Blog: The New SCCs – what businesses need to know
Sarah Slevin and Natalie Dillon of Ronan Daly Jermyn explore the fundamental objectives of the new SCCs and the key dates and steps organisations should now take.
On 4 June 2021 the European Commission issued its eagerly awaited decision publishing the new Standard Contractual Clauses, or SCCs (New SCCs) for the GDPR-compliant transfer of personal data to third countries.
Overall, the New SCCs bring much needed clarity to the steps required to transfer personal data to third countries; however, the obligations on both data exporters and data importers to comply with the clauses remain onerous.
The real outcome of these New SCCs is not that it will be any easier to transfer data outside of the EEA; rather, it is the resolution of certain practical issues affecting the prior sets of SCCs (Prior SCCs), aligning with Directive EU 2016/679 General Data Protection Regulation (GDPR), as well as more clearly spelling out what data exporters and data importers need to assess, and what further steps they need to take, so that protection equivalent to that afforded to personal data in the EU is provided in the importing country.
This article will address those fundamental objectives of the New SCCs, the impact of Schrems II on the European Commission’s final decision and detail some of the notable differences between the Prior SCCs and the New SCCs.
The New SCCs will be available for use from 27 June 2021, with the Prior SCCs being repealed three months following publication of the new rules. Contracts that incorporate the Prior SCCs will remain valid until the end of 27 December 2022, after which time the New SCCs must be entered into in replacement of the Prior SCCs; however, any new arrangements entered into after 27 September 2021 must use the New SCCs.
In practice, this means that contracts entered into from 27 June 2021 to 27 September 2021 can choose the new regime or the old regime; if parties choose to be bound by the Prior SCCs, they will need to update their contract before the expiration of the above 18-month period. Contracts entered into after 27 September 2021 must comply with the New SCCs.
Schrems II: The Genesis of the New SCCs
The use of SCCs as a means of transferring personal data to third countries has become a critical focus for privacy professionals following the decision of the Court of Justice of the European Union (CJEU) in Schrems II.
- The decision struck down Privacy Shield, another key mechanism that allowed for the exchange of personal data between the EU/EEA and the US specifically. As a result, many organisations sending personal data to the US could, from then on, only transfer personal data by means of SCCs, underscoring the importance of SCCs as the only mechanism to transfer personal data outside the EEA without a third country having obtained an adequacy decision under the GDPR.
- However, Schrems II scrutinised the effectiveness of the SCCs as well. Although the Prior SCCs were upheld as a valid means of exchanging personal data with a third country, the CJEU stressed that organisations must, on a case-by-case basis, verify that EU personal data being transferred outside of the EU will be adequately protected in the destination country in line with the level of protection set out in the GDPR.
The Schrems II decision cast significant uncertainty over just how to legally transfer personal data outside of the EEA, notwithstanding that the SCCs were upheld. There was a particular concern as to whether the risk-based approach to assessing a destination third country’s local laws would be maintained (see further on this ‘risk-based approach’ below).
Aligning with the GDPR
Fundamentally, the New SCCs seek to extend the protections for personal data set out in the GDPR to third countries (those that have not secured an ‘adequacy’ decision from the European Commission) when those third countries process EU citizens’ personal data. Here are some of the key obligations to which data importers are subject in order to ensure this level of protection (these requirements sometimes impact data exporters also).
- Clause 8 sets out many of the fundamental protections to which EU personal data is entitled and applies them to data importers, as well as including a warranty from the data exporter that it has used reasonable efforts to determine that the data importer can, through technical and organisational measures, meet its obligations under this Clause. Helpfully, the modular approach newly incorporated into the New SCCs (see further on this below) allows the New SCCs to be adapted to the particular relationship in question (for example, controller to controller transfers or controller to processor transfers). The New SCCs also incorporate the requirements of Article 28 of the GDPR, and so can also be used as the ‘data processing agreement’ required to be entered into between controllers and processors under that Article. Clause 9 deals with any transfers to sub-processors by a processor, again in line with Article 28.
- Clause 10 sets out data subject rights equivalent to those contained in the GDPR and that data importers are obliged to vindicate. Broadly speaking, these reflect obligations on data controllers/data processors under the GDPR.
- Clause 11 requires data importers to provide data subjects with an easily accessible contact point authorised to handle complaints relating to the New SCCs. The data importer may also allow data subjects to lodge complaints with an independent dispute resolution body. If the data subject invokes third party beneficiary rights and files a complaint, the data importer must agree to accept a binding decision under EU or Member State law. It is important to note here that Clause 17 provides that the parties must agree to be bound by the laws of a country allowing for third party beneficiary rights.
Key improvements in the New SCCs
- Modular clauses
A difference which will have a major practical benefit is the introduction of a ‘modular approach’. Rather than having different SCCs for different relationships between exporters and importers (controller to controller transfers, controller to processor transfers, etc.), we now have one set only, with ‘modules’ to be used as appropriate to the relationship in question. This shift away from the previous separate sets of clauses is welcome, as the old approach failed to recognise the complexity of modern data processing chains.
- Docking clause
The modular approach of the New SCCs is further complemented by the introduction of an optional ‘docking clause’ in Clause 7 to enable third parties to accede to the agreement at any point in time provided the existing parties all agree. This is a major improvement which will likely benefit large scale intra-group or extra-group data transfers when compared to the Prior SCCs, which would have required a new or additional agreement to be re-executed.
- Onward transfers
Clause 8 prohibits onward transfer of the personal data to a third party located outside of the EEA unless that party agrees to be bound by the New SCCs. However, a number of exemptions are allowed, including where express consent of the data subject is obtained, where the third country benefits from an adequacy decision and where it is necessary in the case of a legal claim.
- Requests from authorities
The New SCCs include detailed requirements regarding the actions that a data importer must take in the event that it receives a request from a government authority for access to personal data transferred using the New SCCs. These changes are also intended to address Schrems II-related concerns (more below).
- Data subjects to benefit directly
The New SCCs, like the Prior SCCs, require that data subjects be made third-party beneficiaries of many of the New SCCs’ provisions. The New SCCs place greater emphasis on those third-party beneficiary rights by requiring that they be enforceable under the law governing the contract. Although this may have been problematic in Ireland (Irish law not generally recognising third party rights under contracts), we have been promised new legislation to address this question.
It is important to emphasise that data importers and data exporters cannot simply prepare and sign the New SCCs and take no further action – in our post-Schrems II world, much more is required.
One of the key questions to be addressed as part of the proper implementation of the New SCCs by data exporters and data importers will be the assessment as to whether or not there is reason to believe that “the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under [the New SCCs].” Clause 14 goes on to require that parties consider:
- the nature of personal data transferred and purpose for processing;
- the law and practice of the third country; and
- any relevant contractual, technical or organisational safeguards implemented as supplementary measures.
Transfer Impact Assessment
This assessment must be made available to the Competent Supervisory Authority (in Ireland, the Data Protection Commission) if requested. This assessment has become known as a ‘Transfer Impact Assessment’, a term with which data importers and data exporters are going to become intimately familiar and which will take on an importance equivalent to a data protection impact assessment under the GDPR. This Transfer Impact Assessment will require significant collaboration between data exporters and data importers in assessing the circumstances of the transfer and the relevant laws and practices of the recipient country (see further on this below), as well as further action by data importers to implement those ‘relevant contractual, technical or organisational safeguards’ to supplement protections under the New SCCs where necessary to ensure that the parties can give the above warranty.
Regarding what such safeguards could or should look like, the parties should look, primarily, to the European Data Protection Board’s (EDPB) ‘recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ (the Recommendations). The Recommendations provide a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place. The Recommendations set out six key steps to GDPR-compliant personal data transfer. We have incorporated these into our section entitled ‘What do I need to do?’ below. The suggested supplementary measures incorporated into the Recommendations are divided into three categories (technical, contractual and organisational) and, helpfully, the Recommendations apply the measures they suggest to a number of different use cases to show how in some circumstances supplementary measures can be effective but in others supplementary measures may still not be enough.
It is important to note that the Recommendations explicitly recognise that some supplementary measures may be effective in some countries but not necessarily in others, and that a combination of supplementary measures may be required. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and the transfer tool you are relying on, and you will be held accountable for the decision you take. And, according to the EDPB: “[y]ou may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.”
This is another reminder that the New SCCs are no panacea for deficiencies in regimes for protecting personal data in non-European countries. It is very likely that particular transfers to many countries, including, for example, the USA, may be incapable of benefitting from the protections necessary to effect transfers legally.
It is also important to note that the requirements set out in Clause 14 are of an ongoing nature, meaning that if at any point in time the data importer discovers that adequate protection will not be possible, the data importer must notify the data exporter, who can then either adopt supplementary measures to ensure adequate protection or suspend the transfer if such measures cannot be applied. These supplementary measures will be identified by the parties in Annex II to the New SCCs at the outset of the agreement.
Assessment of Transfer: ‘Risk-Based Approach’?
In setting out the obligations on the parties to the New SCCs regarding the assessment of the ‘laws and practices’ of the recipient third country, one of the most anticipated elements was always whether or not the New SCCs would allow the assessment to include the practical experience of the parties, or whether an approach based solely on strict legal rules would be maintained. It appears that the New SCCs have sought a balance here – requiring an assessment of the laws and practices of the recipient country that require disclosure, etc., but also noting, by way of a footnote, that ‘different elements’ can be considered as part of this assessment, including ‘relevant and documented practical experience’ with requests for access, including the absence of any such requests, as long as this experience is supported by relevant, objective elements. These elements must be weighted by ‘reliability and representativeness’ to support whatever conclusion is reached. This position represents somewhat of a step back from the more hardline approach advocated by certain parties, such as the EDPB and the European Data Protection Supervisor; however, it is clear that the European Commission has taken account of the advice of these bodies when drafting the updated clauses.
What do I need to do?
If you are a data exporter (sending personal data controlled by you outside of the EEA) or a data importer (outside the EEA and receiving personal data on European residents) looking to rely on the New SCCs, then the following are the key steps that, in our view, should be taken by you.
- Assess your transfers: Review, map and document all data transfers currently being undertaken, including detail on the importing country, the processing being undertaken in that country, etc.
- Identify your basis for your transfers: If currently relying on the Prior SCCs, then it will soon be time to make a change. Consider also whether other transfer mechanisms are available – for instance, if there is an adequacy decision in respect of the third country to which the personal data is being transferred.
- Assess the need for these transfers: Although not a separate step in the Recommendations, we have called out this requirement separately due to its importance in ensuring compliance with the New SCCs and the GDPR. Consider why the data transfers you have identified need to be made – under the GDPR, you must ensure that all processing, including any transfers, is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (in the case of transfers, transferred to and processed in the third country).
- Undertake a Transfer Impact Assessment: As required by Clause 14, the parties (i.e. both the data exporter and the data importer) will need to collaborate on the preparation of a comprehensive assessment of their ability to give a warranty regarding the ‘laws and practices in the third country’ and their impact on the parties’ ability to comply with the New SCCs, as discussed above.
- Consider any possible ‘supplementary measures’: This step is necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the protections afforded to personal data in the EU. Use the Recommendations to assess what options are available to you.
- Decide whether to proceed with the transfer: As noted above, it may ultimately be the case that a compliant transfer is simply not possible. In that case, it is the duty of the data exporter not to proceed with the transfer. Although potentially problematic for the data exporter, it is a necessary inconvenience to ensure that the organisation does not find itself in breach of its legal obligations to protect personal data, with the attendant financial and reputational consequences.
- Keep under constant review: Neither laws nor transfers are static, and thus what was previously a compliant transfer may not always remain so. For this reason, data exporters should monitor, on an ongoing basis and in collaboration with data importers where necessary, developments in laws, practices and the specific processing activities. Accountability never ceases.
RDJ’s experienced data protection team is ready to assist data exporters and data importers in implementing and ensuring compliance with the New SCCs.