The European Commission has adopted revised Standard Contractual Clauses (New SCCs) to effectuate cross-border data transfers under the General Data Protection Regulation (GDPR). The New SCCs come into effect on June 27, 2021.
Under Article 46 of the GDPR, the Standard Contractual Clauses provide a legal basis for cross-border data transfers between entities in European Union member states and entities importing the data in non-EU countries. Cross-border data processing and transfers have become increasingly complex since the SCCs were originally drafted (Old SCCs). The New SCCs serve to address this complexity as well as the issues raised by the Court of Justice of the European Union (CJEU) in the 2020 Schrems II decision, which invalidated the EU-U.S. Privacy Shield but upheld the Standard Contractual Clauses as a permissible data transfer mechanism, subject to a case-by-case assessment of the laws of the destination country.
Organizations may continue executing the Old SCCs until September 27, 2021. On September 27, 2021, the Old SCCs will be repealed and can no longer be used for new GDPR-compliant data transfer agreements. All new contracts and data transfers relying on the SCCs as a data transfer mechanism will need to use the New SCCs in order to comply with the GDPR. Both processors and controllers will then have a transition period of 15 months, until December 27, 2022, to replace any Old SCCs executed before September 27, 2021, provided the processing operations covered by those contracts remain unchanged during that period.
I. Old vs. New SCCs Comparison
There are significant differences between the Old and New SCCs, and organizations utilizing the New SCCs will need to plan accordingly.
A. Modular Approach
The Old SCCs were entirely separate agreements for each transfer scenario (e.g., Controller-Processor and Controller-Controller). The New SCCs are drafted as a single agreement with a modular approach, applying certain subsections to transfer scenarios chosen by the contracting parties. The New SCCs enable multiple parties to join and utilize these clauses. Multiple controllers and processors may sign on to the same set of SCCs under the New SCCs, unlike the Old SCCs, which only contemplated a single exporter and a single importer as signatories.
The four transfer scenarios and modules outlined in the New SCCs include:
- Controller-to-Controller (Module One)
- Controller-to-Processor (Module Two)
- Processor-to-Processor (Module Three)
- Processor-to-Controller (Module Four)
The New SCCs expressly recognize that the data exporter can be established outside the EU, which was not considered in the Old SCCs. The Old SCCs only covered Controller-to-Controller and Controller-to-Processor transfers and did not contemplate Processor-to-Processor (including Processor-to-Sub-Processor) or Processor-to-Controller transfers, so these new transfer scenarios are a welcome development.
B. Schrems II Provisions
One of the more significant updates is that the New SCCs include provisions aimed at addressing the concerns of the CJEU in Schrems II. The New SCCs require that the local laws and practices of countries outside the EEA be assessed prior to implementation of the SCCs. Both the data exporter and data importer must "warrant" that they have no reason to believe that the laws and practices that apply to the data importer, including any requirements to disclose personal data or any measures authorizing access by public authorities, would prevent the data importer from fulfilling its obligations under the New SCCs. Both parties must conduct a "transfer impact assessment" that takes account of the following:
- Specific circumstances of the transfer (such as the nature of the data being transferred under the contract, the type of recipient and purpose of processing);
- The laws and practices of the country of destination that are relevant in light of the circumstances of the transfer; and
- Any safeguards put in place to supplement those under the New SCCs (including relevant contractual, technical, and organizational measures).
The assessment must be documented and provided to supervisory authorities upon request. If the data importer believes it cannot comply with the New SCCs, then it must notify the data exporter who may be required to suspend the transfer if appropriate safeguards cannot be ensured, or if the data exporter is instructed by the supervisory authority to suspend the data transfer.
C. Notify Data Exporter of Legal Request for Disclosure
Additionally, if the data importer receives a "legally binding request" from a public authority for disclosure of transferred personal data, it must promptly inform the data exporter and, where possible, the affected data subject. When this information is provided by a sub-processor to a processor, the processor has an obligation to inform the controller. Further, data importers must agree to review the legality of any such request, to challenge it where there are reasonable grounds to consider it unlawful, and to pursue any available appeals process.
D. Third-Party Beneficiaries and Data Subject Rights
Notably, data subjects themselves are third-party beneficiaries of the New SCCs and must be provided with a copy of the agreement upon request. The copy may be redacted to protect business secrets or other confidential information, but a meaningful summary of the redacted content and the reason for such redactions must be provided to the data subject. The New SCCs also permit data subjects to enforce the New SCCs against both data exporters and data importers. Data importers must provide data subjects with contact information and promptly address complaints and requests. The data subject has a right to lodge a complaint with a supervisory authority and may be compensated for damages suffered in relation to their personal data.
E. Onward Transfers
The New SCCs will make it more difficult to implement onward transfers. Under the Processor-to-Processor Module, the data importer is only allowed to transfer personal data to a third party on documented instructions from the initial controller, as communicated to the data importer by the data exporter.
F. Annexes
The New SCCs include an appendix with up to three annexes (depending on the modules selected) that the parties will need to complete in order to rely on the New SCCs. These annexes include the following:
- Annex I should set out the parties, a description of the transfer, and (for Modules One, Two and Three) the competent supervisory authorities;
- Annex II should contain the technical and organizational security measures to ensure an appropriate level of protection; and
- Annex III should have the list of approved sub-processors (Modules Two and Three only).
G. Liability
The New SCCs include express liability provisions: each party is liable to the other party for any damages it causes by a breach of the New SCCs. Organizations will need to carefully review any commercial liability terms entered into between the parties (such as liability caps or exclusions) to ensure they do not conflict with the liability provisions under the New SCCs.
Data subjects may also claim compensation for damages. Clause 12 sets forth liability provisions specific to each module. With respect to Module One (Controller-to-Controller) and Module Four (Processor-to-Controller), each party is liable to the data subject for any material or non-material damages it causes by breaching the data subject's third-party beneficiary rights, and where more than one party is responsible, the parties are jointly and severally liable. With respect to Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor): (i) the data importer is liable to the data subject for any material or non-material damages caused by the data importer or its sub-processor; and (ii) the data exporter is liable to the data subject for any material or non-material damages caused by the data exporter, the data importer or its sub-processor. The data exporter can claim back from the data importer or its sub-processor the part of the compensation corresponding to their responsibility, to the extent the data exporter is held liable but is not at fault.
II. Next Steps
While there is a fifteen-month transitional period permitting organizations to adopt the New SCCs, organizations will want to allow plenty of time to prepare for the potential business impacts caused by the New SCCs. Organizations should start by auditing existing contractual arrangements, identifying any changes that will be necessary, and considering the transfer impact assessment that may need to be completed. Specifically, organizations should:
- Identify which EU data flows will be impacted, and whether SCCs are necessary;
- Determine whether the organization can comply with the New SCCs’ requirements;
- Perform a “transfer impact assessment” for data flows to each country and document the result;
- Implement any necessary “supplemental measures” to enhance data protections;
- Perform diligence on customers and third-party suppliers;
- Consider which of the modules applies to their data transfers;
- Identify relevant contracts with customers and third-party suppliers;
- Agree to New SCCs with customers and third-party suppliers, and re-negotiate commercial agreements and their liability provisions as needed.
Both data importers and data exporters must ensure compliance with the GDPR. An improper implementation of the SCCs may expose an organization to litigation and other legal risks in Europe, to suspension of the underlying transfers, and to potential fines under the GDPR.
For more information about the new SCCs and how they will affect your contracts and business, please contact MMM’s Cybersecurity and Data Privacy team.