The Background: Transfers of personal data to countries outside the European Economic Area ("EEA") must meet certain requirements under the General Data Protection Regulation ("GDPR"). If the third country does not provide an adequate level of data protection, the most common safeguards are Standard Contractual Clauses ("SCCs").
The Development: On June 4, the European Commission published the Commission Implementing Decision on SCCs for the transfer of personal data to third countries. These "new" SCCs are intended to replace the "old" SCCs, which were developed under the predecessor of the GDPR, the European Union Directive 95/46/EC.
Looking Ahead: As from the entry into force of the new SCCs on 27 June 2021, entities can enter into the old SCCs for a period of only three months. Those that have implemented the old SCCs can rely on them as transfer safeguards for an additional 15 months, for a total transition period of 18 months ending on 27 December 2022 for entities relying on "old" SCCs.
On 4 June 2021, the European Commission adopted new SCCs for the transfer of data to third countries that do not meet GDPR requirements for an adequate level of data protection. Countries that do meet GDPR adequacy requirements can be found here. SCCs are model data transfer terms that are implemented between entities in the EEA exporting personal data and entities in third countries importing the data. This Commentary addresses some of the key differences between the old and new SCCs, and important considerations moving forward under these new requirements.
Main Differences Between the "Old" and the "New" SCCs
There are many differences between the old and the new SCCs. The old SCCs were developed under the predecessor of the GDPR, the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The old SCCs consisted of different sets developed in 2001 (amended in 2004) and 2010. Recent legislation and case law has made it necessary to modernize the SCCs.
Modular approach: One of the many important differences is that the new SCCs provide for a modular approach. The old SCCs were structured for transferring personal data either from an EEA data controller to a data controller or data processor outside the EEA. The new modular SCCs also provide safeguards for data transfers from a data processor to a data controller or data processor.
The new types of SCCs address (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-)Processor and (iv) Processor-to-Controller transfers and incorporate the various types of data transfers in a modular concept. The old SCCs are separate, free-standing agreements for each type of data transfer, whereas the new SCCs contain certain content which is applicable to all four transfer scenarios such as, for example, introductory provisions or provisions on noncompliance and termination. The new SCCs also contain modular content, which is only applicable to specific types of the four data transfer scenarios.
Additional data processing agreement: Another difference concerns the need to implement provisions of a data processing agreement between controllers and processors, and processors and sub-processors respectively, in addition to the SCCs. Under the old SCCs, it was necessary to implement certain additional contents of a data processing agreement, as the old SCCs were established under the predecessor of the GDPR and did not take into account all of the requirements under Article 28 GDPR. The new SCCs set out appropriate safeguards for transfers of personal data from controllers to processors and processors to sub-processors respectively, pursuant to Article 28 GDPR. Therefore, a separate data processing agreement is no longer required.
Strengthened data subject rights: Data subjects are able to enforce several provisions of the new SCCs against both the data exporter and the data importer. Under the old SCCs, data subjects could enforce third-party beneficiary clauses only against the data importer or the sub-processor, if the data exporter, and in case of a sub-processor also the data importer, had factually disappeared or ceased to exist in law.
Multiparty SCCs: The new SCCs expressly permit that more than two parties may adhere to the SCCs. Moreover, additional data controllers and data processors may accede to the new SCCs as data exporters or data importers. The new SCCs are particularly designed to be used by multiple parties and to allow for change over time by including arrangements for new parties to accede to them via a "docking clause".
Use by non-EU data exporters: While the old SCCs could only be used by controllers established within the EEA, the new SCCs address (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-)Processor and (iv) Processor-to-Controller transfer scenarios and may also be used by controller or processor entities not established in the EEA, to the extent that the processing falls under the GDPR (pursuant to Article 3(2) thereof).
Transfer Impact Assessment Remains Required Under the New SCCs
The new SCCs incorporate elements of the Schrems II decision of the European Court of Justice (see our previous Alert, "Schrems II Confirms Validity of EU Standard Contractual Clauses, Invalidates EU-U.S. Privacy Shield"). In particular, the data exporter is required to document the transfer impact assessment and make it available to the competent supervisory authority on request. The new SCCs also provide guidance on performing a transfer impact assessment by prescribing criteria that the data exporter must take into account for such assessment.
Enforcement by the Competent Supervisory Authority
The competent supervisory authority of the EU Member State in which the data exporter is established is responsible for ensuring compliance with the GDPR in connection with the data transfer. Where the GDPR applies to companies not established in the EEA by virtue of Article 3(2) GDPR, determining the competent supervisory authority will depend on whether the data exporter has appointed a "EU representative" under Article 27 GDPR.
Data subjects invoking their rights as third-party beneficiaries may lodge a complaint with the competent supervisory authority specified in the new SCCs or refer the dispute to the competent courts in the EU. In order to ensure effective enforcement, the data importer is required under the new SCCs to submit itself to the jurisdiction of and cooperate with such authority and abide by any binding decision under the applicable EU or Member State law, including decisions issued by a court of an EU Member State.
SCCs for Data Transfers from the EEA to the United Kingdom and from the United Kingdom to Non-EEA Countries
Transfers of personal data from the EEA to the UK can continue unrestricted until 1 July 2021 by virtue of the Trade and Cooperation Agreement between the EU and the UK. After this date, SCCs will be required to transfer personal data from the EEA to the UK, unless the European Commission grants an adequacy decision for transfers of personal data from the EEA to the UK. The procedure for the adoption of such an adequacy decision was commenced by the EU Commission on 19 February 2021.
For data transfers from the UK to non-EEA countries, companies should not use the new SCCs. The Information Commissioner's Office ("ICO") has issued guidance that the olds SCCs can continue to be used for these data transfers. The ICO intends to publish and consult on UK SCCs during 2021. Given the need to comply with the Schrems II decision and the requirement to apply comparable protections to the GDPR to obtain an adequacy decision, it is hoped that these UK SCCs will be comparable to the new EU SCCs. However, until they are adopted and the extent of any transition period is known, UK companies should continue to use the old EU SCCs together with supplementary measures to take account of the requirements of Schrems II. For more information, please visit the ICO's website on SCCs here.
Standard Contractual Clauses for Data Processing Agreements
The European Commission has also adopted another decision on a set of standard contractual clauses under Article 28 GDPR for the use between controllers and processors established in the EEA. These standard contractual clauses concern the provisions necessary for a data processing agreement pursuant to Article 28 GDPR and should not be confused with the SCCs which are safeguards for the transfer of personal data to third countries.
Four Key Takeaways
- The EU Commission has adopted new SCCs for the transfer of personal data to third countries. The new SCCs address (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-)Processor and (iv) Processor-to-Controller transfers. They incorporate the various types of data transfers in a modular concept.
- Entities having entered, or entering, into the old SCCs before 27 September 2021 will be able to rely on them for a transition period ending 27 December 2022.
- While the new SCCs incorporate elements of the Schrems II decision, companies remain required to conduct a data transfer impact assessment for each transfer.
- Besides SCCs as transfer safeguards, the EU Commission has also published standard contractual clauses for a data processing agreement under Article 28 GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.