EU: New Standard Contractual Clauses – From theory to practice
The EU Commission has issued their long awaited new Standard Contractual Clauses (SCCs). These are a vital tool to enable international transfers of personal data. We consider the key changes and how to use these new SCCs in practice.
The General Data Protection Regulation (GDPR) contains a restriction on transfers of personal data to third countries. While there are a number of exceptions, for many transfers the only practical solution is the use of SCCs. These are a template contract prepared by the EU Commission. Most large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients, many of which will depend on SCCs.
The validity of the SCCs was considered by the CJEU last year in Schrems II (Case C‑311/18). The Court concluded that while the SCCs were still valid, the underlying transfers must be assessed on a case by case basis to determine whether the personal data will be adequately protected. This is, in effect, a transfer impact assessment.
In light of Schrems II, the EU Commission has overhauled the old clauses to produce the new SCCs released today. The EDPB also issued recommendations in November 2020 (discussed here) though one of the recommendations has not yet been finalised.
The good news is that the structure of the new SCCs follows the draft issued last year. It is modular and allows transfers:
- from controller to controller (Module 1);
- from controller to processor (Module 2);
- from processor to sub-processor (Module 3); and
- from processor to controller (Module 4).
The option to cover transfers from processor to sub-processors is long overdue and solves a long-standing problem of trying to justify transfers by processors to third countries. These provisions are broadly sensible though there are some interactions between the sub-processor and the controller which may be difficult to organise in a commercial relationship. For example, if the sub-processor wishes to use further sub-processors, it must obtain consent from the controller (see Article 9(a), Module 3).
Similarly, the new SCCs are also designed to operate on a multi-party basis allowing a single set of SCCs to cover transfers of personal data between a number of parties. While the old Standard Contractual Clauses were often used in this way, it is helpful to see this practice formalised.
Added to this there is a “docking clause” allowing new parties to be added over time. This will be useful in a number of situations, especially in case of intra-group transfers.
The substantive obligations under the SCCs are more burdensome. In broad terms, the new SCCs impose a lightweight form of the GDPR on the data importer, all backed up by third party rights for data subjects. Some of these obligations are new (stemming from the GDPR) while others already existed in the old Standard Contractual Clauses.
The exact obligations vary depending on the type of transfer but to take controller-controller transfers as an example (Module 1):
- Purpose limitation: The data importer can only use personal data for the purposes described in the new SCCs, unless it obtains the data subject’s consent, or the processing is necessary for legal claims or to protect vital interests.
- Transparency: The data importer must, directly or via the data exporter, provide data subjects with various information, including its identity and onward transfers.
- Other principles: The data importer must comply with the principles of accuracy, data minimisation and retention.
- Security: The data importer must keep the personal data secure. If there is a breach it may need to notify the data exporter, data subjects and the supervisory authority(ies), depending on the severity of the breach.
- Onward transfer: There are specific controls on onward transfers to third parties outside the EU, unless certain conditions are met (including the third party signing up to the SCCs).
- Data subject rights: The data importer must comply with data subject rights, including data subject access rights, and rights to correct, object and erase personal data.
- Complaints mechanism: The data importer must provide a complaints handling process for data subjects.
- Submission to jurisdiction: The data importer must submit to EU jurisdiction. This includes submitting to the jurisdiction of the relevant supervisory authority(ies) and the courts in which the data subjects have their residence. Data subjects will be entitled to compensation for material and non-material damage, and the data exporter and the data importer will be jointly and severally liable.
These are onerous obligations and data importers will need to consider compliance with these obligations carefully. In particular, while the old Standard Contractual Clauses were sometimes just signed and “put in the drawer”, the regulatory and civil litigation risk for non-compliance with data protection requirements has increased significantly over recent years. Some data exporters and importers should anticipate close scrutiny of their compliance with these clauses.
Transfer Impact Assessments
The most onerous provisions in the new SCCs are the Schrems II-proofing clauses which require the parties to initially assess the risk of transferring personal data to a third country and take appropriate action if access to that data is sought.
In relation to such transfer impact assessment:
- Assess: The parties must carry out a comprehensive risk assessment of (i) all the facts of the transfer; (ii) the local laws of the data importer (including access by law enforcement and national security agencies) and the data importer must make best efforts to assist with this; and (iii) any relevant technical, contractual or organisational safeguards. This assessment will be a burdensome process, particularly given the local laws of the data importer may be complex or obscure in some jurisdictions.
- Document: The risk assessment must be documented and provided to the supervisory authority on request.
- Update: The data importer must notify the data exporter if local laws and practice change following which the data exporter must take appropriate action, such as using additional protection measures or stopping transfers.
If the personal data is subsequently accessed by public authorities:
- Notify: The data importer must notify the data exporter either of a public authority’s request to access data or where the public authority directly accesses personal data. If the data importer is unable to make that notification, it must use best efforts to obtain a waiver.
- Information: Where allowed, the data importer must provide as much information as possible on requests, e.g. number and type of requests.
- Push back: The data importer must review requests for legality and challenge them if there are reasonable grounds to do so. It must document its legal assessment and minimise the data disclosure as much as possible.
The EDPB Guidance
While the new SCCs have now been finalised, the EDPB’s recommendation on compliance with the Schrems II judgment is still in draft (here). It is expected to be finalised shortly. (The EDPB has released in final form its recommendations on assessing the legal regime of a third country, referred to as the European Essential Guarantees (here).)
It will therefore be interesting to see how the EDPB’s final recommendation on Schrems II interacts with the new SCCs and the extent to which it requires additional measures on top of those set out in the new SCCs.
The great repapering
The old Standard Contractual Clauses will be repealed three months after the underlying Commission Decision enters into force. This means that businesses should start to update their systems, processes and templates so that new transfers are based on the new SCCs and compliant with their provisions.
Existing transfers based on the old Standard Contractual Clauses will be grandfathered for 18 months from the underlying Commission Decision entering into force. Businesses will need to use that period to identify all such transfers and repaper them with the new SCCs.
This is a relatively generous period, but many large companies will likely have hundreds, if not thousands, of the old SCCs in place so identifying them all and migrating them to the new SCCs could take a significant amount of time and effort.
LegalTech may prove particularly helpful in this context, and Linklaters is working on a technological set-up that should enable us to streamline the process and assist our clients in a cost-effective way.
The UK perspective
The approach of the UK to the new SCCs is not entirely clear. While the UK has announced that it is currently preparing its own contractual clauses and will consult on them in the summer, the key questions are:
- Can the EU’s new SCCs be used in the UK? The EU’s new SCCs will not be automatically valid for transfers from the UK. The UK could decide to recognise them and for large companies this would be a significant benefit as it would allow a common approach to be taken to international data transfers. Approval by the UK of the EU’s new SCCs would also cause little disadvantage to UK businesses who would always have a choice between the EU SCCs and the new UK clauses as and when they arrive.
- What will the new UK contractual clauses look like? The UK Government has a long-standing ambition to liberalise international data transfers so any new UK contractual clauses will likely be less burdensome than the new SCCs. However, the UK Government has a difficult balancing act here. If the UK clauses are not seen as sufficiently protective, that might endanger the UK’s adequacy status.
- Will the old EU Standard Contractual Clauses remain valid in the UK? The position here is clear. The validity of those clauses is recognised in UK law by virtue of paragraph 7(2) of Schedule 21 to the UK Data Protection Act 2018 and that will be unaffected by the introduction of the EU’s new SCCs. Thus, for the time being the old clauses can continue to be used in the UK.
Does this strike the right balance between burdens and protection?
The EU Commission faced a difficult balancing act in preparing the new SCCs, having to ensure they are both practical and robust against future challenge.
Making the clauses too onerous could unduly restrict global data transfers at a time when the EU economy is seeking to recover from the Covid pandemic, as well as placing extra burdens on EU business and hampering the adoption of the new SCCs. In contrast, the clauses need to be robust against any future challenge. If there is a Schrems III challenge in the CJEU, the EU Commission will want to avoid the risk of further disruption from striking down the new SCCs.
This has inevitably resulted in the new SCCs being more burdensome than the old clauses but arguably in line with the very tight constraints imposed by the CJEU in Schrems II.
The new SCCs are available here.