New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA

21.06.2021

New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA – Adopted On the Eve of Publication.

The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4. They should be implemented by 2021 and published in the next few weeks.

The new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”). The old SCCs will be repealed three months after that date (“Date of Repeal”).

Here are some preliminary comments on the new SCCs:

Timelines for organisations

The decision of the EU Commission contains a sunset clause whereby:

  • Companies entering into new contracts shall use the new SCCs after the Date of Repeal; and
  • Companies having the old SCCs in place before the Date of Repeal may continue to use them for fifteen (15) months following the Date of Repeal. The organisation will thus have a transition period of eighteen (18) months after the date of effect.

A diverse and modular approach

The old SCCs addressed only two transfer scenarios (i.e., controller to controller, and controller to processor). The new SCCs apply a more diverse and modular approach covering four data transfer scenarios:

  1. Controller to Controller;
  2. Controller to Processor;
  3. Processor to Processor; and
  4. Processor to Controller.

In addition, they apply to subsequent transfers.

Geographical scope

The new SCCs make clear that they can be used not only by Controllers and Processors established in the EEA, but also by Controllers or Processors that are not established in the EU, for their processing activities that are subject to the General Data Protection Regulation 2016/679 (“GDPR”) because of the targeting criterion of Article 3(2) GDPR.

Article 28 GDPR data processing provisions

The Controller to Processor module also incorporates the requirements of Article 28 of GDPR’s data processing provisions. No separate data processing agreement will need to be entered into, avoiding any contradictions between the two and thus setting a standard for Article 28 GDPR provisions.
However, the new SCCs may be incorporated into broader commercial contracts and further clauses may be included provided these do not prejudice the fundamental rights of data subjects or contradict the SCCs. Moreover, the new SCCs contain a clear rule on hierarchy, stipulating a general precedence of the SCCs.

Parties

The new SCCs envision multiple parties to agreements with docking clauses enabling third parties to accede to the agreement at any point in time, thereby reflecting actual practice.

Content

The new SCCs are more onerous and impose GDPR-like obligations on data importers, such as transparency and GDPR data subject rights. Furthermore, the new SCCs contain, amongst other provisions, the rights of data subjects as third-party beneficiaries, liability (including in some cases joint and several liability of the parties vis-à-vis data subjects) and indemnification, as well as supervision by EU Member State supervisory authorities.

Aftermath of the Schrems II decision

One of the main reasons why the new SCCs are so highly anticipated is the potential extent of protection they will offer to companies transferring personal data outside of the EEA in the aftermath of the Schrems II Judgement (CJEU Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, dated July 16, 2020).

The consequences of the Schrems II judgement have been addressed by the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) in their “Joint Opinion 2/2021 on SCCs for the transfer of personal data to third countries” of January 14, 2021, and in the EDPB’s (yet to be finalized) “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of November 10, 2020.

The EDPB and EDPS notably stressed that the parties must assess whether there is anything in the law or practice of the third country of destination which prevents the data importer from fulfilling its contractual obligations and, depending on the outcome of this assessment, must implement ad hoc supplementary measures (contractual and technical) to ensure adequate protection to data subjects. Therefore, a key question in this regard was whether the use of the new SCCs would make it unnecessary for the parties to carry out such assessment and implement ad hoc supplementary clauses.

The new SCCs (clause 14) will still require the parties to carry out such assessment and “warrant” that neither party has “reason to believe” that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the new SCCs.

In giving this warranty, the parties must make an assessment taking into account (i) the specific circumstances of the transfer (e.g., nature of data transferred, purpose for processing); (ii) the law and practices of the country of destination; and (iii) any supplementary measures implemented.

The possibility to take into account circumstances that go beyond the law and practices is welcome. Some importers that are in principle covered by legislation on access to law enforcement but are not likely to effectively be required to handle data, may be able to warrant that they have no reason to believe that such legislation would prevent the importer from complying with the new SCCs.

Furthermore, the SCCs contain additional commitments that cater to what parties need to do in case of access by public authorities of the country of the importer. Some commitments had been de facto enforced by some data protection authorities under the current SCCs and had been recommended by the EDPB in the above-mentioned draft opinion. The SCCs require, amongst other things, the importer to notify the exporter of (i) any “legally binding request from a public authority”, or (ii) if it “becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses”. The data importer must also “challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful.”

We will provide a more detailed description of the new SCCs in a follow-up article. Please do not hesitate to contact our Data Privacy and Cybersecurity team should you need assistance with the new SCCs or international transfers of personal data generally.

This article was originally published in the Squire Patton Boggs’s Security Privacy Bytes blog on 8 June 2021.

The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.

Theme:
Privacy, Safety, Security
Region:
Europe
Rosa Barcelo, Partner, McDermott Will & Emery; Chair, IIC Brussels Chapter
Matúš Huba, Data Privacy Advisor, McDermott Will & Emery
Stephanie Faber, Business law and data protection law specialist, Squire Patton Boggs