On Friday, 4 June 2021, the European Commission published new "standard contractual clauses" ("SCCs") under the General Data Protection Regulation ("GDPR") for data transfers to countries outside of the European Union.

The Commission aimed to reflect the technological and legal developments after the Schrems II decision of the CJEU and offer instruments for more complex processing chains. Any existing SCCs based on the former clauses must be replaced by 27 December 2022.

INTERNATIONAL DATA TRANSFER AFTER SCHREMS II

International data transfers, and especially data transfers to the US, were left shrouded in uncertainty after last year's decision of the Court of Justice of the European Union in C-311/18 ("Schrems II", see our client alert for further information). While the CJEU upheld the validity of the former SCCs, it required data exporters to assess the legal framework in the country of the data's destination. Data transfers may only be based on the SCCs where the third country provides an essentially equivalent level of data protection.

Transfers to countries not providing such guarantees require "additional safeguards" in order to maintain the privacy standards of the GDPR. As a result, national supervisory authorities and the European Data Protection Board published guidelines on possible measures (see our client alert). However, as these guidelines are non-binding, none of them offered a clear solution to practical issues in outsourcing or web services.

INCREASE IN OBLIGATIONS

The SCCs contain several new obligations aiming to ensure that the local law of the data importer does not endanger the enforcement of the SCCs. Most prominently, there is an obligation to notify the data exporter if the data importer becomes subject to laws or practices that may infringe the SCCs. Furthermore, data importers will also be obliged to reasonably challenge governmental access requests where they infringe fundamental rights of the data subjects. Nonetheless, the data exporter must still assess the legal situation applicable to the processing in the country of destination. The SCCs list specific criteria that must be considered (e.g. the specific circumstances of the transfer, laws and practices in the third country, relevant safeguards).

Attention should also be drawn to the extension of the third-party beneficiary rights of data subjects. The SCCs stipulate that data subjects may invoke or enforce a significant part of the SCCs including data security and transparency provisions. A breach of the third-party beneficiary rights triggers the liability of the data importer, including for material and non-material damages of data subjects.

NEW MODULAR APPROACH OF THE SCCS

The former SCCs were issued separately for controller-to-controller and controller-to-processor situations. As a particularly noteworthy change, the new SCCs are designed on a modular basis bringing together provisions for all four possible processing constellations:

  1. controller to controller,
  2. controller to processor,
  3. processor to processor and
  4. processor to controller data transfers.

Additionally, some modules contain optional provisions, where it is up to the parties to choose which of the alternative clauses shall apply.

One significant novelty compared to the former SCCs is the extended scope of application for processors. Accordingly, EU-based processors will be entitled to directly conclude SCCs with third-country (sub-)processors in their own name as data exporters. Therefore, complex solutions where SCCs could only be concluded on behalf of each controller will likely disappear.

The new SCCs also contain a "docking clause", which allows further controllers or processors to accede to SCCs already concluded. With the approval of the existing parties, the acceding party merely needs to be added to the annexes and co-sign the contract. This brings important relief for the administration of processing chains, as the conclusion of separate contracts will be avoided. The option to accede to the SCCs is especially helpful for onward transfers to further processors.

Another formal improvement is the compliance of the new SCCs with the requirements of Art. 28 of the GDPR, making "shell processing agreements" around the SCCs obsolete.

PROBLEM OF UNSAFE THIRD COUNTRIES NOT FULLY SOLVED

Even though the new SCCs address some issues of recent case law, the SCCs may still not guarantee full compliance with the GDPR for all data transfers to third countries. The data exporter remains obliged to assess whether the SCCs can effectively be enforced under the local law applicable to the data importer. Therefore, the core issue for international data transfer is left unsolved by the new SCCs.

In this regard, attention should also be paid to the recently announced coordinated audit of international data transfers by German supervisory authorities and similar developments throughout the EU. Data exporters must thoroughly review and document their transfers and the level of data protection provided by the implemented clauses and supplementary measures.

KEY TAKE-AWAYS

What changes:

  • Increase in data protection obligations, liabilities and third-party beneficiary rights
  • Modular approach for processing chains
  • Processors can conclude SCCs directly with sub-processors
  • Additional parties may accede to the SCCs
  • SCCs provide options that must be adapted by the parties
  • SCCs include guidance and criteria for supplementary measures

What to do with "old" SCCs still in place:

  • Review and document the adequacy of the level of data protection for any third country where data is being transferred on the basis of SCCs
  • Document supplementary measures implemented in addition to the SCCs
  • Replace the existing SCCs by 27 December 2022 with the new ones
  • Double check privacy notices and inform data subjects which SCCs are in place and how they can receive a copy thereof

CONCLUSION

The new SCCs impose further obligations on controllers and processors in the EU and abroad. The modular approach allows the data exporter to reflect modern processing chains with multiple levels of (sub-)processors. Nonetheless, controllers and processors remain liable for assessing national and international laws that may interfere with the fundamental rights established by the EU.
