Data transfers to countries outside the EU / EEA (so-called third countries) are permissible under the GDPR only if certain safeguards are implemented to ensure an adequate level of data protection in the country of the data importer. The 'standard contractual clauses' represent the most common safeguard for securing third country transfers. However, since the existing standard contractual clauses were issued based on the Data Protection Directive and consequently did not fully comply with the provisions of the GDPR, their revision had been expected for some time. Today, the EU Commission published the new SCCs.
The existing standard contractual clauses may only be used for three more months from the time of the - still pending - official publication of the new SCCs. After a further 15 months at the latest, all existing standard contractual clauses must also be converted to the new regulations. Extensive renegotiations of SCCs are therefore required.
Schrems II implementation
The new standard contractual clauses contain a large number of 'Schrems II' obligations in order to comply with the requirements of the European Court of Justice and the European Data Protection Board on third country transfers. Nevertheless, the conclusion of the new standard contractual clauses alone will usually not be sufficient to fully comply with these requirements. Rather, the implementation of supplementary safeguards will still often be necessary.
Mandatory transfer impact assessment
The new standard contractual clauses provide for a mandatory data transfer impact assessment to be carried out by the contract parties. Both parties have to warrant that they have no doubts that the data importer's country's requirements comply with European standards. In view of the ECJ's Schrems II decision, this could become problematic in some cases, especially for US importers. The impact assessment must be documented and submitted to the supervisory authorities upon request.
Furthermore, the new standard contractual clauses follow a modular approach: Instead of different sets of standard contractual clauses, there will be only one set of standard contractual clauses in the future, which can be adapted by using certain modules and omitting others, depending on the specific details of the respective data transfer. Although this increases flexibility, it remains to be seen whether this will make use of the clauses more difficult.
In addition, two new constellations have been introduced with 'processor-to-processor' and 'processor-to-controller' transfers, whereby the second scenario has rarely been missed in practice and will probably lead to problems.
Hierarchy and liability
In addition, the new standard contractual clauses contain a strict hierarchy clause as well as a liability clause that will make it very difficult for data importers to limit their liability with respect to data transfers under the new standard contractual clauses.
Outlook and measures by the authorities
In summary, the new standard contractual clauses are better adapted to the GDPR and implement some of the Schrems II requirements. However, due to the necessity of an accompanying transfer impact assessment, the conclusion of the new standard contractual clauses will no longer be a mere 'tick a box' exercise.
All ongoing data transfers based on standard contractual clauses will have to be switched to the new clauses within the next (approximately) 18 months. Therefore, be prepared and
(1) do your data mapping to determine in which cases the new standard contractual clauses need to be concluded,
(2) prepare the standard contractual clauses based on the modules required in your case and pre-filled for your needs,
(3) prepare a template transfer impact assessment and - as always -
(4) constantly document and re-evaluate the measures taken.
Third-country transfers are a key focus of investigative measures by data protection supervisory authorities: The German authorities have just announced this week that they will conduct nationwide audits of international data transfers by German companies: The authorities will send out questionnaires to a large number of companies in Germany in order to assess "Schrems II" compliance with respect to cross-border data transfers. The questionnaires will particularly focus on the use of third-party providers providing e-mail-services, webhosting, web tracking, application management, and intra-group exchange of customer and employee data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.