EU approves new standard contractual clauses for cross-border transfers of personal data
The European Commission published the long-awaited standard contractual clauses for transfers of personal data from the EU to third countries in early June. Companies currently relying on the old versions of the SCCs are granted a period of 18 months to implement the new SCCs. However, in any new agreements the new SCCs must be taken into use by 27 September 2021. While the transitional periods are certainly welcomed by companies, the updating work is likely to take a long time within organizations, and it will be important to start the updating projects as soon as possible. Organizations must also consider the need for possible additional technical (e.g. pseudonymization or encryption), contractual and organizational measures when transferring data, in light of the EDPB’s recommendations on supplementary measures, which were adopted on 18 June 2021.
On 4 June 2021, the European Commission adopted new standard contractual clauses (SCCs) to cover the exchange of personal data. The first set of SCCs concerns transfers between controllers and processors within the European Union (EU) and European Economic Area (EEA) and the second the transfer of personal data to third countries outside the EU/EEA. This article focuses on the latter, which contains standardized and pre-approved template clauses that organizations can incorporate into their data sharing contracts to ensure that cross-border data sharing meets the EU data protection standards.
The new SCCs will be available for use as of 27 June 2021, when the implementing decision will be effective. However, organizations may continue to enter into the old set of SCCs during a three-month transitional period. All SCCs entered into prior to the expiration of the aforementioned transitional period will continue to be valid for an additional fifteen-month period, i.e. until 27 December 2022, unless the underlying processing activities change, in which case organizations must start using the new SCCs.
While the EU’s General Data Protection Regulation (GDPR) governs data exchanges within the EEA, uncertainty has prevailed over how organizations can lawfully transfer data outside the EEA. For example, the old SCCs were not fully aligned with the GDPR requirements and the validity of the SCCs had been questioned.
On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its landmark Schrems II ruling, setting additional requirements on GDPR-compliant cross-border transfers of personal data (e.g. obligation to assess the level of data protection in the third country and adoption of so-called additional safeguards when using SCCs) and declaring the so-called Privacy Shield transfer mechanism invalid. The Schrems II ruling has been elaborated in more detail in our previous article, available here. The new SCCs take into consideration both the new requirements set out in the GDPR and the Schrems II ruling and provide for new efficient ways to transfer personal data overseas.
The key changes presented by the new SCCs
The modernized SCCs will replace the current SCCs which have been adopted under the Data Protection Directive. The new SCCs aim to ensure a high level of data protection by considering the requirements of the GDPR, the Schrems II ruling along with the joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), as well as the feedback from stakeholders and the EU member state representatives.
- Update in compliance with the GDPR: The new SCCs enhance GDPR compliance in data transfers by targeting the insufficiencies of the current SCCs. The old SCCs include the data protection principles of the Data Protection Directive, whereas the new SCCs comply with the principles in the GDPR, for example additional transparency requirements and accountability requirements.
- Broader range of transfer scenarios and a modular approach: The old set of SCCs only covers data transfers between controllers (C2C) and from a controller to a processor (C2P). The scope of the new SCCs extends also to data transfers between processors (P2P) as well as from a processor to a controller (P2C). The new SCCs include provisions which apply to all types of data transfer and, in addition, there are modular provisions, which apply only to certain types of data transfer. The modular provisions of the new SCCs concern, for example, the data protection principles, the use of sub-processors, the rights of the data subjects, redress, liability and indemnification and supervision in different types of data transfer. Some provisions, such as the provisions regarding liability, apply to all data transfers under the new SCCs, whereas others apply only to certain data transfers. Some tailoring is therefore required before the SCCs can be taken into use.
- Docking Clause: The new SCCs offer the possibility for more than two parties to join and use the SCCs. This, along with the modular approach, offers more flexibility for complex processing chains.
- Updates based on the Schrems II ruling: Updates relating to the Schrems II ruling include provisions concerning the exporter’s duty to assess the level of protection in a third country and the importer’s duty to notify the exporter on possible problems with compliance with the SCCs (transfer impact assessment). In relation to the latter obligation, there is also an obligation to either (i) stop data transfers and terminate the agreement or (ii) add additional safeguards and notify the data protection authorities if the transfers will be continued despite the GDPR compliance concerns.
The new SCCs offer a toolbox to comply with the Schrems II ruling, including an overview of different steps organizations have to take to comply with Schrems II as well as examples of possible “supplementary measures”, e.g. encryption, that organizations may take into use, if considered necessary. These should be assessed in light of the EDPB’s recommendations on the supplementary measures, which were adopted on 18 June 2021.
Important notes regarding the implementation of the new SCCs – time frame and next steps
The date of effect of the Commission Implementing Decisions regarding the SCCs for controllers and processors as well as international transfers will be 27 June 2021, after which the new SCCs may be used in data transfer agreements. However, there is a 3-month grace period, meaning that organizations may use the current SCCs in data transfer agreements until 27 September 2021. From 27 September 2021 onwards, all new contracts must use the new SCCs.
Furthermore, there is an 18-month transition period, meaning that all existing data transfer contracts using the present SCCs will have to be updated to comply with the new SCCs by 27 December 2022. However, if the underlying processing activities change, organizations must start using the new SCCs already when implementing the changes to the processing activities.
In practice, the first step of implementing the new SCCs into data transfer agreements is for organizations to know their transfers. This means that data exporters must map all transfers of personal data to third countries to identify the cases in which personal data is transferred outside the EU/EEA, and thereafter assess the level of protection in the third country, to assess whether there is a need to update the transfer mechanism (e.g. implementation of the new SCCs) and introduce additional safeguards (e.g. technical measures such as encryption).
Since all of these steps require a lot of time, including contract negotiations with several contracting parties in the value chain, it may be challenging to have all steps completed within the 18-month transitional period. It will therefore be important to commence the preparation of the required changes as soon as possible with a clear prioritization plan.
Article written by Associate Trainees Suvituuli Heikkinen and Jennika Sucksdorff.