New EU Standard Contractual Clauses – Introduction and Initial Evaluation
On 4 June 2021, the European Commission adopted new Standard Contractual Clauses (SCC) for the transfer of personal data to third countries. Standard Contractual Clauses, an instrument provided for in Art. 46 of the EU GDPR, are intended to be appropriate safeguards for the protection of personal data if the destination country of a data transfer does not provide an adequate level of data protection.
There has already been a need for an update since the introduction of the EU GDPR in May 2018. The SCCs still in force date from the era before the EU GDPR. Accordingly, they lack some of the protective measures required by the EU GDPR. In addition, the CJEU judgement in the “Schrems II” case has called into question the reliability of SCCs as a data transfer mechanism, unless a data transfer impact assessment has been carried out and “additional measures” are implemented. In short, it was now urgent to adopt updated SCCs.
The new SCCs will enter into force on 27 June 2021 (i.e. 20 days after their publication in the EU Official Journal on 7 June 2021). The previous SCCs can still be used for “new” data transfers during a transition period of three months. For data transfers that have already taken place or are ongoing, the transition period is 18 months. This gives organisations until the end of 2022 to adapt their existing data transfers to the new SCCs.
1. Modular structure
The new SCCs consist of a modular set of clauses for each of the following areas:
- Controller-to-controller transfers (C2C Module 1)
- Controller-to-processor transfers (C2P Module 2)
- Processor-to-processor transfers (P2P Module 3)
- Transfers between processor and controller (P2C Module 4).
In this respect, the new SCCs are a clear improvement over their predecessors, which did not consider P2P or P2C data transfers and thus provided many data-exporting organisations with limited (or no) means to achieve legal compliance for these types of data transfers.
In simple terms, the data exporting parties choose the module that is applicable to the type of their exports and use only the clauses intended for that module. What sounds simple can be cumbersome in practice; because all clauses are entered as options in the continuous text of one and the same document.
Therefore, we have created a version of the SCCs using the DocIQ software, where you can select the desired module and, based on that, dynamically fill in all the text fields and options in a form. The form is located right next to the text. The text adjusts accordingly in real time. This saves a lot of time and helps to avoid mistakes. The SCCs can also be partially filled in and saved as a template via DocIQ so that they can be copied and used again and again.
We are happy to provide you with the automated modular SCCs via DocIQ in German and English free of charge. Simply get in touch with your Laux Lawyers contact.
2. Multi-party clauses and the docking clause
The new SCCs allow for multiple data exporting parties to enter into a contract and for new parties to be added over time (the so-called “docking clause”).
In contrast, the previous SCCs were set up as a bilateral contract that was intended to record the relationship between two parties at a static point in time. There was no provision for adding other parties over time. This often led to challenges when trying to implement SCCs for large intra-group or extra-group data transfers. Although in and of itself it only required a relatively simple editorial change to the previous SCCs to allow for additional parties (whether this was to be done at the time of contracting or only over time), it was at least debatable whether this type of change was permissible at all and whether, instead, separate SCCs should have been signed for each individual data flow.
The new SCCs now explicitly allow for the conclusion of contracts with multiple parties and the addition of new parties over time. This will be a welcome relief, especially for companies that rely on SCCs for intra-group transfers.
3. Schrems II
An entire section of the SCCs (Section III) is now focused on the requirements of “Schrems II” and contains clauses on “local laws and customs affecting compliance with the clauses” and “obligations of the data importer in the event of access to the data by authorities”.
The Commission had the not-so-easy task here of enacting provisions that are in line with the CJEU judgement in Schrems II, but still allow international data transfers (including to the USA).
Fortunately, the Commission has adopted a risk-based approach. Parties must guarantee that they have “no reason to believe” that the laws of the importing state will result in the data importer being unable to fulfil its obligations under the SCCs. In providing this guarantee, the parties must take due account of the “particular circumstances of the transfer”, the “relevant laws and practices of the third country of destination” and “any relevant contractual, technical or organisational safeguards”. The crucial change arguably arises from the fact that this assessment must be newly documented and made available to the competent data protection authorities upon request.
In practice, a footnote reference in the SCCs could become significant. According to this, the assessment can include “relevant and documented practical experience” from previous cases of requests for information from authorities or the lack of such requests. This could become quite helpful especially for organisations that have had little or no practical experience with government requests for their data. Thus, the risk that data exports would be severely or unduly restricted by an (overly) strict interpretation of the CJEU judgment (as, for example, the European Data Protection Board EDPB had laid out in its draft supplementary measures guidelines) should have been largely averted.
Moreover, these new “Schrems II provisions” largely reflect what by now seemed to be emerging anyway as the market standard for compliance with Schrems II (and also more generally): that the data importer informs the data exporter of any request (or access) by a government authority, unless prohibited, and that in the case of an information ban, the data importer must use its best efforts to have the information ban lifted. The data importer must verify the legality of information prohibitions and of such authority requests and challenge unlawful requests. In addition, the data importer must only provide the minimum amount of information necessary to comply with the requests for data disclosure.
The data importer must also produce regular transparency reports on the requests it receives (these become relevant in light of the footnote reference mentioned above). And the data importer must notify the data exporter if it believes it is no longer able to comply with the SCCs.
Like the previous SCCs, the new SCCs consist of a main part (with non-negotiable clauses) and three annexes in which the parties can specify the details of the data export agreements:
- Annex 1 contains a description of the parties, the transfers and the competent supervisory authority. The question of jurisdiction is answered according to where the data exporter is established, unless the data exporter is established outside the EU (or the EEA) (in which case jurisdiction is determined by where its representative is established according to Article 27 EU GDPR). The subject matter, nature and duration of downstream transfers to sub-processors must also be specified.
- Annex 2 contains the technical and organisational security measures taken to protect the transmitted data. These must be stated in detail and not just generically.
- Annex 3 provides a list of sub-processors and is intended to be used in the event that the data importer needs to obtain specific authorisation from the data exporter to appoint sub-processors. If instead the option of a general authorisation to appoint sub-processors is chosen in the main body (subject to prior notification and objection requirements), this annex does not apply.
5. And Switzerland?
The Federal Data Protection and Information Commissioner (FDPIC) has not yet commented on the new SCCs. As in the past, it is to be expected that the FDPIC will accept these SCCs as sufficient guarantees for the transfer of personal data to so-called “unsafe countries”. The adaptation of the SCCs to Swiss conditions (especially with regard to applicable law and jurisdiction) is still recommended.
6. What to do now?
It is still worthwhile to proceed in a considered and sober manner. With the new SCCs, it is becoming apparent that organisations are likely to regain more legal reliability in the medium term. However, this does not come entirely for free. The existing data transfers must be adapted to the new SCCs within a short period of time. In addition, the correct implementation and documentation of the SCCs (especially the filling and updating of the annexes) will involve administrative, organisational and legal efforts that should not be underestimated.
The Advisors at LAUX LAWYERS AG have many years of practical experience in the area of international data transfers, particularly in connection with so-called Intragroup Data Transfer Agreements. They will be happy to assist you in planning the right course for your company and to accompany the implementation of the new SCCs in a legally secure but pragmatic manner.
11 June 2020