Raising the Standard – New Standard Contractual Clauses for International Transfers
Thursday, 10 June 2021
On 4 June 2021, the European Commission (the Commission) published its Implementing Decision to adopt the final form of the Standard Contractual Clauses for transfers of personal data to ‘third countries’ (i.e. territories outside the European Economic Area (EEA) not considered by the Commission to provide an adequate level of protection to data subjects by virtue of an ‘adequacy decision’) (the New SCCs, available here).
The New SCCs will replace the existing form of Standard Contractual Clauses that were adopted more than a decade ago under the predecessor to the GDPR, the now repealed Data Protection Directive 95/46 (the Old SCCs). The New SCCs were published in draft consultation form in November last year (read our earlier report on the draft SCCs). The New SCCs have been adopted in order to:
- Update references and obligations on the parties with their equivalent provisions in the GDPR.
- Ameliorate shortcomings in the Old SCCs such as limitations on the number of parties to the contract or provision for processors as the party exporting the data out of the EEA.
- Address the obligations identified by the Court of Justice of the European Union in its Schrems II (Case C‑311/18) judgment in July 2020 (see our previous report on the judgment).
Scope of the New SCCs
The New SCCs demonstrate greater cognisance of the complexity of data processing relationships in the modern digital economy.
The New SCCs are significantly more onerous than the Old SCCs and extend GDPR obligations to data importers, including enforceability of the third party rights of data subjects.
As with the Old SCCs, the parties are free to include the New SCCs in a wider contract and to add other clauses or additional safeguards, provided they do not contradict the New SCCs or prejudice the fundamental rights or freedoms of data subjects.
The Old SCCs provide only for bilateral relationships, covering controller-to-controller transfers or controller-to-processor transfers. The New SCCs combine general clauses with a modular approach to cater for four transfer scenarios:
- Controller-to-controller (module one)
- Controller-to-processor (module two)
- Processor-to-processor (module three)
- Processor-to-controller (module four)
The New SCCs also permit the incorporation of an optional ‘docking clause’ whereby additional parties can accede at a later stage.
The New SCCs allow for the data exporter to be located outside the EEA, a situation not recognised in the Old SCCs.
The New SCCs are effective from 27 June 2021 and can be utilised by data exporters and importers from that date. Parties do have the option to enter into the Old SCCs for a period of three months (until 27 September 2021). All transfers relying on Old SCCs must however be replaced by 27 December 2022 with the New SCCs. In effect, there is an 18-month transition period for the introduction of the New SCCs.
- Obligations on the Parties – Section II of the New SCCs sets out substantive obligations on the parties to reflect their respective roles and responsibilities under GDPR (i.e. as controllers and/or processors).
- Onward Transfers – Onward transfers by data importers to other recipients are permitted only in limited circumstances, for example where required to defend or establish legal claims or where the sub-processor agrees to be bound by or accede to the New SCCs.
- Data Processing Agreements/Data Sharing Arrangements – Parties will need to consider in respect of any data processor relationships (Article 28) and joint data controller relationships (Article 26) involving international data transfers, whether the mandatory GDPR requirements for inclusion of particular provisions are met. There are variations depending on which module applies.
- Liability and indemnification – Under the Old SCCs, parties were free to negotiate liability and indemnification provisions with one another in their data processing and sharing agreements (and this remains the case for intra-EEA arrangements). The New SCCs now prescribe the specific liability and indemnification provisions to apply for each module/relationship, which are reflective of the requirements of Article 82 of GDPR.
- Transfer risk assessments – The New SCCs provide, in response to Schrems II (see our earlier report on the judgment), that the parties must warrant, at the time of signing the New SCCs, that they have no reason to believe that the laws and practices in the destination third country prevent the data importer from fulfilling its obligations under the New SCCs. A risk assessment will be required in order to comply with this requirement and the New SCCs provide further guidance on the methodology to be used. The European Data Protection Board is expected to provide further guidance by mid-June, when it is expected to publish its final recommendations on risk assessments and supplementary measures. These should be reviewed in tandem with the New SCCs.
- Businesses will need to identify what SCCs are already in place or under negotiation and prepare to migrate them to the New SCCs, working with the data importing or exporting counterparty to ensure they are in place before the end of the transition period.
- Any transfer risk assessments already undertaken in response to Schrems II will need to be reviewed against the formal requirements introduced by the New SCCs.
Our data protection team is available to assist you with understanding the implications of the New SCCs for your business, assessing which SCCs apply and drafting the required SCCs, as well as advising you on compliance with Schrems II transfer risk assessments in this context. For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace LLP Data Protection/GDPR Team.