On 4 June 2021, the European Commission (EC) released the highly anticipated new Standard Contractual Clauses (SCCs) for cross-border transfers of data under the European Union’s (EU) General Data Protection Regulation (GDPR). The SCCs are a vital tool to enable the compliant international transfer of personal data from the EEA. The new SCCs take into account both the Schrems II decision and the requirements under the GDPR.
The new SCCs will come into effect on 27 June 2021 and businesses currently using the old SCCs will have 18 months (until 27 December 2022) to update their existing data import and export arrangements. The new SCCs can be found here and will affect many Australian businesses who deal with personal data from the EU or EU entities.
Background – current position
The GDPR contains restrictions on transfers of personal data from the European Economic Area (EEA) to third parties outside the EEA (including to countries such as Australia, the US and UK).
The GDPR only allows personal data (i.e. all information relating to an identified or identifiable living individual) to be transferred outside of the EEA if the EC has decided that the receiving non-EEA country (territory, or one or more specified sectors) ensures an ‘adequate’ level of protection (known as ‘adequacy decisions’). The EU has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
In the absence of an adequacy decision, parties can implement ‘appropriate safeguards’, which essentially means a pre-approved data transfer mechanism used to protect the personal data. For many personal data transfers (where an adequacy decision or other exception is not in place), the only practical solution is the use of SCCs. The SCCs are template contractual provisions which are pre-approved by the EC and therefore cannot be amended.
The new SCCs will replace the old SCCs which were adopted under the EU Data Protection Directive. The new SCCs have been updated to align with the GDPR and provide a practical toolbox to comply with the Schrems II judgment. In Schrems II the Court confirmed the validity of the SCCs for the transfer of personal data processed outside the EU/EEA, while invalidating the EU-US Privacy Shield. While the Court concluded that SCCs were still valid, the Court found that the underlying personal data transfers must be assessed on a case by case basis to determine whether there is adequate protection.
The new SCCs seek to address this by providing an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary.
Key takeaways from the new SCCs
The new SCCs introduce a single comprehensive set of standard contractual clauses. The new SCCs are designed to operate on a multi-party basis, allowing a single set of SCCs to cover transfers of personal data between a number of parties (so that the entire data processing chain can be covered).
The new SCCs have been divided into a modular format, which allows for transfers from:
- controller to controller (Module 1);
- controller to processor (Module 2);
- processor to sub-processor (Module 3); and
- processor to controller (Module 4).
This provides more flexibility for complex processing chains and fills in the well-known gaps in data transfer protection.
Schrems II and Transfer Impact Assessments
The SCCs require the parties to assess (via a transfer impact assessment) whether the laws of the country into which the data is being imported will compromise the data protections afforded under the SCCs, and to determine whether supplementary measures should be put in place (in addition to the SCCs) to ensure that the data is protected to the requisite GDPR standard.
The new SCCs outline additional steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. pseudonymisation and encryption). The European Data Protection Board has provided draft guidance with respect to the performance of Transfer Impact Assessments (which can be found here). However, these recommendations are yet to be finalised.
The new SCCs envision multiple parties to agreements with docking clauses enabling third parties to accede to the agreement at any point in time, thereby reflecting actual practice. This is not a concept which existed in the old SCCs and should prove helpful for many companies.
The SCCs include three annexes to be completed by the parties. The first Annex includes a list of the parties to the SCCs, a description of data transfers and the identity of the competent supervisory authority for each party of the SCCs.
The second Annex deals with the technical and organisational measures that the parties are using to ensure the security of the personal data being transferred.
Finally, Annex III sets out the list of sub-processors used under the SCCs.
Has a transition period been provided?
Yes, there is a transition period.
The new SCCs can be incorporated into contracts from 27 June 2021.
The old SCCs will be repealed (meaning they cannot be used in new agreements) with effect from 27 September 2021.
Between 27 June 2021 and 27 September 2021, businesses can elect to use either the new SCCs or the old SCCs.
Contracts that contain the old SCCs before 27 September 2021 will be deemed to provide appropriate safeguards until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards. This is a relatively generous period; that being said, it is not something that should be left to the last minute.
Do the new SCCs automatically apply to the UK?
As a result of Brexit, the new SCCs will not automatically apply for the purposes of the UK GDPR. However, the UK will likely use the new SCCs as a guide when issuing and consulting on its own version of the SCCs later in 2021.
What should you do now?
If you import personal data from the EU to Australia, or are a data processor providing services to a data controller in the EU, for instance, you are likely to start to see the new SCCs featuring in agreements. Things you should start thinking about doing as soon as possible in light of the introduction of the new SCCs include the following:
- familiarising yourself with the new terms of the revised SCCs before the deadlines approach and considering whether the terms affect your business’ operational processes;
- updating systems, processes and templates so that new transfers are based on the new SCCs and compliant with their provisions (as at 27 June 2021);
- if you have not already done so, implementing and maintaining processes for conducting transfer impact assessments;
- mapping your personal data transfers (e.g. controller to controller, processor to controller, etc.) to understand how the SCCs will apply to your business; and
- identifying all international transfers and contracts using the previous SCCs (more specifically, the contracts that will still apply after 27 December 2022) and assessing how to amend these contracts.