Businesses should update their contractual agreements according to the new SCCs by 27 December 2021. It would be sensible to have a data privacy lawyer review any cross-border personal data transfers.
On 4 June 2021, the European Commission ("the Commission") adopted the Commission Implementing Decision on standard contractual clauses ("SCCs") for the transfer of personal data to third countries along with its new standard contractual clauses (the "New SCCs"). All contracts existing before 27 September 2021 must change to the new SCCs by 27 December 2021.
The Commission published its draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries in November 2020. It explained that the previously adopted SCCs required updating and modernising due to the new requirements in the General Data Protection Regulation ("GDPR"), developments in the digital economy and the Schrems II judgment.
In the Schrems II judgment, the Court of Justice of the European Union ("CJEU") found that the Commission's adequacy decision for the EU-U.S. Privacy Shield Framework was invalid. In response to this, the CJEU ruled that companies were required to conduct individual analyses to determine whether the privacy protections afforded by countries outside the European Economic Area ("EEA") (so-called "third countries"), other than countries on which the EU has conferred an adequacy decision, met EU standards for the transfer of personal data.
The New Standard Contractual Clauses
The intention of the New SCCs is to provide a comprehensive template for businesses to use, taking into account the various transfer scenarios and ensuring that, once the clauses are implemented, companies are compliant with data protection requirements.
The Commission distinguished four sets of scenarios/modules under the GDPR which controllers and processors should review and select as applicable:
- Module 1 – controller to controller
- Module 2 – controller to processor
- Module 3 – processor to processor
- Module 4 – processor to controller
This approach allows businesses to tailor their obligations and ensures they are compliant with the relevant data protection requirements.
If the Commission has issued an adequacy decision in respect of a third country, data may be transferred outside of the EEA to that country freely. However, where a third country has not been recognised as 'adequate', certain safeguard measures must be implemented. The SCCs are one of these safeguard measures.
Under the New SCCs, it is the data exporter's obligation to assess the level of protection of personal data in the third country and insert the New SCCs in its agreements. There is also an obligation on the data importer to notify the data exporter if there are any reasons why they cannot comply with the New SCCs. If such a notification is received, all data transfers must be suspended or the agreement must be terminated.
The New SCCs also provide guidance on what factors you must consider when performing a transfer impact assessment, which should be made available to the competent supervisory authority on request.
Data importers also have further obligations for when a public authority in the third country requests access to EU personal data. Where possible, the data importer must notify the data exporter and the data subject(s) that a request for access to personal data by a public authority has been received. The data importer is obligated to assess the legality of the request and challenge the order where necessary. All requests and steps taken should be documented and made available to the data exporter.
Transferring data outside of the EEA
Any data exporter who transfers personal data out of the EEA to a third country should also carry out a Data Transfer Impact Assessment ("DTIA"). A DTIA is an assessment process that helps an exporter identify (amongst other things) what data is being transferred, the purpose of the transfer and the lawful grounds for the transfer. It is an internal, non-public document, which helps to record the decision that a data exporter has made that there are appropriate safeguards in place in relation to the personal data that it is transferring.
When Will the New SCCs Be Adopted?
The New SCCs were implemented on 27 June 2021. However, businesses did not need to adopt the New SCCs straight away; data exporters could still begin using the previously adopted SCCs until they were repealed with effect from 27 September 2021. For those businesses which have used the previously adopted SCCs, the Commission has also implemented a transitional period of 18 months from the effective date for controllers and processors to shift towards the New SCCs.
See our previous advisory on this topic "Implementation of New Standard Contractual Clauses" for more details.
How we can assist you
If your current data processing contracts need to be updated to include the new SCCs, or if you may need to carry out a DTIA as mentioned above, please let us know and we would be happy to assist you with this.
Nicole Akinyemi, a Paralegal in the Financial Markets and Funds practice, contributed to this advisory.