In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.
It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
The two sets of SCCs are (i) for use between controllers and processers inside the EU/EEA, and (ii) for cross border transfers between controllers and processers. Both can be used as of 27 June 2021. Note that the effect of Brexit has added
What are the key takeaways?
- There are now approved SCCs for intra-EU agreements under Article 28. As a consequence, there is now a “safe harbor” to ensure all of an entity’s processor (Article 28) agreements are compliant. This did not exist previously.
- The SCCs have a ‘modular approach’, enabling multiple parties to join and use them. Additionally, now there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, there was a need for a different agreement for each of the two Articles.
- The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. encryption, pseudonyms).
- As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. relating to the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
- There is an 18 month transition period for controllers and processors to update the current SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12 month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but these contracts will then need to be updated within the transition period.
The new SCCs have made some significant changes in how to implement, and how hard it is to implement, the clauses. The previous SCCs were fairly simple to implement – you just filled out the blanks in the appropriate form (i.e. controller-to-controller, or controller-to-processor) and you were done. The new SCCs are not as easy an exercise. While the original data flows under the original SCCs are still present, the new SCCs recognize that services businesses in the EU shouldn’t be left out of the thinking of the SCCs. And considering the processor in the EU working with foreign (e.g. US) data shouldn’t impose the GDPR on exclusively non-EU data, we now have “processor to sub-processor” and “processor to controller” modules.
In addition to the various modules, there are embedded “options” in the various modules as well (e.g. Clause 13). This is a significantly new format, and one which will require legal counsel to determine which module to use.
Along with the counsel needed to figure out just which modules and options to use in the SCCs, the Schrems II considerations also now demand a much higher level of legal work as part of the execution of the SCCs. Now, parties have to undertake a legal evaluation of whether or not there are local law issues which might make the enforcement of the SCCs provisions (including enforcement by 3d party beneficiaries) problematic. This evaluation has to be documented, and this documentation has to be in a form that is available to a supervisory authority should they request it. This means the documentation can’t be hidden away under attorney-client confidentiality rules. It will need to be available to a public authority.
There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer doesn’t have an EU Representative). However, these will have significantly less of a “cost to implement” than the new structural and analytical requirements.
How does this affect transfers with the UK?
The SCCs are not applicable to the UK GDPR. However, the UK’s Information Commissioner’s Office (“ICO”) has said it will consider recognizing the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that the recognition of EU SCCs will be a contingency on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some sort of recognition of the EU SCCs, even in light of the UK’s promulgating their own. This is similar to the way the Swiss and the EU have managed interoperability between each of their own SCCs.