Transferring personal data from one EU Member State to another does not entail any formalities beyond the basic and established requirements of the EU General Data Protection Regulation (GDPR). This is because all EU Member States are, by default, deemed to offer an 'adequate level of protection' owing to the robust and largely harmonised privacy laws in place. The same can largely be said of countries within the European Economic Area (EEA).
Transfers of personal data from the EU to the so-called white-listed third countries (which now also includes the United Kingdom) are also relatively straightforward for the same reason, namely, that the EU deems these countries to offer an adequate level of protection.
What is challenging is effecting a data transfer to a third country (outside the EU/EEA) when that country is not 'white-listed'. Such transfers must be permitted on the basis of the restrictive rules laid down in the GDPR itself.
The EU Commission's Standard Contractual Clauses (SCCs) are one of several ways of legitimising such transfers of personal data to third countries. Following several delays and problems with the old SCCs (which still referred to the previous legal regime rather than the GDPR), these have now finally been revamped. Going forward, parties transferring or intending to transfer personal data to third countries will soon (subject to the transitory periods) be required to incorporate the newly released SCCs issued by the European Commission, unless another transfer mechanism or derogation can be identified. Such other mechanisms or derogations go beyond the scope of this brief article.
The updated SCCs are, in part, a reaction to the landmark Schrems II decision of the CJEU (Case C-311/18) which, besides highlighting certain inadequacies in the "old" SCCs, declared the EU-US Privacy Shield to be invalid. One of the main aims of the new SCCs is to incorporate terms that put certain safeguards in place to grant a minimum level of protection for international transfers of personal data in line with the requirements of the GDPR.
In particular, the new SCCs introduce measures to address requests for access to personal data by public authorities located in the third countries in which the data may reside. For example, a data importer must, where reasonable grounds exist, challenge a request for access by a public authority. The SCCs have also been updated to reflect the GDPR.
The SCCs now incorporate the following modules which are applicable according to the data processing roles of the parties:
- Module 1: Controller to controller
- Module 2: Controller to processor
- Module 3: Processor to processor
- Module 4: Processor to controller
Therefore, controllers or processors exporting data outside the EU/EEA need only incorporate the clauses found within the module applicable to them. This certainly adds clarity when compared to the old SCCs, which did not cover the situations envisaged in Modules 3 and 4.
Interestingly, Article 1 of the Commission's implementing decision implies that the SCCs are only applicable where the data importer (controller, processor or sub-processor) is not subject to the GDPR. A strict reading would therefore imply that the SCCs are not necessary where the data importer is already subject to the GDPR on an extra-territorial basis, such as where a non-EU entity targets EU data subjects (in terms of Article 3(2) GDPR). The EDPB's opinion or other authoritative elucidation on this matter would be welcome.
Effective dates and transitory period
The SCCs became effective as of 27th June 2021. However, since many contracts applying the old SCCs are already in force, the European Commission has allowed a transitory period of 18 months during which entities may continue to use the old SCCs. Moreover, the Commission has given entities some room to become familiar with the new SCCs by allowing a three-month transition period during which new processing activities can still be performed under the old SCCs. In other words:
- The new SCCs can be used as of 27th June 2021.
- Any new contracts signed after 27th September 2021 must incorporate the new set of SCCs.
- Any current contracts incorporating the old SCCs must be updated by 27th December 2022.
The new SCCs have already received their fair share of criticism, not least by Max Schrems himself:
Unfortunately, it seems that these new SCCs are not the 'magic wand' that some might have wished them to be. In some cases, simply inserting the SCCs into a contract is not sufficient, especially when transferring personal data to third countries such as the USA, whose national laws in certain respects conflict with the norms enshrined in the GDPR.
The new SCCs do not solve this issue, and any EU entities intending to transfer personal data to countries like the USA must take this into account and adopt appropriate measures to safeguard against it, such as encrypting or pseudonymising the personal data before sending it to such countries or, as a last resort, opting for a service provider located in a different country altogether. That is, of course, a delicate commercial matter that will not be debated here.