The CJEU ruling in Schrems II (Case C-311/1) not only brought an end to the EU-US Privacy Shield, but also was the impetus for the European Commission to take on the task of issuing new standard contractual clauses ("SCCs 2021") – more than two years after the GDPR came into force.
Since June 2021, the old standard contractual clauses can no longer be used for new or modified data transfers from the EU to a third country. For existing data transfers, the European Commission had granted the parties a transitional period; this ends on 27 December 2022. As of this date, only the SCCs 2021 can be used to secure third country transfers (unless other justification mechanisms under the GDPR apply).
What steps do data exporters need to take now?
If not already done, data exporters should do the following:
- Identify data transfers to third countries.
- Determine which of these transfers are currently still safeguarded with the old SCCs.
- Contact the data importer to initiate the conclusion of the SCCs 2021.
What needs to be done in preparation for the conclusion of the SCCs 2021?
1. Determine "conclusion mode"
Unlike the previous standard contractual clauses, the SCCs 2021 follow a modular approach. This means that four different transfer scenarios are covered in one document:
- Module 1: Controller-to-Controller
- Module 2: Controller-to-Processor
- Module 3: Processor-to-Processor
- Module 4: Processor-to-Controller
The EU Commission expects the parties to assemble individual contracts from the bundle depending on which module is applicable to their particular situation. If you want to save yourself this effort, you can use the Taylor Wessing SCC Generator.
Alternatively, it seems reasonable to include the SCCs 2021 "by reference" in a main contract. This approach has the advantage that the entire (very long) contract does not have to be embedded in the main contract; the standard contractual clauses can simply be "referred to". It should be noted, however, that even in this case it must be made clear which module the parties want to conclude. Furthermore, a decision must be made regarding all optional clauses as well as the placeholders (see below). Thus, in addition to the actual reference to the SCCs 2021, the required information must be provided, for example in the form of an annex to the main contract.
2. Selection of optional clauses
Clause 7 (Docking clause), clause 9 (Use of sub-processors) and clause 11 (Redress) of the SCCs 2021 contain optional clauses. Furthermore, one question that regularly arises is whether a liability clause can or should be included:
- Clause 7 allows for subsequent accession of additional parties on the part of both the data exporter and importer. The clause creates flexibility for the parties because it allows for subsequent adjustments to be made by the parties to the data transfer without having to complete the SCCs 2021 again. A new party can join simply by completing and signing Appendix I.A. Clause 7 becomes relevant particularly for intra-group data transfers. However, if the number of such transfers is very high, other solutions, such as a more flexible "Intra-group Transfer Agreement", will regularly offer more appropriate solutions in practice.
- Clause 9 regulates the use of sub-processors. The data exporter can choose between two options: (1) individual authorization of every new sub-processor or (2) right to object. In both cases, a time limit for the exporter needs to be determined. This time limit has to be chosen by adequately considering both parties' interests. Regarding option 2, the parties may further consider providing for a rule on the consequences of an objection by the data exporter as the SCCs 2021 themselves remain silent on this.
- Clause 11 refers to the additional possibility of submitting complaints to an independent dispute resolution body. As this clause usually offers little advantage to the parties, it is of limited relevance in practice.
- Regarding liability, clause 12 stipulates that the parties, in principle, are liable without limitation regarding the transfer of data. Liability clauses set out in the main contract that include this specific aspect and concurrently contradict clause 12 are therefore problematic. A corresponding contradiction could lead to the invalidity of the SCCs 2021 as a whole. In this case, the SCCs would cease to be a safeguard for the third country transfer and the parties would be exposed to a breach of the GDPR. Special attention is therefore required when drafting a liability clause.
3. Applicable law and place of jurisdiction
Unlike before, the SCCs 2021 allow the parties to choose the applicable law (clause 17) and the place of jurisdiction (clause 18) themselves. In regard to these possibilities, the following options exist:
Choice of law (clause 17):
- Module 1: Law of an EU Member State allowing for third-party beneficiary rights
- Modules 2 and 3: Usually the law of the data exporter
- Module 4: Any law worldwide
Place of jurisdiction (clause 18):
- Modules 1, 2 and 3: Court of an EU Member State
- Module 4: Any court worldwide
As far as we know, all EU Member States now grant corresponding third-party beneficiary rights in the area of data protection, so that in fact any EU law can be chosen for module 1.
The choice of applicable law and jurisdiction is particularly relevant for cases where the main contract is not governed by EU law or EU courts, thereby creating a divergence between the main contract and the SCCs 2021.
4. Completion of attachments
As before, the details of the data transfer that is to be secured with the SCCs (information on the parties, details of the transfer, information on TOMs and sub-processors) need to be included in the annexes to the clauses. However, unlike the old SCCs, the Commission's expectation of the level of detail has increased significantly. An example of what is expected can be found in question 39 of the Q&A on the SCCs 2022 published by the EU Commission.
5. Conducting a Transfer Impact Assessment (TIA)
The core element of the new SCCs is the so-called TIA. The contractual obligation arises directly from clause 14 lit. b and d of the SCCs 2021 and, in this regard, mirrors the corresponding obligation from the GDPR and not least the Schrems II decision.
5.1 What is the TIA?
The TIA requires the parties to make an assessment of whether the applicable laws and practices in the third country of the data importer (in particular with regard to data access by intelligence services) prevent the data importer from fulfilling its obligations under the SCCs 2021. It is therefore necessary to assess the national legislation in the recipient country.
Strictly speaking, the data exporter would have to initiate a detailed evaluation - for example, with the help of a local lawyer. However, in practice, it seems more common that the data exporter requests the importer for respective information on the national law and relies on the importer's feedback. This approach does not seem unacceptable. However, in any case, the exporter cannot avoid at least a plausibility check.
When considering the approach, it should also be borne in mind that there is a certain probability that for most national laws the assessment will show that the local law does not provide for adequate safeguards. In this context, it should be taken into account that even national provisions of the EU Member States are subject to occasional concerns under data protection law, as recently shown by the CJEU's judgment on the German regulation on data retention (Case C-793/19, C-794/19 et al., "Vorratsdatenspeicherung"). It therefore seems advisable, especially regarding efficiency, to adopt a pragmatic approach which, in case of doubt, focuses less on the evaluation of the law and instead more on the identification of possible further safeguards.
Note: In early October this year, President Biden signed an Executive Order (EO) to improve data protections for data subjects in US intelligence activities. The EO is intended to clarify the issues raised by the CJEU in the Schrems II decision and to pave the way for a new EU-US data transfer agreement. The regulations came into force with immediate effect. A final EU assessment by the European Commission is expected by March 2023. Even prior to this date, however, the requirements set out in the EO could influence the outcome of a TIA in case of a data transfer to the USA and, thus, reduce the risk of corresponding transfers.
5.2 Who has to conduct the TIA?
The EU Commission seems to lay the (main) responsibility (also contractually) primarily on the data exporter. The wording of clause 14 suggests that there is at least a duty of cooperation on the part of the data importer. This seems appropriate because the data exporter is dependent on the importer's assistance while executing the assessment.
5.3 Which transfers need to be evaluated?
Clause 14 is ambiguous with regard to the question of how far "along the chain" the TIA must be carried out, in particular whether sub-sub-processors also need to be included. Although the data protection supervisory authorities seem to assume a rather comprehensive obligation, in practice a more pragmatic approach seems to prevail in many cases: many data exporters include only the first stage (i.e. transfers from the data importer to its subcontractors) in the assessment and disregard any further transfers down the line.
5.4 What does the TIA obligation determine for EU first level data transfers?
For data transfers from an exporter in the EU to an importer in the EU, there is no obligation to conduct a TIA because there is no transfer to a third country. In such scenarios, however, the data importers usually use (sub)processors in a third country. If this transfer is secured with the SCCs (module 2 or 3), the EU importer and the (sub)processor are the addressees of clause 14 and, thus, responsible for the TIA, not the EU controller. The latter, however, arguably still has an obligation under Art. 28 GDPR to ensure that the TIA is carried out in a reasonable manner. One control measure could be to include a corresponding contractual obligation for the processor to carry out the TIA in the processing agreement.
5.5 What about data transfers from Switzerland and the UK?
For data transfers from Switzerland and the UK, the SCCs only apply directly to the extent that these transfers are subject to the GDPR. However, usually Swiss or UK data protection law also applies. The authorities in the UK and Switzerland have therefore each decided that they will also recognize the SCCs for data transfers under the respective national law if the parties make certain adjustments.
The transitional periods expire on different dates:
- Deadline for the conversion in Switzerland: 31 December 2022
- Deadline for the conversion in the UK: 21 March 2024
But beware: of course, this only applies to transfers that fall exclusively under UK or Swiss data protection law. For data transfers that are (also) subject to the (EU) GDPR, the deadline remains 26 December 2022.
5.6 Guidance concerning the TIA
Data exporters who have to assess a large number of third-country transfers, in particular, will hardly be able to manage these "manually" within a reasonable time period, and certainly not within the next two months.
Support can be provided by the Taylor Wessing TIA Tool. It is a solution for the management, implementation and documentation of all TIAs. The TIA Tool simplifies and automates all relevant processes in connection with TIAs. If you have any questions, please do not hesitate to contact us.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.