EU Releases New Standard Contractual Clauses for Cross-Border Data Transfers
Sets Deadline for Adoption
- The European Commission published two sets of new standard contractual clauses (SCCs) governing cross-border data transfers and data exchanges between controllers and processors (i.e., service providers), marking the first updates to SCCs in more than a decade.
- The long-awaited new SCCs reflect evolved data protection laws such as the General Data Protection Regulation (GDPR), as well as account for the legal analysis in the recent Schrems II decision, which invalidated the EU-U.S. Privacy Shield.
- Organizations must stop using the old SCCs in new contracts by Sept. 27, 2021, and all existing contracts must be transitioned to the new SCCs by Dec. 27, 2022.
Standard contractual clauses (SCCs) are a contract addendum with provisions governing the handling of personal information. The express language of the SCCs has been preapproved by the European Commission (Commission) to be used in a contract for lawfully transferring such information from the European Union/European Economic Area (EU/EEA) to other countries deemed to have less-stringent data privacy laws. SCCs are heavily relied upon to facilitate international data transfers and global business activities. The existing SCCs were adopted more than a decade ago, predate the General Data Protection Regulation (GDPR) and are considered to have become somewhat outdated.
On June 4, 2021, the Commission published two sets of new SCCs. The first set replaces the old SCCs for cross-border data transfers to third countries. The second set is for use between controllers and processors – previously organizations were left to craft their own contractual terms to address controller-processor obligations under the GDPR, so this will likely bring much more uniformity to such relationships.
The new SCCs better reflect requirements of the GDPR that was adopted in May 2018, as well as the July 2020 ruling by the Court of Justice of the EU (CJEU) in Schrems II that invalidated the EU-U.S. Privacy Shield with a legal opinion that also impacted transfers relying on SCCs. Generally, the new SCCs are an improvement over the previous standards as they provide greater flexibility for long and complex processing chains and a "single entry-point covering a broad range of transfer scenarios." (See Press Release, "European Commission Adopts New Tools for Safe Exchanges of Personal Data," June 4, 2021.)
Key Dates for the New SCCs
- The new SCCs take effect on June 27, 2021.
- The old SCCs may still be used for new data transfers (i.e., new contracts) during a three-month transition period that ends on Sept. 27, 2021.
- Existing data transfers (i.e., contracts) that rely on the old SCCs can continue to be used until Dec. 27, 2022, by which time all data transfers relying on the old SCCs must be moved over to the new SCCs. The timeline also applies to any downstream subcontracting agreements.
Below is a summary of the approach and the significant changes between the old and the new SCCs, as well as suggested actions that organizations may want to consider taking to prepare for compliance. Organizations should consult with legal counsel about how to prepare and implement the new SCCs to avoid a fire drill at the end of 2022.
Cross-Border Data Transfers
The first set of new SCCs is limited to ensuring appropriate safeguards for international data transfers to third countries that the European Commission has not recognized as providing adequate protection for personal data, including the United States. This set replaces the three sets of old SCCs adopted under the Data Protection Directive 95/46/EC in 2001, 2004 and 2010. Under Article 46(2)(a) of the GDPR, a data controller or processor may transfer personal data to a third country only if such safeguards are provided and enforceable rights and effective legal remedies for data subjects are available. The use of and adherence to the SCCs in contracts that govern such data flows meet this threshold of protection. The Commission also encourages the inclusion of additional safeguards under contractual terms that supplement the SCCs.
As expected, the updated SCCs also include strong data subject protections. General responsibilities of the data exporter under GDPR include providing data subjects with information regarding intent to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the standard contractual clauses and any onward transfer. Moreover, with some exceptions, data subjects are able to enforce the SCCs as third-party beneficiaries with respect to obligations of the data exporter and data importer. Therefore, the SCCs must require the data importer to inform data subjects of a contact point and to deal promptly with any complaints or requests. In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject can lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.
The new SCCs also feature significant changes that attempt to address scenarios that were not previously contemplated, including those below.
A Modular Approach
The new SCCs feature a modular structure of clauses that data exporters will use based on the nature of their roles and responsibilities in relation to the data transfer in question:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3)
- Processor-to-controller transfers (Module 4)
The controller is typically the data owner who decides the purpose and means of processing personal information, whereas the processor is generally a service provider engaged to process the information as needed.
The previous SCCs did not contemplate processor-to-processor or processor-to-controller transfers, so when such circumstances arose in contracting it resulted in many confused lawyers, as well as a potential gap in lawful data transfers. In addition, the updates recognize – for the first time – that a data exporter can be a non-EU entity, which is helpful when, for example, a non-EU data exporter is subject to GDPR and wants to transfer data to another non-EU party.
The updated SCCs make it possible for more than two parties to adhere to contract terms containing SCCs, and they provide that additional controllers and processors should be "allowed to accede to the standard contractual clauses as data exporters or importers throughout the lifecycle of the contract of which they form a part." This more complex contractual "eco-system" was not contemplated by the old SCCs.
Accounting for Schrems II
In view of the Schrems II decision, the latest guidelines include provisions that address a potential inability to comply with the new SCCs due to adverse laws in a data importer's country. This includes provisions on how to handle government requests for access to personal information subject to the GDPR. Moreover, parties must warrant that, "at the time of agreeing to the SCCs, they have no reason to believe that the laws and practices applicable to the data importer are not in line" with new SCC requirements. An assessment of the relevant laws and practices in the data importer's country based on specific circumstances of the transfer is also required. Many of these provisions reflect recommendations from the European Data Protection Board (EDPB) that were issued in November 2020 in the aftermath of Schrems II.
Notably, the new SCCs do not address every concern raised by the CJEU in Schrems II. There remains a strong interest in the U.S. and EU reaching agreement on a new Privacy Shield, and those negotiations are currently ongoing, with the primary goal of avoiding a future Schrems III. In the meantime, organizations must rely on SCCs and other available transfer mechanisms for cross-border data transfers into the U.S.
The new SCCs also apply to sub-processor scenarios. For example, when a sub-processor is engaged by the data importer, in line with Article 28(2) and (4) of the GDPR, the SCCs must delineate the procedure for general or specific authorization from the data exporter and the requirement for a written contract with the sub-processor ensuring the same level of protection as under the clauses. The new SCCs achieve compliance with both GDPR Article 28 governing data processing agreements (DPAs) and Article 46 governing cross-border transfers, avoiding the need for two separate agreements.
Controllers and Processors
The second set of new SCCs provides a standard DPA and related directives, including with respect to the appointment of processors under Article 28(7) of the GDPR. This standard agreement is primarily used for processors and controllers established in the EEA. To date, organizations have relied on their own DPA forms for this purpose.
Recommended Action Items
Organizations can potentially have dozens or even hundreds of supplier, customer and other relationships relying on SCCs for cross-border data transfers. Given the significance and timeline for mandatory adoption, organizations should begin preparing immediately to 1) understand the new SCCs, 2) determine whether any current administrative or technical practices are impacted and 3) update contracts, policies and procedures as necessary. Specifically, the following action items are recommended to aid in this process:
Before Sept. 27, 2021
- Review or obtain professional legal briefing regarding the new SCCs to understand whether any internal administrative or technical changes must be implemented in order to incorporate the new SCCs into contracts
- Prepare DPAs and new SCCs for contract forms and templates
- Identify all current contracts with suppliers, customers or others that include and rely on the old SCCs for data transfers, including those involving sub-contractors
Before Dec. 27, 2022
- Identify all existing contracts that will need to be updated or amended to the new SCCs by Dec. 27, 2022
- Identify contracts reflecting processor-to-controller or processor-to-processor relationships – scenarios not previously accounted for – to determine if new SCCs are necessary even though no SCCs are currently in place
- Communicate with counterparties and enter into contract negotiations to ensure timely adoption of the new SCCs
How Holland & Knight Can Help
As experienced in the recent past when the GDPR and California Consumer Privacy Act (CCPA) went into effect, the adoption of new requirements and execution of data privacy terms across a large number of contractual relationships can take significant time. For more information about the new SCCs, compliance or other questions regarding this topic, contact the authors or Mark Melodia, chair of Holland & Knight's Data Strategy, Security & Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.