New Standard Contractual Clauses for international data transfers – what kind of novelties do they introduce?
On 4 June 2021, the Commission issued the long-awaited modernized SCCs (new SCCs), which apply to transfers of personal data by a data exporter (subject to the GDPR) to a data importer (not subject to the GDPR).
1. Schrems II decision’s impact on (old) SCCs
The Court of Justice of the EU did not call into question the validity of the old SCCs, but it rather underlined that the data exporter and the data importer must verify prior to any transfer, on a case-by-case basis, whether an essentially equivalent level of protection to that of the EU is ensured in the third country and, if necessary, provide additional safeguards. The case-by-case analysis should take into consideration all circumstances of the data transfers, including the types of transferred personal data, the purposes of the processing and the categories of data subjects at issue.
Therefore, following the Schrems II judgment, (old) SCCs remained a valid legal instrument to transfer personal data, as long as a (demonstrable and accounted for) essentially equivalent level of protection is met in practice.
2. Key novelties introduced by the Commission’s new SCCs on international data transfers
The adopted new SCCs are more comprehensive than the previous ones (and not only in terms of the length of the text). They are aligned with GDPR obligations and introduce numerous novelties that will shape future transfers of personal data to third countries. The new SCCs are flexible: parties (i) may add other clauses, provided they do not directly or indirectly contradict the SCCs’ provisions or reduce the protection of data subjects, and (ii) may choose among certain options (e.g. with regard to sub-processors, prior specific or general written authorization).
- Modular approach: the new SCCs close the previous gap by covering four data transfer modules: (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller. Data exporters must select the applicable module(s) according to the types of transfers or set of transfers they conduct.
- Concluding an additional data processing agreement (“DPA”) is no longer required, as the new SCCs ensure comprehensive safeguards for the transfer of personal data, in accordance with article 28 of the GDPR. However, the age of DPAs is not over just yet, as parties will likely want to complement SCCs with clauses to govern more specifically their internal relationship and practical aspects.
- Docking clause: the newly introduced docking clause allows entities (third parties) that are not original parties to the SCCs to accede to the clauses at any time as a data exporter or a data importer – a novelty that is particularly beneficial for companies performing intra-group transfers. The acceding party will not have rights or obligations arising before its accession (clause 7).
- Sub-processing: under module 2 (controller to processor) and module 3 (processor to processor), the parties can choose to agree to either the data exporter’s prior specific written authorization of sub-processors or to the data exporter’s general written authorization to the use of sub-processors from an agreed list (clause 9).
- Third-party beneficiaries: just like with the old SCCs, data subjects as third-party beneficiaries are entitled to invoke and enforce certain provisions in the new SCCs, while the data importer is required to inform data subjects, through individual notice or on its website, of a contact point and to deal promptly with any complaints (clause 11). Third-party beneficiary rights can be invoked by data subjects, but also, for instance, by a data exporter that finds itself with an insolvent data importer, allowing the data exporter to terminate contracts with sub-processors and require the return or deletion of personal data.
- Liability: no limitation of liability towards data subjects is allowed. In the internal exporter-importer relationship, the clauses state that each party is liable towards the other party for any damages it causes the other party by breaching the new SCCs (clause 12). It remains unclear whether a contractual limitation of liability between the parties, which is allowed under a certain interpretation of the GDPR, would conflict with this provision and thus not be allowed. In the absence of further guidance and case law, parties wanting to limit liability internally would have to draft clauses that do not directly or indirectly contradict the SCCs’ provisions. In case of contradiction, the SCCs prevail.
- Supervisory authority: unlike the old SCCs, the new SCCs recognize that the data exporter can also be a non-EU entity that falls under the scope of the GDPR. If the data exporter is not established in the EU, the competent supervisory authority will be that of the Member State in which the European representative is established. By entering into the new SCCs, the data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority (clause 13).
- Local law assessment and obligations in case of access by public authorities (section III of the new SCCs, applicable to all four modules): the data exporter and the data importer warrant that they have carried out an assessment of the local laws in the jurisdiction to which the personal data will be transferred and that they have no reason to believe that the laws and practices at issue will prevent the data importer from fulfilling its obligations under the new EU SCCs (risk-based approach). The parties should document such an assessment and make it available to a data protection supervisory authority on request. Importantly, the elements to be considered when making the assessment include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests. The possibility to include subjective elements of proof (such as practical experience with disclosure requests or, better, the lack thereof) is an important and favorable provision for organizations, as the EDPB’s guidance on supplementary measures published in late 2020 sought to exclude reliance on subjective circumstances. The data importer is obliged to promptly notify the data exporter if it (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of transferred personal data or (ii) becomes aware of any direct access by public authorities to transferred personal data. If the data importer is prohibited from making such a notification, it should use its best efforts to get the prohibition waived. The data importer must also provide regular transparency reports about the requests it receives.
- Non-compliance with the new SCCs: the data importer should promptly inform the data exporter if it is unable to comply with the new SCCs for any reason whatsoever. If the data importer is in breach of the new SCCs or is no longer able to comply with them, the data exporter should suspend the transfer or terminate the contract. The data exporter is entitled to terminate the contract if: (i) the data exporter has suspended the transfer because of the data importer’s breach or inability to comply with the SCCs, and the data importer did not restore compliance within a reasonable time (or, in any case, within one month of suspension); (ii) the data importer is in substantial or persistent breach of the SCCs; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the SCCs. In these cases, the data exporter should inform the competent supervisory authority (clause 16).
- Security measures (Annex II): the technical and organizational measures (“TOM”) adopted to safeguard the personal data transfers cannot be described in a generic form. The TOMs should be specific and clearly indicate which measures apply to each transfer.
- Timing: the new SCCs enter into force twenty days following their publication in the Official Journal of the EU (i.e., publication on 7 June 2021). A transitional period of 18 months is provided to allow the uptake of the new SCCs for existing contracts. Until then, existing contracts can validly rely on the old SCCs. In short, the timing for organizations to enter into the new SCCs is as follows:
  - 27 June 2021: the SCCs (implementing decision) enter into force and organizations may validly adopt them.
  - For a 3-month period, until 27 September 2021, organizations may continue to sign the old SCCs when concluding contracts. After 27 September, old SCCs can no longer be newly signed; all new contracts must be concluded by entering into the new SCCs.
  - For an 18-month period, until 27 December 2022, organizations can rely on old SCCs previously entered into. During that period, they must progressively replace old SCCs with new ones. Upon contract renewals or changes in processing operations occurring within the next 18 months, organizations must enter into the new SCCs. By 27 December 2022, all contracts must rely on the new legal instrument and the old SCCs must be entirely phased out.
3. Next steps?
Companies relying on SCCs for their data transfers should start planning the uptake of the new instrument and the related compliance efforts as soon as possible. The final version of the EDPB’s guidance on supplementary measures is also expected shortly and, together with any forthcoming guidance and developments in practice, will be a useful benchmark for compliance and best practices.
Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.