Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates. When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.
In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.
(1) Transition Period
The new SCCs enter into force on June 27, 2021, at which time organizations may begin incorporating them into new contracts. However, organizations may continue signing the old SCCs in new agreements until September 27, 2021, and then have 15 additional months (until December 27, 2022) to introduce the new SCCs into existing agreements that relied on the old SCCs, “provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.”
This transition period provides greater flexibility than the 1-year deadline date originally proposed, which should be a welcome development that will give organizations a bit more time to assess the implications of the new SCCs and update their internal and external contracts (and related processes) accordingly.
The new SCCs are designed to provide adequate safeguards for the transfer of personal data outside of Europe in four possible transfer scenarios: controller-to-controller (“C-C”), controller-to-processor (“C-P”), processor-to-controller (“P-C”) and processor-to-processor (“P-P”). The relevant obligations for each of these permutations are set out in separate “modules” within certain clauses of the new SCCs. This consolidated modular approach is a significant update to the old SCCs, which provided two separate sets of clauses for only two transfer scenarios (C-C and C-P).
Many welcome the inclusion of the new scenarios, in particular the P-C scenario (where a processor based in Europe transfers personal data to a controller based outside of Europe), as they better reflect the diversity of data flows in the modern age, and give greater flexibility to incorporate the new SCCs into a broader range of use cases. Relatedly, the new SCCs also enable controllers or processors located outside of Europe—who may be directly subject to General Data Protection Regulation (“GDPR”) due to its broad territorial scope—to act as “data exporters” for purposes of the clauses.
(3) Data Processing Terms and Other Changes Stemming from the GDPR
The old SCCs predated the GDPR (published in 2004 and 2010, respectively), and therefore, did not reflect all the requirements of the GDPR (which began to apply in 2018). Thus, a significant number of the changes introduced in the new SCCs seek to harmonize their provisions with the requirements of the GDPR. For example:
- The C-P and P-P modules of the new SCCs include all the terms required by Article 28 GDPR. Therefore, it will no longer be necessary for organizations to include supplemental terms to meet those requirements when transferring personal data to a processor or sub-processor based of Europe.
- The new SCCs require a detailed description of the technical and organizational measures that the data importer has implemented to protect personal data in all transfer scenarios (not only for C-P transfers). The Annex includes a detailed list of possible measures that the data importer should consider implementing, including requirements for data security (e.g., pseudonymization and encryption), data retention, data minimization and accountability, and so forth.
- The new SCCs establish joint and several liability of the parties vis-à-vis data subjects, and each party must indemnify the other for the portion of liability corresponding to its responsibility. This essentially reflects the liability provisions set out in Article 82 GDPR.
- The C-C module of the new SCCs includes specific obligations that data importers must fulfill, which largely reflect GDPR obligations for controllers. That said, there are a few noteworthy updates to mention here, in particular:
- The final version of the SCCs removed language in the draft version that enabled data importers to process personal data under the new SCCs for purposes “compatible with” those set out in the relevant Annex of the new SCCs. Now, data importers must process personal data only for the purposes identified in the Annex, and may process such data for other purposes only if: (1) the data subject has given prior consent; (2) the processing is necessary to establish, exercise or defend legal claims; or (3) the processing is necessary to protect the vital interests of the data subject or another individual.
- The data importer must proactively inform data subjects of the data importer’s identity, the categories of personal data it processes under the SCCs, the right of data subjects to obtain a copy of the SCCs, and about any onward transfers, including the recipients or categories of recipients and the purpose of the onward transfer (unless data subjects already have this information or providing it would involve a disproportionate effort). The new SCCs also include detailed rules on onward transfers, which reflect the transfer requirements of the GDPR.
Some of the obligations included in the new SCCs arguably go even further than the GDPR. For example, the SCCs require both data exporters and data importers to notify their counterparty if they become aware that transferred personal data is inaccurate or outdated. While this obligation is generally consistent with the GDPR’s data accuracy principle, it may compel data importers to proactively monitor the accuracy of data received under the SCCs, which could be challenging to do in practice.
Further, data importers in the C-C scenario must, without undue delay, notify both the data exporter and the competent supervisory authority of a personal data breach if it is “likely to result in a risk to the rights and freedoms of natural persons.” The draft version of the SCCs required such notification only if a personal data breach is likely to result in “significant adverse effects,” making the standard articulated in the final version notably stricter.
(4) Changes Stemming from the Schrems II Decision
The new SCCs also include obligations responsive to the Court of Justice of the European Union’s (“CJEU”) ruling in Schrems II. In particular, the new SCCs require the data exporter to use “reasonable efforts” to confirm that a data importer is able, through the implementation of technical and organizational measures, to satisfy its obligations under the clauses. More specifically, the new SCCs stipulate the following:
- Both parties warrant to conduct and document an assessment of (among other things) whether the laws and practices in the data importer’s country would prevent them from fulfilling their obligations. Notably, the new SCCs make clear that the parties may take into account the specific circumstances of the transfer (including intended onward transfers) and additional safeguards that the parties have implemented when performing this analysis. The final version of the new SCCs includes a footnote which clarifies that this assessment may take into account “practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame,” so long as it is “supported by other relevant, objective elements” and is corroborated by publicly available information that is reliable. The assessment must be provided to supervisory authorities upon request.
- The data importer must notify the data exporter promptly if it believes it is (or will become) subject to laws that change the above-mentioned assessment. In such a case, the parties must put in place additional safeguards or suspend the transfer. Further, even if the parties put in place additional measures to safeguard the transfer, the data exporter must notify the competent supervisory authority of the situation and the new measures in place.
- The data importer must notify the data exporter (and where possible, the data subject) promptly whenever it receives a government access request, and challenge such requests if it “concludes that there are reasonable grounds to consider that the request is unlawful.” The new SCCs also require the data importer to provide the data exporter with “as much relevant information as possible on the requests received” and to use best efforts to waive any prohibition on notice. Similar to the transfer assessment, the data importer must document its legal assessment of government access requests, and make it available to the data exporter and/or competent supervisory authority upon request.
- The data importer (in all four modules) must provide data subjects with a point of contact to whom they can submit requests and complaints. In the C-C, C-P and P-P modules, the new SCCs also require the data importer to accept the jurisdiction of the relevant EU supervisory authority or court, and binding decisions they may issue. Notably, the new SCCs include an optional clause that would allow the data importer to offer data subjects the possibility to lodge complaints with an independent dispute resolution mechanism.
If data importers and data exporters determine that the SCCs do not provide sufficient safeguards as-is to transfer personal data outside of Europe, they must implement supplementary technical, contractual, and/or organizational measures to lawfully transfer personal data under the SCCs. In November 2020, the EDPB published draft recommendations on these supplemental measures (see our blog post here), a final version of which is expected to be published imminently.
We are continuously monitoring these developments, and we have significant experience in assist multinational companies and organizations in navigating complex cross-border transfer requirements in Europe and beyond.