The New EU Standard Contractual Clauses Have Arrived: Next Steps for Compliance
Starting today, the new EU standard contractual clauses (“SCCs”) officially replace the old SCCs for use as a GDPR-compliant transfer mechanism for EU personal data. On June 4, 2021, the European Commission released its Implementing Decision on the final version of the new SCCs for the transfer of personal data to third countries. The new SCCs entered into force on June 27, 2021. During an initial three-month transition period, the old SCCs could still be used for new personal data transfers (i.e., new contracts). On or after September 27, 2021, any new contracts must utilize the new SCCs. With regard to existing contracts, the old SCCs must be replaced with the new SCCs, or another lawful transfer mechanism (e.g., binding corporate rules, derogations), by December 27, 2022.
SCCs are a key lawful transfer mechanism under the General Data Protection Regulation (“GDPR”). Lawful transfer mechanisms are required to support the transfer of EU personal data to countries outside of the EU for which an adequacy decision has not been issued by the European Commission. Other lawful transfer mechanisms include binding corporate rules, derogations under Article 49 of the GDPR, contractual clauses that have been specifically authorized by the supervisory authority of the member state from which the data is being exported, approved codes of conduct, and certification under an approved certification mechanism.

The European Commission implemented the new SCCs because it did not deem the existing SCCs to be comprehensive or nuanced enough to address the widespread use of complex processing operations involving multiple data importers and exporters. The new SCCs take a modular approach that recognizes various transfer scenarios and the complexity of today’s modern processing chains.[1] The four modules within the new SCCs cover: (1) controller to controller transfers, (2) controller to processor transfers, (3) processor to processor transfers, and (4) processor to controller transfers.[2] The Implementing Decision for the new SCCs includes introductory clauses, four articles that are applicable to all SCCs, an annex containing the new SCCs themselves, and an appendix with three procedural annexes.
The principal annex contains the “meat” of the new SCCs. Clauses 1 through 7 of the annex (covering purpose and scope; effect and invariability of the clauses; third-party beneficiaries; interpretation; hierarchy; description of the transfer(s); and docking clause) are applicable to all of the SCCs. The remaining clauses – 8 (data protection safeguards), 9 (use of sub-processors), 10 (data subject rights), 11 (redress), 12 (liability), 13 (supervision), 14 (local laws and practices affecting compliance with the clauses), 15 (obligations of the data importer in case of access by public authorities), 16 (non-compliance with the clauses and termination), 17 (governing law), and 18 (choice of forum and jurisdiction) – contain some variation as to whether and what specific language must be incorporated into those clauses depending on which SCC module is applicable.
The procedural annexes in the appendix are referenced within the new SCCs themselves and have varied applicability. The first procedural annex requires the insertion of a list of parties, a description of the transfer, and the competent supervisory authority. Entities utilizing the processor to controller module do not have to identify the competent supervisory authority. The second procedural annex is titled “Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data” and contains examples of the categories of measures that the parties may utilize. This procedural annex does not apply to the processor to controller module. The third procedural annex, which requires information concerning authorized sub-processors, is only applicable to the controller to processor and the processor to processor modules.
Prior to the publication of the new SCCs, the Schrems II decision by the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework. The Privacy Shield Framework had previously amounted to an adequacy decision for those U.S. entities certifying to be Privacy Shield-compliant. The Schrems II decision made it more difficult for U.S. companies with transatlantic operations to remain in compliance with EU data transfer protection rules and regulations. One important impact of the Schrems II decision is that entities relying on the existing SCCs have been required to verify on a case-by-case basis that each transfer of personal data is adequately protected. This process has been referred to as a “transfer impact assessment.” The new SCCs incorporate this assessment process in Clause 14.
In addition, Clause 15 of the new SCCs requires the data importer to notify the data exporter (and, where possible, the data subject(s)) if it (1) receives a legally binding request from a public authority, including judicial authorities, of the destination country for the disclosure of any personal data transferred pursuant to the SCCs; or (2) becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs in accordance with the destination country’s laws. If the laws of the destination country prohibit the data importer from notifying the data exporter and/or data subject(s), the data importer agrees to use its best efforts (and to retain documentation of such efforts) to obtain a waiver of the prohibition and to provide as much information as possible as soon as possible. If disclosure is permissible, the data importer agrees to provide as much relevant information as possible on requests received (e.g., the number of requests, type of data requested, requesting authorities, whether requests have been challenged, and the outcome of any such challenges, etc.). For processor to processor transfers, the data importer is also required to forward this information to the data controller. The data importer is also required to review the legality of any such disclosure requests and to challenge such requests if there are reasonable grounds to consider such requests unlawful. The data importer agrees to document its legal assessment and any challenges made, and to provide such documentation to the competent supervisory authority upon request. Further, the data importer agrees to provide the “minimum amount of information permissible” to the requesting public authority when responding to such requests.
To ensure timely compliance with the GDPR and the new SCCs, entities should develop a plan that includes the following steps:
Between now and December 27, 2022:
- First, entities should carefully consider the nuances and ramifications of the new SCCs and gain an understanding of the potential need for any internal technical or administrative changes necessary to begin using the new SCCs in contracts.
- Entities should update their contract templates and forms to include the new SCCs, because as of September 27, 2021, all new contracts utilizing SCCs as the transfer mechanism for EU personal data are required to include the new version of the SCCs.
- Long before December 27, 2022, entities should identify and analyze all personal data transfers out of the EU/EEA (including transfers by and to a given entity) and the respective contracts currently in place governing such transfers, including transfers of EU personal data of not only customers, but also suppliers, subcontractors, and other individuals.
- Entities should determine whether SCCs are the most appropriate lawful transfer mechanism. If so, on a case-by-case basis, entities should consider whether each such transfer involves a controller to controller transfer, a controller to processor transfer, a processor to processor transfer, or a processor to controller transfer. After making that determination, entities should identify the applicable clauses for the appropriate module(s) of the new SCCs to utilize as a lawful transfer mechanism for each personal data transfer. For example, if the personal data transfer is a controller to controller transfer, then the entity should utilize the clauses with provisions applicable to Module One.
- For each personal data transfer and respective contract, entities should assess and evaluate the laws and practices of each country of data importation to determine if the use of the SCCs provides sufficient safeguards. If such laws and practices may hinder the data importer from complying with the SCCs, then the contract should include provisions supplementing the SCCs with requirements relating to the implementation of appropriate technical or organizational measures to ensure security and confidentiality of the transmission of personal data.
- Finally, utilizing the information gained from the prior steps, entities should negotiate and enter into the appropriate version of the new SCCs for all existing and future contracts involving EU personal data transfers.
Entities should be aware that this process of identifying relevant transfers and current contracts, negotiating and entering into updated contracts, and updating relevant technical and administrative measures is likely to take a significant amount of time. Thus, entities transferring personal data out of the EU should begin this process as soon as possible. It is also worth noting that, due to Brexit, different processes and agreements will be required for transfers of UK personal data.
[1] Implementing Decision (EU) 2021/914.
[2] Annex to Implementing Decision, Sections II and III, Clauses 8-15.
Sarah Wiese contributed to this post.
Will Davis, a law clerk with Fey LLC and a law student at the University of Florida-Levin College of Law, contributed to this post.