Today, 4 June 2021, the European Commission has formally adopted new standard contractual clauses for international personal data transfers from the European Union to third countries ("New EU SCCs").
The 34-page New EU SCCs, which have been adopted to reflect the introduction of the General Data Protection Regulation ("GDPR") and the pending EDPB Recommendations on supplementary measures, will replace the controller-to-controller and controller-to-processor standard contractual clauses that were adopted under the previous Data Protection Directive for personal data transfers outside the European Union ("Old SCCs").
Businesses that currently rely on the Old SCCs as a transfer mechanism for international personal data transfers outside the European Union will have 18 months to update their intra-group transfer agreements and renegotiate their contracts with customers, vendors and other counterparties they share personal data with to replace the Old SCCs with the New EU SCCs. There will be a limited period of three months during which businesses can still enter into new contracts using the Old SCCs. However, these contracts will also need to be updated to the New EU SCCs within the 18-month period.
The European Commission commented that the New EU SCCs offer a "practical toolbox" to comply with the Schrems II judgment, with an overview of the steps businesses have to take to comply with the judgment, and with encryption and pseudonymisation given as examples of possible supplementary measures. The formal adoption of the New EU SCCs follows a public consultation by the European Commission and feedback from the European Data Protection Board on the draft version of the New EU SCCs published on 12 November (see our client alert with detailed comments on the draft version).
Together with the New EU SCCs, the European Commission also adopted standard clauses that may be used between controllers and processors which meet the requirements in Article 28 of the GDPR ("Article 28 Clauses"). The Article 28 Clauses might bring a simplification of the negotiations between controllers and processors over data processing agreements.
What should businesses expect from the New EU SCCs?
- Modular approach: The New EU SCCs use a modular approach where specific sets of clauses can be used not only for controller-to-controller and controller-to-processor transfers, but also for processor-to-processor and processor-to-controller personal data transfers. Additionally, the New EU SCCs offer the possibility for more than two parties to join and use the clauses through the docking clause.
- 18-month transition period: Businesses will have 18 months (as opposed to 12 months in the draft published by the European Commission in November 2020) from the date the European Commission's decision enters into force to update all contracts incorporating the Old SCCs for transfers outside the European Union with the New EU SCCs.
- No separate Article 28 GDPR provisions required: Entering into the New EU SCCs will replace the need for the controller to impose separate contractual measures on the processor to comply with the controller's obligations under Article 28 of the GDPR, which should simplify negotiations with counterparties in the future.
- Local law assessment: Both the data exporter and data importer will be required to warrant that they have carried out an assessment of the local laws in the jurisdiction to which the personal data will be transferred under the New EU SCCs and have no reason to believe that the laws and practices in that jurisdiction will prevent the data importer from fulfilling its obligations under the New EU SCCs when taking into account the relevant safeguards put in place to supplement the safeguards in the New EU SCCs. Additionally, the parties will be required to document the assessment and make it available to a data protection supervisory authority on request.
- Security measures: The New EU SCCs require that the technical and organisational measures adopted to safeguard the personal data transfers are described in specific (and not generic) terms in Annex II. Additionally, Annex II should clearly indicate which measures apply to each transfer.
- Identification of a competent supervisory authority: The New EU SCCs specify that the data protection supervisory authority with responsibility for ensuring compliance with the GDPR by the data exporter will be the competent supervisory authority. If the data exporter is not established in an EU Member State, then the competent supervisory authority will be the supervisory authority of the Member State in which the European representative is established. Importantly, by entering into the New EU SCCs the data importer agrees to submit itself to the jurisdiction of the competent supervisory authority and respond to its enquiries, submit to audits and comply with the measures adopted by such supervisory authority.
- Data importer's obligations in case of access by public authorities: There are specific provisions that data importers will have to comply with if they receive a legally binding request from a public authority for the disclosure of the personal data transferred under the New EU SCCs.
How does the adoption of the New EU SCCs affect transfers from / to the United Kingdom?
Currently, the UK Information Commissioner's Office ("ICO") only recognises the Old SCCs as an adequate transfer mechanism for international personal data transfers from the UK. However, at the beginning of May 2021, the ICO announced that it was working on bespoke UK standard contractual clauses for international personal data transfers and it intended to publish a draft for public consultation in the summer. The ICO also stated it was considering whether to recognise the New EU SCCs as a valid transfer mechanism under the UK GDPR.
Hopefully, the ICO will make a decision whether to recognise the New EU SCCs shortly to give businesses wishing to use the New EU SCCs legal certainty that such contracts could also serve as an adequate transfer mechanism under the UK GDPR (and avoid having to use at the same time the Old SCCs for transfers outside the UK and the New EU SCCs for transfers outside the EU).
What should businesses be doing right now?
Businesses should review their contractual arrangements with external parties and their intra-group transfer agreements and identify those that currently incorporate the Old SCCs. For contractual arrangements that will continue for longer than 18 months, businesses should start approaching the external parties and group companies with the aim to transition to the New EU SCCs within the 18-month period, keeping in mind that the parties will be required to carry out local law assessments and include detailed security measures when updating the contractual arrangements.