On June 4, 2021, the European Union’s (EU) executive branch, the European Commission (EC), released their new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU’s General Data Protection Regulation (GDPR), ending a long wait for revised SCCs. The new SCCs resolve certain practical issues companies faced when using the older versions but simultaneously introduce new obligations for businesses that transfer personal data out of the EU. The EC also released a set of SCCs to address GDPR Article 28 requirements for controller-to-processor personal data transfers within the European Economic Area (EEA). This blog post focuses on the SCCs developed for cross-border personal data transfers.
SCCs are one of the most commonly used mechanisms for transferring personal data out of the EEA to countries that, like the United States, are not considered to provide “adequate” data protection under the GDPR. The EC’s existing sets of SCCs (adopted in 2001, 2004 and 2010) have been in need of an update for some time. Issues with the old SCCs range from basic inaccuracies (for example, they still reference the now-defunct 1995 EU Data Protection Directive) to substantive problems affecting applicability, as they cannot readily be applied in many common transfer scenarios.
The push to revise the SCCs only increased following the July 2020 Schrems II decision. Schrems II questioned the legitimacy of the SCCs – ultimately finding them valid – and dismantled the EU-U.S. Privacy Shield Framework, putting pressure on U.S. companies both to rely on SCCs for continued cross-border personal data transfers from the EEA and to use SCCs more judiciously and with appropriate regard for the EU Court’s analysis of U.S. privacy protections.
A significant open question is how the European Data Protection Board (EDPB) and Member State data protection authorities will interpret the requirements of Schrems II and enforce compliance with the revised SCCs. Although the final SCCs take into account the EDPB’s feedback on the draft SCCs and “the opinion of Member States’ representatives,” the revised SCCs endorse a more nuanced approach to cross-border transfers than that allowed in the EDPB’s draft guidance on supplemental measures for cross-border data transfers. Ideally, we will see closer alignment between these SCCs and the EDPB’s final guidance on supplemental measures, which we expect the EDPB to issue in the coming weeks.
How Quickly Must the New SCCs Be Implemented?
Most businesses will have approximately 18 months to transition to the new SCCs. The EC’s implementing decision lays out the following:
- On September 27, 2021, all prior versions of cross-border SCCs will be repealed and can no longer be used for GDPR-compliant data transfers, and all new data transfers relying on the SCCs as a data transfer mechanism must use the new SCCs in order to be GDPR-compliant.
- Organizations with existing SCCs in place will have until December 27, 2022, to implement the new SCCs, but supplemental measures may be required by data controllers in the interim. Note, however, that if the underlying agreement between the parties is renegotiated or the scope of data processing is otherwise changed during the transition period, the new SCCs must be implemented at that point.
Key Practical Updates
- The SCCs are presented as a single document with four different modules applicable to various relationships between the parties: controller-controller, controller-processor, processor-processor and processor-controller.
- When the new SCCs are used for cross-border data transfers from a company subject to the GDPR to a data processor or subprocessor, it will no longer be necessary to enter into a separate data processing agreement, as the GDPR Article 28 requirements for those relationships are baked into the new SCCs.
- Multiple controllers and processors may sign on to the same set of SCCs, addressing a common problem with the old clauses, which only contemplated a single exporter and a single importer as signatories.
- An optional docking clause allows parties to be added as new signatories after the execution of a set of SCCs, subject to agreement of all parties.
The flexibility introduced by these changes should streamline the contracting process by more accurately capturing the relationships between the parties and eliminating the need to implement multiple sets of SCCs to cover various parties within the same business relationship.
Expanded Obligations for Data Exporters and Data Importers
New provisions in the SCCs squarely address concerns articulated in the Court of Justice of the European Union’s Schrems II decision, strengthening essential security measures, imposing limitations on disclosing personal data to public authorities, and stipulating assessment and audit processes to ensure compliance with the SCCs. Prior to implementing the revised SCCs, many U.S. businesses will have some work to do to ensure compliance with these new obligations. U.S.-based data processors should anticipate additional questions from data controllers prior to SCC implementation, while data controllers should be prepared to assess the ability of other parties to meet the obligations of the SCCs and the adequacy of any proposed supplemental measures. Depending on the data importer’s role, new obligations may require revisions to existing public-facing privacy notices and procedures for responding to data subject requests, ensuring personal data accuracy, regularly carrying out security checks, accessing personal data, reporting data breaches and retaining personal data. All parties to the SCCs should expect to assume active responsibility for monitoring compliance with the SCCs throughout the relationship.
- Redress and Third-Party Beneficiary Rights. All data importers must transparently provide EU data subjects with an easily accessible contact authorized to handle complaints related to compliance with the SCCs, and any such complaints must be dealt with promptly. If the data subject invokes third-party beneficiary rights and files a complaint, the data importer must agree to accept a binding decision under EU or Member State law. Note as well that SCC signatories must agree to be bound by the laws of a country, typically an EU Member State, that allows third-party beneficiary rights.
- Data Processing Purpose Limitation. While data processors have always been limited to data processing only on the explicit instructions of the data controller, the new SCCs also limit data processing by importing controllers to the explicit purposes set out in Annex I.B of the SCCs, with limited exceptions (including prior explicit consent, defense of legal claims and protection of an individual’s vital interests).
- Onward Transfer Restrictions. Onward transfers to countries outside the EEA, including further transfers within the same country as the data importer, are restricted, with limited exceptions (depending on the relationship between the parties) unless the third-party recipient of the onward transfer also agrees to the SCCs or can otherwise guarantee an equivalent level of protection.
- Recordkeeping and Other Required Documentation. All parties to the SCCs must be able to demonstrate their compliance with the SCCs and must keep documentation of the data processing activities for which they are responsible. Other parties to the SCCs as well as relevant supervisory authorities in the EU can request compliance documentation and may be able to audit the data importer’s compliance. Other required documentation includes data breach recordkeeping, processing instructions for data processors, documented assessments of recipient countries’ laws and practices, and internal records related to public authority requests for data disclosures. Businesses should ensure that this documentation is accurately maintained and can be produced easily if it is requested.
Local Laws and Obligations in Case of Access by Public Authorities
Two clauses in Section III of the revised SCCs address a central issue raised in Schrems II (access to data by public authorities). The first requires all parties to the agreement to assess third-country laws and to analyze the associated data transfer risks. The second imposes new obligations on a data importer in the event of access by a public authority.
- Third-Country Assessments and Analysis of Data Transfer Risks. The new SCCs require that the local laws and practices of countries outside the EEA must be assessed prior to implementation of SCCs. The assessment must be documented and provided to supervisory authorities upon request. Although the data importer has primary responsibility for carrying out this assessment, all parties must warrant that “they have no reason to believe” third-country laws “prevent the data importer from fulfilling its obligations” under the SCCs. The SCCs allow the parties to consider the specific circumstances of the personal data transfer, relevant safeguards in place to protect the personal data, and non-EU laws and practices relevant to the data transfer and processing.
Importantly, parties may consider “reliable information on the application of the law in practice,” “the existence or absence of requests in the same sector,” and the data importer’s “relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame.” This means parties may subjectively analyze the importer’s risk of receiving disclosure requests – an approach that the EDPB’s draft guidance on supplemental measures expressly rejected (“you should … not rely on subjective factors such as the likelihood of public authorities’ access to your data …”). Should any circumstances change the assessment of the recipient jurisdiction such that the data importer can no longer comply with the SCCs, the data importer must promptly notify the data exporter, and the data exporter must take appropriate action.
- Obligations in Case of Public Authority Access Requests. Where a data importer receives a public authority’s request for data or otherwise “becomes aware of” a public authority’s “direct access” to data, the SCCs impose two obligations on the data importer. First, the importer must promptly notify the data exporter and, where possible, the affected data subject(s). If the public authority prohibits the importer from notifying the exporter or data subject, the importer must use its best efforts to obtain a waiver of the prohibition.
Second, the importer must challenge requests by public authorities if the importer concludes there are reasonable grounds to consider the request unlawful under “the laws of the country of destination, applicable obligations under international law and principles of international comity.” These challenges must be aggressive, including appeals if possible and efforts to suspend disclosure orders until a competent judicial authority has ruled on the merits. The importer must document its assessment of potential challenges to a government request and its efforts to challenge the request. The importer must also provide regular reports on requests received from public authorities.
Technical and Organizational Measures / Supplemental Measures
Data exporters using the SCCs must warrant that they have “used reasonable efforts” to determine whether data importers can, “through the implementation of appropriate technical and organisational measures,” fulfill their obligations under the SCCs. Protections to help secure personal data must be in place during and following transfer, and the appropriate level of security can be assessed holistically with reference to the state of the art, implementation costs, risks to the individual, and the nature, scope, context and purposes of the data processing. Additional restrictions are recommended when sensitive personal data is processed. In transfers between data controllers, the importing controller is assigned primary responsibility for complying with the GDPR’s personal data breach notice and recordkeeping requirements.
Annex II of the new SCCs requires a statement regarding the technical and organizational measures taken to ensure the security of personal data. Businesses should be prepared to have this information available and updated regularly. The security information may be redacted (at least in part) if the SCCs must be disclosed in response to a data subject request, but only if a meaningful summary of the security measure(s) is provided instead. The SCCs also introduce clearer data retention requirements, and retention periods must be listed in Annex I.
The SCCs alone may not guarantee essentially equivalent protection, and a transfer assessment is always required. This means that companies likely will need to consider the SCCs in conjunction with the EDPB’s (not-yet-final) guidance on supplementary measures to ensure an EU level of personal data protection and other relevant direction from data protection authorities as such guidance develops. As with the existing SCCs, parties cannot modify the text of the new SCCs; however, supplementary measures may still be required to ensure that the transferred personal data receives a level of protection essentially equivalent to that guaranteed within the EU. Drawing on GDPR Recital 109, the revised SCCs allow adding “other clauses or additional safeguards” as long as these do not either contradict the SCCs or “prejudice the fundamental rights or freedoms of data subjects.”
What About the United Kingdom?
The new SCCs are not valid in the United Kingdom, so a company cannot use them for transfers from the United Kingdom to the United States. Data exporters in the United Kingdom can continue to use any existing EU SCCs that were valid as of December 31, 2020, and the Schrems II decision and its assessment requirements continue to apply in the United Kingdom. The UK’s Information Commissioner’s Office (ICO) plans to publish UK SCCs for cross-border data transfers, along with additional guidance, in 2021. In the meantime, the ICO has published versions of the older EU SCCs on its website, with the references updated to reflect UK law.
The EC’s adequacy decision with respect to the United Kingdom is not yet final. Recently, the European Parliament asked the European Commission to modify its draft decision on UK adequacy, echoing concerns raised by the EDPB related to the UK’s bulk data surveillance and onward transfer practices as well as certain of its international data-sharing agreements. The European Parliament’s resolution included a request that Member State data protection authorities suspend transfers of personal data to the United Kingdom if the adequacy decision was implemented without revision. Following the Brexit transition period, which ended on December 31, 2020, the EU and the United Kingdom agreed to a delay in data transfer restrictions for up to six months. The ICO recommended that UK companies receiving personal data from the EEA put alternative transfer mechanisms in place by the end of April 2021. With the bridge period quickly coming to an end later this month and no finalized adequacy decision in place, businesses should consider whether they need to revisit their EEA-United Kingdom transfers.