On 4 June 2021, nearly six months after closing its consultation on updated draft standard contractual clauses for transfers of personal data to third countries (SCCs), the European Commission (EC) adopted final versions. The updates aim to bring the SCCs into line with the GDPR and the judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case.
What are the key changes?
The new SCCs look very different in a number of ways from the previous versions. Some of the key changes that the EC has made include:
- Scope of use: In an easily-missed, but interesting, change, the implementing decision confirms that the SCCs can only be used for international transfers to the extent that the data importer is not directly subject to the GDPR. The GDPR applies to controllers and processors outside the EU where they process personal data in connection with offering goods or services to EU citizens or monitoring their behaviour within the EU. This clarification suggests that, where a transfer is to a third party that is directly subject to the GDPR itself, SCCs will not be required. This reflects the position in some regulatory guidance (including from the Information Commissioner’s Office (ICO)) but has been confirmed for the first time in the SCC documentation itself.
- New data transfer scenarios: One crucial gap in the previous SCCs that has caused challenges for many organisations is that they do not allow for transfers from a processor in the EU to a sub-processor in a third country. The new SCCs rectify this by providing a set of processor-to-processor clauses, as well as a set of clauses to cover transfers from an EU processor to a non-EU controller.
- Modular structure: Previously, three different sets of SCCs existed (one for controller-to-processor transfers and two for controller-to-controller transfers). The new SCCs take a modular approach, which brings these different sets of clauses into one document. Alongside a set of general clauses which apply to all scenarios, there are four “modules” which include clauses covering specific transfer scenarios. This approach is more flexible and allows multiple parties to sign up to the SCCs. A “docking” clause also allows additional parties to accede to the SCCs after they have been signed by the original parties.
- Article 28(3) and (4): When the previous SCCs were originally adopted, there were only minimal requirements for mandatory clauses in data processing arrangements. Articles 28(3) and (4) of the GDPR introduced far more extensive mandatory clauses and these are now reflected in the SCCs. This does not prevent the parties from incorporating the SCCs into their own negotiated contracts; however, any additional clauses between the parties must not conflict with the SCCs, and the SCCs will prevail to the extent there is any conflict.
- Local laws affecting compliance: Both parties have to warrant that they have no reason to believe that the laws of the data importer’s country prevent the data importer from complying with the SCCs. This reflects the requirements of the Schrems II judgment to review the third country’s laws and practices and ensure that personal data will remain adequately protected if the SCCs are entered into. The SCCs give an indication of what must be taken into account in making this assessment, helpfully confirming that the circumstances of the transfer should be considered alongside the third country’s laws and practices.
- Government access requests: In another Schrems II-inspired change, the SCCs contain provisions governing what happens if the data importer receives a request for access to personal data by a public authority. Importers are required to notify the exporter, review the legality of the request and explore opportunities to challenge it before responding.
What are the next steps?
The SCCs will now be published in the Official Journal of the EU and will be in force 20 days after that publication. From that date, organisations subject to the EU GDPR that carry out international personal data transfers in reliance on SCCs will have 18 months to transition to the new SCCs.
For organisations carrying out data transfers subject to the UK GDPR, the ICO intends to issue draft new UK SCCs for consultation this summer.
What are the practical implications?
- Organisations subject to the EU GDPR will now need to review their international personal data transfers in earnest to identify the contracts that they will need to remediate by transitioning to the new SCCs. Whilst the 18-month transition period is longer than was originally suggested (the EC’s draft of the SCCs allowed just 12 months), this is likely to be a long and time-consuming exercise and we recommend starting this review as soon as possible, if not commenced already. It is also worth noting that, whilst entering into SCCs has previously been something of a “tick box” exercise, the new modular structure means that more thought will be required to identify the appropriate clauses to be included and to implement them.
- Organisations will also need to think about how they deal with the interplay between the SCCs and any agreements already entered into which contain negotiated Article 28(3) and (4) clauses. Amendments may be required to ensure that there is no conflict between these clauses and the relevant provisions in the SCCs and it will be interesting to see how businesses approach issues such as liability in light of these provisions. The inclusion of Article 28(3) and (4) clauses in the SCCs and associated conflict provisions could lead to increased standardisation of standard data processing clauses and may be very helpful for small businesses struggling to negotiate against much larger players.
- Multinational organisations that carry out data transfers subject to both the UK and the EU GDPR will now face an additional challenge whilst we await the ICO’s UK SCCs. Until the UK SCCs are finalised, UK organisations must continue to rely on the previous EU SCCs and will not have clarity on how the EU SCCs and future UK SCCs might work together. The question therefore arises as to whether to start the lengthy contract remediation process now, in the knowledge that a further exercise may be required when the UK SCCs are finalised, or wait until final UK SCCs are issued and risk losing some time in what is already likely to be a tight timeframe for remediation.
How can we help?
Data mapping and identifying contracts that will require remediation will be crucial to put organisations in the best possible position to kick-start their repapering exercises. We are working with a number of clients in the early stages of their contract remediation projects and have configured our LegalTech tools to use AI to extract relevant information from supplier contracts and enable swift and cost-effective identification of relevant contracts for remediation. Please do contact the team if you would like to discuss how we can assist.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2021. Specific advice should be sought for specific cases.