What changes can EU organisations expect from the new Standard Contractual Clauses (SCCs) and what steps should they be prepared to take to ensure compliance?
The key takeaway
Now is the time for EU organisations engaged in the transfer of personal data outside of the European Economic Area (EEA) to familiarise themselves with the newly drafted SCCs, and the obligations imposed on parties therein.
The modern global economy relies heavily on the ability to transfer data between nations efficiently. When EU organisations transfer personal data internationally to a third country, they must ensure that certain standards of protection are adhered to; one way in which the parties can do this is by using the SCCs, a template set of contractual terms and conditions which parties to a data transfer sign up to and which are specifically designed to provide protections to personal data that is transferred outside of the EEA.
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in the seminal case of Schrems II (covered in our Autumn 2020 Snapshot), finding it to be inadequate as a means of lawfully transferring the data of EU subjects between the EU and the US. In doing so, the CJEU removed a low-friction data transfer mechanism available to EU businesses, placing greater reliance on the use of the SCCs. In the same decision, the CJEU also considered the adequacy of the SCCs as a means of safely transferring personal data. While the CJEU did not believe that the SCCs should be invalidated as a means of safely transferring data, as the Privacy Shield had been, their use was to be heavily caveated, with additional obligations placed on data controllers and processors to ensure that data-recipient countries maintain adequate levels of protection before any transfer takes place.
On 12 November 2020, the European Commission published revised SCCs and a draft implementing decision. The new SCCs retain many of the principles that were considered positively in Schrems II and also bring the clauses more in line with the data protection requirements under the GDPR, namely those that increase the safeguard requirements around data transfer, afford greater rights to data subjects, and increase transparency obligations.
Whereas previously there were two separate sets of SCCs depending on whether the transaction was between a data controller and processor (C2P), or just between controllers (C2C), the new SCCs are one holistic document that not only covers C2C and C2P data transfer, but also the additional categories of processor to processor and processor to controller data transfer, so as to reflect the full range of modern processing chains.
Some specific updates to the parties’ obligations under the SCCs include:
- Governing law: under the new SCCs, the data subject has significantly increased rights as a result of alignment with the GDPR; while parties to the new SCCs may choose the law that will govern their contract, that choice will only be permitted where the chosen law allows for third party beneficiary rights in respect of the data subject.
- Sub-processors: regarding the engagement of any sub-processor by the data importer, the SCCs now set out the procedure for general or specific authorisation from the data exporter as well as the requirement for a written contract with the sub-processor that ensures the same level of protection to personal data as under the SCCs.
- Assessment of third country data protection: in line with the CJEU decision in Schrems II, prior to agreeing any transfer of personal data, the parties must conduct an assessment of the specific circumstances of the transfer (such as the content and duration of the contract or the nature of the data transferred), the laws of the third country of destination in light of the transfer, and any additional safeguards (including technical and organisational measures applied during transmission and to the processing of the personal data in the country of destination).
- Demonstrable compliance: the parties must be able to demonstrate their compliance with the SCCs. The data importer is required to keep appropriate documentation on its processing activities and make this available to the data exporter on request. The data exporter is permitted to audit the data importer to ensure compliance.
- Rights of termination: the data importer is obliged to notify the data exporter if, after having agreed to the SCCs, it is no longer able to comply with them. The data exporter is entitled to terminate the contract where (i) the transfer is suspended and compliance with the SCCs is not restored within one month, (ii) the data importer is in substantial or persistent breach of the Clauses, or (iii) the data importer fails to comply with a binding decision of a competent court or the competent supervisory authority regarding its obligations under the Clauses.
- Public authority requests: the data importer is obliged to notify the data exporter and the data subject if it receives a legally binding request by a public authority for disclosure of personal data, or becomes aware of any direct access by public authorities to the personal data under the laws of the third country of destination. If, following a review of the legality of such a request, the data importer concludes that there are grounds to challenge the request, it must challenge it to the fullest extent.
Why is this important?
Following the invalidation of the EU-US Privacy Shield, the SCCs have taken on even more importance with regard to data transfer. In light of this overhaul, organisations will undoubtedly face greater administrative and financial burdens to ensure compliance under the new SCCs. Going forward, falling foul of the SCCs will in some cases be akin to breaching the GDPR, and potentially significant penalties
The new SCCs are out for consultation until 10 December 2020 and so it remains to be seen what additional changes may be made prior to finalising. There is expected to be a one-year grace period within which parties can continue to use the historic SCCs, provided that the contract remains unchanged (with the exception of changes required to ensure that data is adequately protected). If changes are made to contracts during this grace period, then parties will have to update their SCCs contemporaneously.
Any practical tips?
Get to grips with the new requirements under the draft SCCs sooner rather than later!
Organisations that intend to transfer data out of the EEA will need to be aware of their obligations under any new contracts, and also of any updates required under historic contracts going forward.
As highlighted in our Autumn Snapshots, make sure to keep an eye on the Brexit deadline. Without a deal in sight at the time of writing, it is looking likely that the UK will become a third country on 1 January 2021 and will depend on an adequacy decision going its way in order to continue receiving data in line with the EU GDPR without other mechanisms (e.g. the SCCs) in place.