EU Releases New Standard Contractual Clauses Language
On Friday, June 4, 2021, the European Commission approved and adopted a new version of the Standard Contractual Clauses (SCCs) that updates the rules on how data may be transferred outside of the EU. Companies will have approximately 18 months (as of June 7, 2020) to replace all existing SCCs.
What are Standard Contractual Clauses?
Transfers of personal information from the EU to countries outside the EU are regulated by the General Data Protection Regulation (GDPR), which requires that any personal information transferred outside the EU is awarded an “adequate level of protection.” Some countries are deemed by the European Commission to have an adequate level of protection. Companies in countries lacking adequacy must rely on other methods to meet the requirements such as Binding Corporate Rules, SCC,s and previously Privacy Shield (Safe Harbor).
Three different sets of SCCs were adopted back in 2001, 2004, and 2010. Following the adoption of GDPR in 2018 and, most recently, the Schrems II decision, the European Commission worked on updating the SCCs. It has now published its updated SCCs, which contain a number of notable changes when compared to the old versions.
The New, Updated SCCs
The new SCCs were influenced by concerns raised under Schrems II and comply with the requirements under the GDPR. The new SCCs will still require companies to evaluate data transfers on a case-by-case basis and companies may need to supplement the SCCs with additional security protocols based upon the nature and sensitivity of the data transferred. The new SCCs take a modular approach to data transfers enabling companies’ greater flexibility in adapting their SCCs for various data transfer scenarios.
- Modular Approach: Under the old SCCs there were only provisions for controller-to-processor and controller-to-controller transfers. The new SCCs now consider a variety of transfer use cases including:
- Module 1: Transfers from an EU controller to a controller abroad (previously covered by the controller-to-controller SCCs)
- Module 2: Transfers from an EU controller to a processor abroad (previously covered by the controller-to-processor SCCs)
- Module 3: Transfers from an EU processor to a non-EU (sub-)processor (this is a new transfer scenario now covered by SCCs)
- Module 4: Transfers from an EU processor to a non-EU controller on whose behalf it processes personal information (this is also a new transfer scenario). Module 4 is particularly interesting because it covers non-EU controllers using an EU processor. In this scenario the EU service provider is subject to GDPR the non-EU controller is not. The SCCs only impose obligations on the EU service provider, recognizing the service provider is already subject to GDPR.
- Accession Feature: The new SCCs contain a “docking clause,” which allows for additional controllers and processors to be added to the SCCs as data exporters or importers.
- No Additional Article 28 Agreement. SCCs with non-EU processors will now also satisfy the requirement for an Article 28 agreement, and a separate Article 28 agreement will therefore not be required. GDPR requires that controllers establish a written data processor agreement before allowing a third-party vendor to conduct the processing of personal data.
- Government Requests. Data importers are required to notify the data exporter and affected individuals of requests from public authorities to disclose personal information. The new SCCs extend the scope of this notification obligation to cover:
- Requests by all public authorities.
- The data importer’s requirement to review the request for legality based on the receiving country’s law and obligations and principles of international law and if there are reasonable grounds to consider that the request is unlawful, challenge the request.
- The data importer should provide a minimal amount of information to the public authority.
- Breach Notifications. The previous SCCs obligated non-EU processors to notify EU controllers of any accidental or unauthorized access. The new SCCs require non-EU controllers to send notification of any personal data breach concerning personal information processed under the SCCs to:
- The EU controller from which it received the personal information
- The competent supervisory authority, and
- The affected individuals, if necessary, in cooperation with the data exporter.
- Adequacy: The new SCCs warranty each signatory to state they have no reason to believe that the laws in the data importer’s country prevent the data importer from fulfilling its obligations under the SCCs, considering the:
- Specific circumstances of the transfer
- Laws and practices of the third country; and
- Relevant contractual or technical safeguards put in place
- Additional Safeguards: The new SCCs make clear references to additional safeguards. This is directly in response to the recent Schrems II decision. The SCCs require the exporter to determine that the importer has implemented technical and organizational measures that comply with the SCCs. It is however, still unclear what the new definition of “additional safeguards” actually means.
The existing versions of the SCCs may only be used for the next three months. Companies that currently rely on the old versions of the SCCs are granted a period of 18 months (as of June 7, 2020) to implement the new SCCs. If you are relying on SCCs as a transfer mechanism, start comparing the requirements in the new SCCs to your (and third parties processing of personal data on your behalf) compliance practices.
What Does This Mean for Privacy Shield?
President Biden has stated he is committed to formalizing an agreement with the EU to restore confidence in data flowing across the Atlantic when he meets leaders in Brussels on June 15. Coming to a consensus on this would be a major step in repairing the damage to transatlantic relationships since the Edward Snowden and Schrems stories emerged. To date, Europe has invalidated two transatlantic data transfer agreements Safe Harbor and Privacy Shield. The EU and U.S. have been speaking for almost a year trying to come to terms on an acceptable replacement for Privacy Shield. Nonetheless, it is not likely to see a final agreement anytime soon.
Want to know more about what’s happening with European data transfers?
Watch the session recording to hear from Bruno Gencarelli, the EU Head of Data Flows and Protection from WireWheel’s Spokes Privacy Conference here.