judgement, notably that organisations transferring personal data to third countries should carry out rigorous assessments of the level of data protection in the relevant third countries and implement supplementary measures, where necessary. Quite the contrary, the Schrems II-mandated due diligence procedure is incorporated into the new SCCs, which require the parties to the clauses to warrant that they have no reason to believe that the laws and practices of the respective third country undermine the SCCs, following a broad assessment of various circumstances and elements of the data transfer. Moreover, this assessment should, specifically, be documented and made available to the competent data protection authority upon request.
It is, therefore, clear that Schrems II will continue to be a keyword in companies’ compliance projects, with a continued focus on identifying the supplementary measures necessary to ensure the lawfulness of data transfers. To aid in these efforts, the new SCCs contain a list of examples of possible supplementary measures, which arguably remain at too high a level to provide meaningful guidance to organisations in an individual case.
Following the Schrems II judgement, it has become clear that contractual obligations for situations where transferred data becomes subject to an authority’s access request or direct access are crucial, since the key risks underlying data transfers are deemed to relate to foreign (surveillance) laws allowing access to European data. In this respect, the new SCCs include comprehensive provisions governing such access request situations and requiring the data importer to give notice of, and to challenge, such requests in order to protect the relevant data.
Risk-based approach allowed:
The new SCCs make clear that companies should be allowed to rely on a risk-based approach when assessing the level of protection afforded to transferred data and, especially, to consider practical experience concerning prior instances of authority requests for disclosure of data. Essentially, this would mean that the absence of such access requests against the relevant service provider or other entity to which data is transferred outside the EU could be invoked as an argument that the data may be securely and lawfully transferred without a need for considerable supplementary measures. This has been a highly debated issue in the preparation of the new SCCs, with the European Data Protection Board in particular asserting that practical experience, as a subjective factor, should not have an impact on such assessments. To accommodate these views, the finalised new SCCs state that the relevant practical experience should be adequately supported by regularly prepared internal records, which are certified at senior management level.
DPAs and SCCs:
A useful feature of the new SCCs is that, where the SCCs are used between a controller and a processor or between a processor and a sub-processor, the SCCs may also serve as a data processing agreement (“DPA”) as required by Article 28 of the GDPR. This means that a separate DPA will not be necessary, since the mandatory elements thereof have been included in the new SCCs. It may, however, still be a common starting point that organisations that have negotiated DPAs with their service providers retain these existing agreements (including the liability terms) despite having to renew the applicable SCCs. In this sense, the adoption of the new SCCs need not mean a complete overhaul of current arrangements.
Although the new SCCs provide for reasonable transition periods, European companies should begin preparations for their roll-out sooner rather than later. In practice, the time leading up to 27 September may prove to be relatively short for starting to apply the new SCCs in new contract negotiations, noting that the novel elements of the SCCs, including the modular approach, will require sufficient assessment and discussion with service providers and other contract counterparties. Moreover, European companies should launch adequate procedures to ensure that the old SCCs concluded in connection with existing contracts are replaced by 27 December 2022.