The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs.
The Ex-EU SCCs are a mechanism that companies can use to address the restrictions under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) on the cross-border transfer of personal data to third countries. The EC has adopted the Ex-EU SCCs under Art. 46(2)(c) GDPR to replace earlier versions of standard clauses adopted by the EC pursuant to the cross-border transfer restriction in the predecessor to GDPR, the 1995 EC Data Protection Directive (95/46/EC). In particular, the Ex-EU SCCs now replace the EC’s 2001/4 standard clauses for cross-border transfers to data controllers in third countries (“Old C2C Clauses”) and the EC’s 2010 standard clauses for cross-border transfers to data processors in third countries (“Old C2P Clauses”).
The Ex-EU SCCs arrive at a critical juncture in the regulation of cross-border data transfers. Last summer, in a ruling called “Schrems II,” the Court of Justice of the European Union invalidated the EC’s decision approving the EU-U.S. Privacy Shield Arrangement (“Privacy Shield”) as providing adequate protection for cross-border data transfers to the US. See the ConnectOnTech Resource Hub on Schrems II. Negotiations are now aggressively underway between the United States Government (“USG”) and the EC for the development of an update to Privacy Shield to address Schrems II (“Privacy Shield 2.0”). In the meantime, the Ex-EU SCCs, which include language specifically aimed at addressing elements of the Schrems II ruling and related guidance from authorities, will play a central role in virtually all companies’ efforts to address cross-border data transfers under GDPR Art. 5.
The Intra-EU SCCs are a relatively new type of standard clauses. The EC has adopted the Intra-EU SCCs under Art. 28(7) GDPR to help data controllers address the obligation to implement appropriate contractual clauses with data processors under Art. 28(3) and (4) GDPR. The EC has clarified that controllers and processors may choose to negotiate their own contracts containing the compulsory elements in Art. 28(3) and (4) GDPR, or may use the Intra-EU SCCs to address these obligations. Companies should monitor, however, whether the Intra-EU SCCs become a standard benchmark in negotiations about data processing agreements, as they represent a somewhat “official” opinion on what a data processing agreement should look like under Art. 28 GDPR.
The Ex-EU SCCs present a form of “choose your own adventure” structure as the EC sought to modernize the options for companies facing different types of cross-border data transfers. The four different options or modules are as follows:
- Module 1: Controller to controller. This module generally could be used where a controller within the territorial scope of GDPR transfers personal data to a controller in a third country. This could include data transfers between and among affiliates in a group setting, or between customers and service providers where each act as data controllers.
- Module 2: Controller to processor. This module generally could be used where a controller within the territorial scope of GDPR transfers personal data to a processor in a third country. This could include data transfers between customers and service providers where the former is within the territorial scope of GDPR and acts as a controller, while the latter is in a third country and acts as a processor.
- Module 3: Processor to processor. This module generally could be used where a processor within the territorial scope of GDPR transfers personal data to a processor (or sub-processor) in a third country. This module represents an innovation in standard clauses, as the old versions of standard clauses always assumed that the entity in the European Union acted as a controller. This module could be used to help address cloud and other multi-layered service provider arrangements where a processor is within the territorial scope of GDPR and a processor (or sub-processor) is in a third country.
- Module 4: Processor to controller. This module generally could be used where a processor within the territorial scope of GDPR transfers personal data to a controller in a third country. This module also represents an innovation in standard clauses, as the old versions of standard clauses always assumed that the entity in the European Union acted as a controller. This module contains relatively fewer provisions, which reflects the relatively lighter obligations that apply directly to processors under GDPR. This module could be used to help address situations where a service provider, acting as a processor within the territorial scope of GDPR, delivers services to a controller in a third country.
Several key aspects of timing related to the Ex-EU SCCs are as follows:
- The EC Decision on the Ex-EU SCCs enters into force on 27 June 2021 (20 days from publication in the Official Journal).
- The Old C2C Clauses and Old C2P Clauses will be repealed as of 27 September 2021 (three months from the date the EC Decision enters into force). As such, the Ex-EU SCCs will need to be used for any new transfers of personal data to third countries as of 27 September 2021; and
- For Old C2C Clauses and Old C2P Clauses concluded before 27 September 2021, these remain valid until 27 December 2022 so long as the processing and subject matter do not change and the existing clauses ensure appropriate safeguards are in place within the meaning of Schrems II and otherwise. Thus, as of 27 September 2021, it will not be possible to add new data categories or processing purposes to Old C2C Clauses or Old C2P Clauses. This applies in particular to umbrella-style intra-group data processing agreements.
In practice, this means there is just over:
- Three (3) months to prepare for using the Ex-EU SCCs for new agreements/transfers of personal data from the EU; and
- Eighteen (18) months to replace any existing data transfer agreements based on the Old C2C Clauses or Old C2P Clauses with the Ex-EU SCCs or other suitable arrangements.
It should be noted that the Ex-EU SCCs, while answering many questions, create new challenges for companies. Among other issues, open questions include: (i) how to handle transfers to non-EU controllers subject to the GDPR according to Art. 3(2); (ii) why exporters and importers should not be able to limit their mutual liability, as Clause 12(a) suggests; and (iii) whether the transition period (see below) also applies to current Schrems II measures taken by companies.