Data transfers and their legal mechanisms are changing. Standard Contractual Clauses (SCCs) have been an integral part of international data transfers. Under EU data protection law, organisations handling EU personal data cannot transfer such data to third countries without some form of protection. SCCs have become the most practical, and hence most used, form of ensuring such protection. Following the publication of new draft SCCs back in November and a subsequent consultation period, the EU Commission announced on the 4th June 2021 that it had adopted two new sets of SCCs, updating previous clauses which were adopted before the introduction of GDPR. Hence the new SCCs are a product of the ramped-up regulatory environment created by GDPR. Additionally, and significantly, the new SCCs respond to the ruling last summer (July 2020) in Schrems II.

What are Standard Contractual Clauses?

SCCs are essentially a set of clauses to enable lawful data transfers of EU personal data. They can be copied into a contract or form an independent agreement between a data exporter (based in the EU or UK) and a data importer (based in a third country) to ensure an adequate level of protection for personal data being transferred between two entities. Two sets of clauses have been published by the EU Commission: one for the transfer of personal data to third countries and one for use between controllers and processors based in the EU.

Schrems II

The ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) was significant for SCCs for two reasons. Firstly, it invalidated the EU-US Privacy Shield, which many US organisations relied upon to transfer personal data out of the EU. In the same way that SCCs are considered to give personal data transfers out of the EU adequate protection, the Privacy Shield, if all principles were adhered to, could also offer such protection. Now that it has been invalidated, more US organisations will be relying upon SCCs to ensure adequate protection of personal data transfers.

Secondly, the ruling reviewed the effectiveness of the SCCs in place at the time and, whilst considering them to be a valid mechanism for data transfers, introduced new obligations on both data importers and data exporters. It was said that organisations should review the agreements they have in place by assessing whether to implement additional technical and organisational as well as contractual measures. This amounts to what has been described as a ‘data transfer impact assessment’ and is directly addressed in the new SCCs published by the EU Commission.

New SCCs for data transfers

The new SCCs have therefore been introduced to align with the high standards of data privacy introduced by GDPR, to amend previous deficiencies, such as a lack of variety of potential arrangements, and to address uncertainties about how to assess whether or not to implement organisational/technical measures after the ruling in Schrems II. These are dealt with respectively below.

New obligations/liabilities

Firstly, the new SCCs impose a ‘light-weight’ form of the GDPR on data importers. This comes in the form of third party rights for data subjects. It requires data importers to consider the following obligations: purpose limitation, transparency, accuracy, data minimisation, retention, security, onward transfers, data subject rights, complaints mechanism and submission to jurisdiction. The final obligation means a data importer must submit to the laws of the EU country from which the personal data is being exported, including its courts and data protection regulatory authority.

Secondly, the data importer must now notify the data exporter in case of requests from public authorities or any direct access by public authorities to data transfers protected by SCCs. Data importers are also expected to try and obtain a waiver of a prohibition for a data exporter to be notified of such public authorities’ access.

And thirdly, data importers and exporters are now liable in relation to any damages to data subjects caused by a breach of the SCCs – material or non-material. In contrast to the GDPR, which requires a breach of both parties in case of joint liability, in some scenarios created by the new SCCs (controller-to-processor and processor-to-processor), the data exporter in Europe is now liable for violations by its processor or even sub-processor.

Modular approach for data transfers

The new SCCs employ a modular approach, i.e. they create potential for an increased number of data transfer scenarios/modules. These include:

  • controller to controller;
  • controller to processor;
  • processor to sub-processor; and
  • processor to controller.

The processor to sub-processor module solves a long-standing problem. Up until now processors have been unsure of how to justify transfers to third countries. Now specific clauses exist to enable such data transfers. The only possible issue with the new modules is that any sub-processor wishing to engage a further sub-processor will have to get the permission of the original controller.

The new SCCs also allow the clauses to be used in a multi-party agreement without having to be replicated for each individual relationship. In practice this has been going on for a while but now it has been officially sanctioned. A related innovation in the new SCCs is also the possible introduction of a docking clause. The docking clause allows new parties to be added to the agreement over time.

Data transfer impact assessments

Clause 14 lays out the ways in which parties to an agreement can ensure compliance with the obligations introduced by Schrems II for data transfers. It says the parties must take due account of:

  • the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs, and the storage of the data transferred.
  • the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities.
  • any relevant contractual, technical, or organisational safeguards put in place to supplement the safeguards under the SCCs, including measures applied during transmission and to the processing of the personal data in the country of destination.

Additionally:

  • the parties agree to document the assessment described and make it available to supervisory authorities on request.
  • the data importer warrants that it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with this assessment.
  • the data importer must notify the data exporter either of a public authority’s request to access data or where the public authority directly accesses personal data. If the data importer is unable to make that notification it must use best efforts to obtain a waiver.
  • the data importer must review access to personal data requests for legality and challenge them if there are reasonable grounds to do so. It must document its legal assessment and minimise the data disclosure as much as possible.

Moving forwards with data transfers

Organisations will be relieved to know that the European Commission has allowed for an 18-month transition period in which the previous SCCs will still be legally recognised (as opposed to the 12-month transition period suggested in the drafts). This should give time to review current data transfers and agreements and to update clauses where needed.

We are also still waiting for the final ‘Recommendations for Supplementary Measures’ in relation to the ruling in Schrems II from the European Data Protection Board (EDPB), which were open for feedback after being published in draft form in November. The EDPB have said ‘the recommendations… were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing’.

UK perspective

As it stands, the new SCCs are not recognised in the UK and it will be up to the ICO to decide whether to accept their usage. The ICO is currently preparing its own contractual clauses and will consult on them over the summer. Allowing the use of both EU and UK approved SCCs will no doubt be of benefit to the EU’s adequacy decision for the UK (meaning whether the EU considers the UK adequate for data protection purposes and hence allows free flows of data to occur between the two regimes).

It is important to note, however, that the UK has been wanting to liberalise data transfers for some time and so the new ICO-sanctioned clauses may well be less cumbersome than the new EU ones. Finally, for clarity, the old EU SCCs remain valid in the UK and should be, for the time being, the place where organisations transferring UK personal data go when putting agreements in place. You can find the clauses on the ICO’s website.

Here to help

Data transfers have up until now often been a case of signing up to some clauses or entering into an agreement and then leaving it be. With the introduction of GDPR, the ruling in Schrems II and the old pre-GDPR SCCs now outdated, organisations need to be mindful of new obligations and, most significantly, the need for transfer impact assessments. Such assessments may need to be undertaken by a third party. If you need your current data transfer agreements reviewed, we are here to help.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.