On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries
(the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.
The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data. This approach was disputed by the European Data Protection Board (EDPB) and the European Data Protection Supervisor in their joint opinion on the Commission’s draft SCCs which was published in November 2020 (the Joint Opinion) who consider that even theoretical access to personal data is of concern.
Companies now have 18 months to update their supplier contracts and other data export arrangements.
The purpose of the New SCCs is to help companies legitimise the transfer of personal data originating in the EEA to countries outside the EEA whose data protection laws have not been found by the European Commission to offer adequate protection (Third Countries). They will also be a lawful mechanism for UK companies to use too.
The documentation published comprises both an Implementing Decision and an Annex setting out the New SCCs themselves. At the same time, the Commission also published a set of clauses for use between controllers and processors, although these are not the focus on this briefing. The new SCCs were updated to:
(a) allow for various types of transfers using a modular approach. In particular, the New SCCs now helpfully provide for processor-to-processor transfers;
(b) give the clauses a GDPR ‘face lift’, including to update cross references to legislation and to ensure alignment with the requirements of the GDPR; and
(c) address the requirements of the Schrems II judgement, noting however that use of the New SCCs do not remove the need to assess the laws of the relevant Third Countries and ensure any necessary supplemental safeguards are implemented. This is a point made clear in both the Implementing Decision and the New SCCs themselves.
Schrems II issues
The most controversial issue surrounding the new SCCs was how they would deal with the requirements of the Schrems II case. In particular, whether, as in the draft SCCs, the New SCCs would allow organisations to take a risk-based approach when making the local law assessment of a Third Country and therefore consider the “likelihood” that public authorities would in fact access the exported personal data. Fortunately, this provision remains in the New SCCs. However, there is a greater emphasis on ensuring that any practical experience that is considered as part of the assessment is “corroborated and not contradicted by publicly available… information on the absence of requests in the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies”. This emphasis on being able to provide supporting evidence when relying on practical experience seems to be a nod to the stricter position put forward in the Joint Opinion. It will be interesting to see where the EDPB and EDPS lands on this point in their final guidance on the Schrems II judgment, which is expected in a few weeks. (Clause 14).
The provisions on challenging public authority access requests are also largely unchanged since the previous draft, although clause 15.2 expands what the importer must take into account when considering the legality of the request and whether to challenge it. (Clause 15)
Other key points to note
- Timetable for implementation: The European Commission gives companies a transitional period of 18 months from the date the New SCCs come into force (27 June 2021) to replace all contracts with the New SCCs. This is slightly more generous than the one year period proposed in the draft SCCs, but it will still mean a large repapering exercise in the coming months, which organisations should start preparing for. Another welcome confirmation is that organisations may continue to use the current SCCs (even for new transfers) for 3 months following the date the New SCCs come into force. (Article 4 of Implementing Decision).
- Greater alignment with the GDPR: Many of the provisions in the New SCCs have been brought more in line with the GDPR requirements. For example:
(b) the obligation on importer controllers to notify data protection authorities now applies if a personal data breach is likely to result in a risk to the rights and freedoms of natural persons and the obligation to notify data subjects of personal data breaches is also now aligned to Art 34 GDPR. (Module 1, clause 8.5(e) and (f));
(c) the obligation to implement appropriate technical and organisational safeguards is now more closely aligned to Art 32 GDPR. (Module 1, clauses 8.5; Modules 2 and 3, clause 8.6; Module 4, clause 8.2);
(d) the timeframe within which importer controllers mist deal with data subject rights. (Module 1, clause 10); and
- Expanding onward transfer rights: The New SCCs allow importers to transfer personal data to third parties in Third Countries without entering into standard contractual clauses or similar binding instruments where the onward transfer is necessary for the establishment, exercise or defence of legal claims or is necessary to protect the vital interests of the data subject or another natural person (Clause 8.7 (Module 1), Clause 8.8 (Module 2 and 3)). Helpfully, the New SCCs also clarify that controller importers do not have to inform data subjects of all the identities of all recipients of personal data. Instead, they can provide details of the “recipients or categories of recipients”.
- Security of processing: The provisions on the security of processing have been strengthened in a couple of ways. Firstly, clause 8.5(b) of Module 1 makes clear that Annex II (Technical and Organisational Measures) must be completed where the importer is a controller. The requirement on the importer to regularly check that the measures listed continue to provide an appropriate level of security now also applies to processor importers too, which represents an important shift in responsibility (Modules 2 and 3, Clause 8.6). In addition, the explanatory note at Annex II states that the technical and organisational measures must be described in “specific (and not generic) terms” and it must be clear “which measures apply to each transfer/set of transfers”. This final point will need to be factored in when organisations undertake their New SCC repapering exercise, as it may require the security provisions to be revisited and revised.
- Data subject rights and supervision: The list of clauses that data subjects may not invoke or enforce against the data exporter and/or data importer have been expanded. In practice, this is just to exclude all the provisions that apply specifically between the importer and exporter or relation to interactions with data protection authorities and data subjects can continue to invoke and enforce the majority of the New SCCs as third party beneficiaries. In addition, clause 1 now clarifies that the data subject can lodge a complaint with the supervisory authority (SA) in the member state on his/her habitual residence or place of work or the supervisory authority provided for in the supervision clause of the New SCCs. This clause also clarifies that the relevant SA for organisations outside the EU that are relying on the New SCCs and have an Article 27 EU representative shall be the SA in the member state in which the EU representative is established. The competent SA(s) must now be listed in Annex 1. (Clauses 3, 11(c) and 13)
- Liability and indemnification: The indemnification clause in the earlier draft of the New SCCs has now been replaced with a “contribution clause”. This clause reflects Art 82.5 of the GDPR which provides that where a controller or processor has paid full compensation for damages suffered, that controller or processor shall be entitled to claim back from the others responsible controllers or processors the part of the compensation corresponding to their part of responsibility for the damage. However, the practical effect is largely the same (Clause 12).
- Identifying controllers in P2P transfers: The New SCCs helpfully remove the requirement to list the relevant controller(s) in the context of processor-to-processor transfers, a requirement which was included in the draft version of the SCCs. In addition, the requirement on the sub-processor importer to notify the controller in the event of a personal data breach now only applies where “appropriate and feasible”. This is a useful clarification since in most data processing arrangements it will not be appropriate or feasible for a sub-processor to notify a controller of such an event.
- Specificity of Annexes: The New SCCs require a greater level of specificity in the Annexes to the Appendix. Alongside the items mentioned above in relation to the increased detail needed when explaining the technical and organisational measures and the need to list the competent supervisory authorities, the Annexes must now also list out the frequency of the transfer (e.g. whether it is one-off or continuous) and the nature of the processing. In practice this will mean that many companies that have prepared template annexes in anticipation of the New SCCs coming into effect will need to revisit them before they roll out the new SCCs.
The majority of changes in the New SCCs (when compared to the earlier draft) provide useful clarification. It will also be helpful for companies to see that the Commission broadly retains its original position on companies being able to take into account the “likelihood of access” argument when assessing Third Country laws.
However, companies should not lose sight of the fact that these New SCCs impose some onerous obligations and the parties relying on them will need to quickly consider how they will comply with the non-negotiable obligations in practice, especially as they will replace the current SCCs for all new transfers in just 3 months.
Companies must also remember that the New SCCs are just part of the export picture following Schrems II. Their use sits alongside the requirement for companies to clearly understand where personal data is being sent and accessed from, the roles of the receiving parties (e.g. controllers or processors), the requirement to assess the laws of the relevant Third Countries and to understand whether any additional technical safeguards are required alongside the New SCCs. The picture remains complex.
Click here to watch an on-demand webinar where we discussed the new SCCs and their impact in more detail.