EU Commission adopts new Standard Contractual Clauses
Article 46 of the GDPR lists Standard Contractual Clauses (SCCs) approved by the Commission, as an ‘appropriate safeguard’ for transfers of personal data to a third country that does not have adequacy status. In essence, SCCs are standard sets of contractual terms and conditions, approved by the European Commission, which the sender, or ‘data exporter’ and recipient, or data ‘importer’ of personal data, both sign up to. These terms include contractual obligations that help ensure the protection afforded personal data by European data protection laws travels with it when transferred outside the EEA.
While the decision to grant the UK adequacy means UK-EU data transfers can continue unaffected, transfers to third countries remain a point of ongoing development and discussion. On 4th June 2021, the new European Union standard contractual clauses (SCCs) for transfers of personal data to third countries were adopted by the European Commission. The decision (2021/914) comes twenty years after the adoption of the first set of controller-to-controller (C2C) clauses in 2001 and implements the first new clauses since the GDPR took effect over three years ago.
The new SCCs are more consistent with the requirements of Article 46 of the GDPR, addressing inadequacies in the existing SCCs, such as the lack of processor-to-processor (P2P) clauses. They also reflect the CJEU ruling of July 2020, which invalidated the EU-US Privacy Shield and placed greater emphasis on businesses relying on SCCs carrying out case-by-case assessments that account for the standard of data protection in the recipient country.
Previous SCCs required parties to choose the relevant template (C2C/01, C2C/04 or C2P/10). As mentioned, these previous SCC templates failed to account for both P2P and P2C transfers, leaving some data exporters in difficulty when implementing agreements. However, the newest SCCs adopt a ‘modular’ approach, allowing data exporters to choose from four different modules, C2C, C2P, P2P or P2C. Whilst the substance of the modules is largely similar, each module contains some specific clauses applicable to the chosen transfer context. Organisations will need to ensure their role as either a controller or processor in contractual relationships is clearly defined, being careful to select the correct module within the SCCs when entering and amending future contracts.
Importantly, paragraph (recital) seven of the new clauses also allows controllers or processors not established in the Union to use the clauses for transfers of personal data, to the extent that their processing is subject to the GDPR. The previous SCCs were only available for use by controllers or processors established in the Union.
A GDPR Update
Several provisions within the new clauses are now more accurately aligned with the requirements of the GDPR than previous SCCs, which were implemented under the repealed Data Protection Directive. For example, provisions within Clause 8 ‘Data Protection Safeguards’ cover GDPR Article 5 principles, account for Article 28 Processor obligations and bring requirements to implement appropriate technical and organisational safeguards to secure processing, in line with Article 32 security requirements of the GDPR (clauses 8.5, 8.6 and 8.2 in respective modules). Where the importer is a controller, clause 8.5 (b) will also require that Annex II ‘Technical and Organisational Measures’ is completed, and that the importer carries out regular checks to ensure measures continue to provide appropriate levels of security.
Schrems II Context
Central to much of the discussion around the new SCCs and their previous drafts has been whether they will work to address last year’s Schrems II decision, handed down by the CJEU, and in particular whether the new SCCs would align with EDPB guidance on supplementary measures in addressing the practical issues raised by the Schrems II decision.
For context, following Schrems II, the CJEU reminded data exporters that protection offered to personal data within the EEA must travel with it wherever it goes. In practice, this means organisations relying on Article 46 safeguards such as SCCs to transfer personal data to third countries must, prior to transfers taking place and on a case-by-case basis, carry out assessments on such transfers to determine if anything in the law or practices of the recipient third country could “impinge on the effectiveness of the appropriate safeguards of the transfer tools [relied] on” (EDPB, 01/2020, p.3). Exporters may then need to adopt ‘supplementary measures’ if an assessment reveals that the recipient third country’s legislation or practices impinge on the effectiveness of the safeguard relied on (i.e. SCCs) in protecting personal data to a standard essentially equivalent to that which it receives within the EU.
Part three of our Data Transfers mini-series will explore the which addresses this risk-based, ‘assessment’ approach to third country transfers based on SCCs in more detail.
At a high level, however, the new SCCs would appear to adopt a similar risk-based approach to third country transfers, in line with finalised EDPB recommendations. Clause 14 (a) requires parties to warrant that they have ‘no reason to believe’ that the laws and practices of a third country, applicable to the data importer, prevent the importer fulfilling obligations under the clauses. Clause 14 (b) further requires that data importers conduct a transfer assessment which crucially, according to footnote 12 of the SCCs, “may include relevant and documented practical experience with prior instances of request for disclosure from public authorities, or the absence of such requests”. This ‘risk-based approach’ may offer some hope to parties looking to rely on SCCs, especially after such restrictive initial guidance from the Schrems II decision and subsequent EDPB draft recommendations. However, the new SCCs must be read and understood in conjunction with the EDPB recommendations, which unpack how exporters may conduct risk assessments practically and provide use cases in which supplementary measures may still need to be applied.
The new SCCs provide a welcome update to their predecessors, addressing several known deficiencies and bringing the clauses in line with the GDPR, while accounting for the key issue of the Schrems II judgment.
Organisations currently relying and looking to rely on SCCs for international data transfers will need to consider the relevant timeline. The key dates for the new SCCs transition are as follows:
- 27th June 2021 – new SCCs became effective and are now usable in new contracts.
- By 27th September 2021 (3 months), prior SCCs must no longer be used in new contracts.
- By 27th December 2022 (18 months), all contracts using prior SCCs must be repapered, replacing prior SCCs with the new SCCs.
While these deadlines may not appear immediately pressing, organisations will need to carefully consider both their options when entering new SCCs from now on and their strategy for amending existing contracts before the 27th December 2022 deadline.
UK-based data exporters should also be aware that the new SCCs are only applicable to exporters transferring data from within the EEA to third countries, as only SCCs approved pre-Brexit are included in the UK GDPR. However, the ICO is expected to publish a new set of ‘UK SCCs’ for consultation in summer 2021 and organisations should ensure they are updated as to any changes introduced.
Lastly, and perhaps most importantly, when relying on the new SCCs for data transfers, parties will need to ensure they have assessed local laws and practices of recipient third countries as part of a wider transfer impact assessment (required by Clause 14(b) of the new SCCs), which should be carried out in accordance with the latest EDPB recommendations. Where necessary, exporters may need to apply supplementary measures to their chosen safeguard. This assessment requirement will be covered in more detail in the next article in our mini-series on international data transfers.
For more information regarding international personal data transfers please contact Phil Thompson, Partner or Sam Ridgway, Data Privacy Consultant.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.