The long-awaited modernised sets of transfer standard contractual clauses ("New Transfer SCCs") and controller-processor Article 28 standard contractual clauses ("Processor SCCs") were adopted by the European Commission ("Commission") on 4 June 2021[1]. This update outlines the key elements of the New Transfer SCCs. Much like the New Transfer SCCs, the Processor SCCs are likely to represent the market standard for compliance in the coming years. As such, they merit a separate update.
New Transfer SCCs
The existing transfer SCCs date from 2001 and 2010[2] ("Existing SCCs"). They required updating in light of Regulation 2016/679 (the "GDPR"), the "Schrems II" decision of the Court of Justice of the European Union[3] (the "Schrems II Decision") and the European Data Protection Board ("EDPB") Recommendations on Supplementary Measures published in November 2020[4]. The New Transfer SCCs seek to address these requirements. They also recognise the realities of modern international data transfers and adopt a 'modular approach' to transfers depending on the capacity in which the parties act. They also allow parties to accede to the clauses from time to time, reflecting that the parties to a contract may change during the lifecycle of a contractual relationship.
Key aspects of the New Transfer SCCs include:
Entry Into Force
Parties can, at their option, start to use the New Transfer SCCs from 27 June 2021. After 27 December 2022 (or if processing changes before then), the New Transfer SCCs must be used.
There is, in effect, a grace period of 18 months for Existing SCCs. The Existing SCCs can continue to be entered into until 27 September 2021. Thereafter, provided that the processing remains unchanged and appropriate safeguards are in place, the Existing SCCs will continue to be valid until 27 December 2022.
Modular Approach – Four International Transfer Scenarios
There are tailored clauses depending on the roles of the parties in a specific case. Parties can choose between: Module 1, controller-controller; Module 2, controller-processor; Module 3, processor-processor; and Module 4, processor-controller.
The SCCs align with the GDPR and include the contractual obligations imposed upon a processor under Article 28(3) and (4). Controllers and processors will also be required to demonstrate their compliance with the New Transfer SCCs. The New Transfer SCCs will not ensure compliance with all of Article 28. The Processor SCCs will need to be used for this purpose.
The New Transfer SCCs may be used by multiple parties. Clause 7 includes a docking clause which enables third parties to accede to the New Transfer SCCs as a data exporter or importer, without needing to conclude separate contracts.
The New Transfer SCCs allow for onward transfers by a data importer to a recipient in another third country: (i) where such recipient accedes to the New Transfer SCCs; (ii) in certain situations, such as transfers necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iii) where the transfer is to a country which is deemed adequate by the Commission.
Schrems II Decision
Clause 14 specifically addresses the Schrems II Decision. The parties warrant that they have no reason to believe that the laws in the third country prevent the data importer from fulfilling its obligations under the New Transfer SCCs. In providing this warranty, the parties declare that they have taken account of:
- The specific circumstances of the transfer;
- The laws of the third country of destination relevant in light of the circumstances of the transfer and the applicable limitations and safeguards; and
- Any safeguards in addition to those provided under these clauses.
When assessing the local laws and regulatory practice applicable to the importer, the assessment may include relevant and documented practical experience of prior instances with requests for disclosure from public authorities covering a sufficiently representative time. The absence of such requests can also be taken into account. The Transfer Impact Assessment must be documented and provided to the competent supervisory authority when requested.
Clause 15 provides detailed rules for the event that a public authority requests the disclosure of transferred data from the data importer, such as promptly notifying the data exporter of the request, documenting the request and response, and taking all possible steps to avoid such a disclosure.
The New Transfer SCCs cannot be modified, but data exporters and importers can include the New Transfer SCCs in a wider contract and can add other clauses or safeguards so long as they do not conflict with the New Transfer SCCs or prejudice the rights of data subjects.
Governing Law and Jurisdiction
Clause 17 allows the parties to choose the law of one Member State as governing the New Transfer SCCs. However, this law must allow for third party beneficiary rights so that data subjects can invoke and enforce the New Transfer SCCs. The parties can also choose their jurisdiction under clause 18. Data subjects may bring legal proceedings against a data exporter / importer before the courts of the Member State where that data subject has their habitual residence.
Under clause 12, each party is liable to the other for any damages caused by breaching the New Transfer SCCs. Under Modules 1 and 4, each party is liable to a data subject for any material or non-material damage suffered. Where more than one party is at fault, the parties shall be jointly and severally liable. Under Modules 2 and 3, the data importer is liable to the data subject for any material or non-material damage caused by the data importer or its sub-processor, and the data exporter is liable to the data subject for any material or non-material damage caused by the data importer, data exporter or its sub-processor. The data exporter can claim back compensation from the data importer or its sub-processors to the extent that the data exporter is held liable but is not at fault.
Clause 5 stipulates that if there is a contradiction between these New Transfer SCCs and any related agreements, the New Transfer SCCs shall prevail. This has specific importance for the liability provisions as it makes it difficult for parties to deviate from, or limit, the data transfer related liability in their agreement.
Transfers to the UK
The grace period for data transfers to the UK under the EU-UK Trade and Cooperation Agreement is due to expire at the end of June 2021[5]. This grace period was intended to allow the Commission time to assess the adequacy of the UK's laws for the purposes of adopting an adequacy decision. The Commission published a draft UK adequacy decision (the "Adequacy Decision") in February 2021.
The European Parliament and the EDPB have expressed concerns in relation to the Adequacy Decision[6]. The Commission is considering these concerns, which are not legally binding on the Commission but are highly influential. Approval from the representatives of EU Member States is needed before the Commission can adopt the Adequacy Decision. If adopted, the Adequacy Decision will be valid for an initial term of four years, only renewable if the level of protection in the UK continues to be adequate. If the Adequacy Decision is not adopted before the end of this month, a GDPR Chapter V transfer mechanism (such as transfer SCCs) will need to be put in place before 1 July 2021[7].
Transfers from the UK
The UK's Information Commissioner's Office ("UK ICO") announced on 6 May 2021 that it is working on bespoke UK SCCs for international data transfers from the UK and is considering recognising transfer tools from other countries such as the EU's New Transfer SCCs.
How to Prepare for the New Transfer SCCs
Organisations should now assess their data flows and transfer arrangements and determine which Module applies to them. They should develop a strategy for updating existing data transfers and completing the transition to the New Transfer SCCs.
Organisations transferring personal data to the UK should ensure that they have an alternative transfer mechanism in place to mitigate the risk of the Adequacy Decision not being approved before the end of the month.
6. https://www.europarl.europa.eu/doceo/document/TA-9-2021-0262_EN.pdf. If the Adequacy Decision is adopted indiscriminate access to personal data is possible, the European Parliament has called on Data Protection Authorities to suspend transfers of personal data to the UK. The EDPB Opinions are available at https://edpb.europa.eu/system/files/2021-04/edpb_opinion142021_ukadequacy_gdpr.pdf_en.pdf and https://edpb.europa.eu/system/files/2021-04/edpb_opinion152021_ukadequacy_led_en.pdf