Today, the European Commission published the final Implementing Decision on standard contractual clauses (“New SCCs”) for the transfer of personal data to third countries. The New SCCs repeal the existing SCCs (dating from 2001, 2004 and 2010) and aim to address the entry into force of the General Data Protection Regulation (“GDPR”) and the decision of the European Court of Justice (“CJEU”) in Schrems II.
The New SCCs follow the draft implementing decision on standard contractual clauses (“Draft SCCs”) issued by the European Commission on 12 November 2020.
We highlight the following key takeaways:
- model terms for processor to processor and processor to controller transfers – these are types of transfers that the previous SCCs didn’t expressly allow for (as they were limited to controller to controller and controller to processor transfers).
- consolidation of all four model terms into one document – allowing controllers and processors to select the relevant clauses that apply on a modular basis.
- provision for multi-party use, as well as an optional “docking” clause – allowing additional controllers and processors to join the terms throughout the life cycle of the SCCs.
- inclusion of Article 28 GDPR processor terms – addressing a gap in the legacy SCCs which were drafted before the GDPR requirements for minimum processor terms came into force.
- ability to select the governing law and choice of jurisdiction of any Member State – this is helpful given the SCCs may cover multiple originating country transfers.
- use by non-EU established data exporters to the extent the processing is subject to the GDPR pursuant to the extraterritorial reach of Article 3(2) GDPR.
- inclusion of new clauses to address the concerns raised by the CJEU in Schrems II – including a requirement to carry out and document an assessment of the laws of the third country to confirm that the local law in the importing country does not prevent the importer complying with the terms in the SCCs, having regard to the circumstances of the transfer and any supplementary measures adopted; and to apply additional transparency and notification controls covering government access requests.
The New SCCs are published today, but will only enter into force 20 days after official publication in the Official Journal of the European Union (“OJ”) (“Effective Date”) (update: the New SCCs were published in the OJ on 7 June 2021 and will enter into force on 27 June 2021).
- Three months after publication in the OJ (update: 27 September 2021), the legacy SCCs will cease to be valid for future use (“Repeal Date”).
- During this three-month transition period you can enter into either the new or the legacy SCCs.
- Use of the legacy SCCs must stop altogether 18 months after publication in the OJ (update: 27 December 2022). Data controllers and processors will need to use this time to complete a review and repapering exercise to fully migrate to the new SCCs.
- Organisations processing data will need to assess data flows and transfer arrangements and be ready to incorporate the New SCCs in respect of all new transfers. This will need to be done within the three-month window from the Effective Date. Whilst this ‘buys some time’ it will impact any in-flight contractual negotiations which have not yet signed but may close after that time window.
- When updating templates, note that the New SCCs adopt a modular approach, which means there are some decision points to make, and adopt additional / more onerous flow-down obligations to sub-processors, which means adopting the New SCCs is likely to require more effort than simply swapping out / in the old and new clauses.
- For existing arrangements where you are using legacy SCC contracts, there’s effectively an 18-month window to migrate to the New SCCs. You will need to undertake a remediation project to analyse which data transfers may be impacted (i.e. will continue beyond that extended transition period) and take measures to update with the New SCCs.
- Recognise that the New SCCs contain Article 28 GDPR compliant terms. Consider what this means for any standard data processing agreements (“DPAs”) that you may be currently using in conjunction with the SCCs. As the New SCCs cannot be modified and will take precedence over other contract provisions, this may lead to changes in standard DPAs to remove conflicting provisions. We might also expect to see a different approach taken to negotiation of DPA provisions, with a move towards greater standardisation to the base data processing terms contained in the SCCs. This will be impacted further by the new standard clauses published by the EU to address the contractual requirements under Article 28 GDPR. These Article 28 Clauses have also been published today and while the terms will not be mandatory we do expect to see a gradual move towards standardisation given this and the New SCCs.
- Conduct a risk-based assessment of the law in the relevant third country. This follows the Schrems II decision and EDPB Guidelines, codified as a contractual requirement as the New SCCs require the parties to warrant that they have no reason to believe that the laws and practices in the country of destination prevent the importer from fulfilling its obligations under the New SCCs. The assessment must be documented and revisited if there are any changes to the relevant legal framework and be available for review by supervisory authorities on request. If the warranty can’t be met (i.e. the assessment fails to confirm equivalent levels of protection), the data exporter has an obligation to suspend the transfer and the right to terminate the contract.
- Although the New SCCs contain a number of provisions to deal with the Schrems II decision, businesses will need to consider whether any additional safeguards are required to protect personal data in the third country, in accordance with the judgement. The New SCCs will have to be used with the EDPB Recommendations on supplementary measures, the final version of which is yet to be published, and therefore there may be situations where additional supplementary measures will need to be implemented in order to ensure that data subjects are afforded a level of protection that is, essentially, equivalent to that guaranteed within the EU.
- The new SCCs will not apply for transfers of personal data from the UK to a third country. Data exports from the UK should continue to be based on the legacy SCCs until the UK publishes its own SCCs. Consultation on those is expected to take place this summer. For organisations with a mixed EU / UK estate, this adds complexity as you will need to delineate transfers as originating from these two different geographies and apply different SCCs for each. We will provide updates in due course once the UK position becomes clearer.
- Transfers from the EU to the UK continue to be covered by the EU-UK Trade and Cooperation Agreement, which provides a 6 month ‘bridging period’ to allow transfers to continue to the UK without the need for any additional measures (such as the New SCCs). We are currently waiting for the European Commission to confirm it will finalise approval of the draft decision to grant UK adequacy.
Given the time limits involved, organisations will need to act quickly to analyse their current data transfer arrangements and develop a strategy for updating templates to address the New SCCs and ultimately migrate ongoing transfers to the new terms.
The DLA Piper Data Protection, Privacy & Security team are planning a webinar and supporting tools, guidance notes and templates to provide practical help to clients in addressing these changes in the coming weeks, building on our global data transfer methodology. More information will be available to subscribers of Privacy Matters in the coming days.
For further information and advice, please get in touch with firstname.lastname@example.org or your usual DLA Piper contact.