On June 4th, the European Commission announced the adoption of the long-awaited new Standard Contractual Clauses (SCCs). The model contracts are intended to facilitate cross-border transfers of personal data from entities within the European Union (EU) plus Norway, Iceland and Liechtenstein (altogether, the European Economic Area, EEA) to entities in other countries (so-called third countries). In addition to the SCCs for international transfers, the Commission has also adopted model clauses that can be used as part of a data processing agreement with an EU entity, as required under Article 28 GDPR.
Scope and content of the international transfer SCCs
The new SCCs intended for international transfers are based on four scenarios: controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller. In addition, the model clauses contain a so-called docking clause, allowing parties that join the processing operation later to become part of the same contract instead of signing a whole range of individual agreements with the other organisations. This could for example be useful if multiple legal entities of a controller or processor need to be part of the contract.
By using the SCCs, organisations can ensure that their data transfers meet the basic requirements of the EU’s General Data Protection Regulation (GDPR) and that the necessary “appropriate safeguards” are in place. This includes requirements on transparency towards the data subject, as well as provisions on dealing with individual rights and regulator requests. The “regulator” refers to one of the European data protection authorities (DPAs): the clauses must stipulate which of the DPAs will be responsible for overseeing a particular data transfer. The SCCs furthermore deal with the key data protection principles of the GDPR, including data minimisation, data security, and accountability.
These new SCCs retain the annex requirement that needs to be completed for the SCCs to be valid. The annex includes an overview of the parties involved and an extensive description of the transfer as well as a list of the technical and organisational security measures that have been implemented. Finally, the SCCs must include an overview of the subprocessors involved in a processing operation. All in all, it is fair to conclude that the new SCCs have embraced an accountability approach for both the data exporters and the data importers. Both should properly document their compliance assessments, and be ready to make that documentation available to the DPA upon request.
Organisations that have contracts in place using SCCs, or are looking to use SCCs in the future, should first of all confirm whether they are allowed to do so. One of the major changes compared to the old SCCs is the scope of application. Based on recital 7 of the Commission Decision, the SCCs can only be applied in situations where the recipient organisation (the data importer) would not be directly subject to the GDPR for the processing operation at hand. This means that if an organisation is offering goods or services to, or is monitoring the behaviour of, individuals in the EEA, the SCCs cannot be invoked, since the data processing operation would already be subject to all the rules of the GDPR. An onward transfer, for example to a processor of the data importer (which would be a subprocessor of the data exporter), should in that situation be covered by SCCs.
Post Schrems-II requirements
The new SCCs not only bring the model clauses in line with the GDPR (the old versions date back to the early 2000s) but also include a section dedicated to the data transfer risk assessment, which has become mandatory since the Schrems-II judgment. In the ruling, the Court of Justice of the European Union confirmed that even when using appropriate safeguards like SCCs, organisations should always assess on a case-by-case basis whether the recipient of the data in the third country would be able to comply with all the requirements of the GDPR, in order not to “undermine the level of protection” offered by the Regulation. Organisations need to conduct a data transfer risk assessment, specifically taking into account government surveillance and access laws. The assessment needs to be documented, since the outcomes are important for organisations to comply with Clause 2 of the SCCs (“Local laws affecting compliance with the Clauses”). Where legislation exists that may interfere with the fundamental rights and freedoms of the individuals whose personal data are transferred, supplementary measures will need to be put in place. These can be of a legal, operational, or technical nature, as was also explained in the (draft) guidance from the European Data Protection Board.*
It is critical that organisations be aware that the new SCCs are not as fool-proof a transfer mechanism as they were in the past. After assessing the third country in scope for a particular data transfer, the conclusion may be that no measures would suffice to properly protect personal data against the risk of government interference. If so, the data transfer cannot take place, in any case not without a conversation with the DPA responsible for the organisation.
The UK Conundrum
Please do keep in mind that the United Kingdom (UK) is no longer a part of the EU. Thus, transfers from the EU to the UK also require a transfer mechanism to be in place, until or unless the UK is deemed to be adequate by the Commission. A decision on the UK adequacy status is expected by the end of June 2021, when the final Brexit transition period for data flows expires. The views expressed by the European Data Protection Board (EDPB) and the European Parliament, however, were not very positive, especially when it comes to government surveillance. Recent case law from the European Court of Human Rights and from the Court of Appeal in the UK itself has also raised additional doubts as to the essential equivalence of the UK legal system. That said, the UK still applies the GDPR in full, having adopted the UK GDPR as part of its national legislation with the same provisions as the EU GDPR.
Going forward, transfers to and from the EU/EEA and to and from the UK will both require data transfer mechanisms to be put in place. The UK ICO is expected to provide further guidance on data transfers originating from the UK later this year, including a consultation on UK-specific SCCs. To what extent these will be aligned with the new EU SCCs is as yet unclear. Should the UK receive the coveted adequacy decision, that will facilitate EU-UK data transfers (the UK government has previously indicated that the EU will be considered adequate from a UK perspective), although it does not affect transfers to other jurisdictions.
The new international transfer SCCs will enter into force later this month, on the 20th day following their publication in the EU Official Journal. From that moment on, organisations have three months to conclude any pending negotiations based on the old SCCs, if they still want to use those. That means that by late September, any new contracts dealing with international transfers will need to include the new SCCs.
All contracts based on the old SCCs, including the ones for which negotiations are concluded in the coming months, will need to be updated at the latest 18 months after the Commission decision enters into force, roughly speaking by the end of 2022.
How TrustArc Helps
As the primary resource for privacy and data protection compliance, TrustArc has you covered. As always, TrustArc will incorporate relevant legal and regulatory information in our platform and knowledge solutions. We are already in the process of adding an overview of government access and surveillance laws from all countries around the world to our database. The first iteration of the relevant maps and charts is currently available as part of Nymity Research, with further automated assessments on our roadmap. Additionally, you can use our Privacy Management Platform to properly document your business processes, the underlying compliance policies and procedures, and the details of your transfer risk assessments. Feel free to ask us for a demo if you would like to know more.
TrustArc is committed to adopting the new SCCs as soon as possible. Our legal team is currently analysing the new model clauses and preparing standard versions of the required annexes, just as we did for the old SCCs. Upon request from our customers, we are happy to update any existing SCCs to the new version. Given that our headquarters are based in the U.S., TrustArc also stands ready to support customers with data transfers originating from Europe with their data transfer risk assessments. More detailed information on transfer risk is available in this document.
* The EDPB will likely adopt a new version of their data transfer recommendations during the plenary meeting of 15 June 2021.