A new era for international data transfers: European Commission adopts new standard contractual clauses | Dechert LLP
The European Commission has published new standard contractual clauses designed to facilitate international transfers of personal data in accordance with the GDPR. The new arrangements better reflect the variety of global data flows, but do little to alleviate the regulatory burden resulting from Schrems II decision and create potential challenges for companies outside the EEA doing business under the GDPR. Organizations have 18 months to transition to the new clauses.
On June 4, 2021, the European Commission (EC) adopted new standard contractual clauses (CSC) for the transfer of personal data from the European Economic Area (EEA) to third countries whose confidentiality regimes are not deemed “adequate” by the EC.
The new CCNs were adopted after consultation and feedback on drafts (see our previous About) and following the decision rendered last year by the Court of Justice of the European Union (CJEU) in Schrems II invalidating the EU-US Privacy Shield for transfers of personal data from the EEA to the US “whitelisted” countries.
Modular format and wider applications
The new SCCs remain non-negotiable, except for the addition of trade terms that do not conflict with the provisions of the SCC, and consist of four “modules” to be implemented depending on the use case. data transfer and GDPR status of the exporter and importer. These modalities are:
- Controller to Controller
- Controller to subcontractor
- Processor to controller
Older SCCs only allowed transfers in controller-to-controller and controller-to-processor scenarios. The addition of the terms Processor-to-Sub-Processor and Processor-to-Controller significantly extends the availability of SCCs. This is a welcome development for many processors and their customers and indispensable in an increasingly complex global data ecosystem.
In addition, the new SCCs are aimed specifically at non-EEA data exporters subject to GDPR – a use case that was sorely lacking. The GDPR not only restricts data transfers outside the EEA, but also âonwardâ transfers and transfers by non-EEA companies whose activities fall within the scope of the GDPR. The old SCCs did not support restricted data transfers already outside the EEA.
While the modular format allows SCCs to be applied in a wider variety of transfer scenarios, the EC has only approved the new SCCs for transfers of personal data where the importer’s use of the data will be limited. not subject to GDPR. (See, for example, Recital 7 and Article 1 of the implementing decision).
This raises the question of what safeguards need to be put in place when the data importer processes data subject to the GDPR (for example, where the activities of the data importer are closely linked to the activities of an institution of the EEA, or relate to the offering of goods or services to individuals in the EEA), as such a transfer always appears to be subject to the international data transfer restrictions of the GDPR. Even though SCCs are not designed for this type of transfer, some may decide to consider that implementing SCCs may be reasonable to protect data, albeit without the certainty that comes with CE approval). Others may find that more limited safeguards are sufficient when processing outside the EEA is subject to GDPR (this view is supported by guidance from the UK regulator).
Since SCCs do not provide a pre-approved solution for transfers to data importers subject to GDPR, the steps necessary to legitimize such transfers are likely to be more fact-dependent and uncertain, at least until the EDPB publishes guidelines on the subject.
2-4-1 on processor conditions
In addition to the restrictions on data transfers, Article 28 of the GDPR requires the establishment of specific provisions between data controllers and processors. The EC stated that the new SPCs also meet the requirements of Article 28. However, the provisions of the SPCs do not appear to be as broad as the EDPS suggested. Businesses may therefore find that different supervisors have different standards for Article 28 compliance (an indicator would be if a supervisor has adopted standard Article 28 clauses to be used for any cross-border data transfer) . The new SCCs offer the benefit of streamlining the contracting process by eliminating the need for a separate data processing agreement, but processors may find that they are less able to include processor-friendly terms.
Schrems II Backups
One of the most important updates is that the new CPS include provisions to address CJEU concerns in Schrems II. The new SCCs appear to reflect a concerted effort by the EC to ensure that the clauses withstand the kind of challenge that has been fatal to the Privacy Shield and compromised their use for data transfers from the EEA to the United States. . the risk that law enforcement or foreign intelligence services access personal data disproportionately and offer no recourse to the persons concerned. The new SCCs include clauses requiring a multi-stage assessment and the implementation of technical, organizational and administrative guarantees. Note, however, that the new SCCs do not exempt companies from the need to undertake their Schrems II evaluations (see our About for more information).
The British position
The UK ICO has indicated that the new SCCs are not valid for transfers subject to UK GDPR. Instead, old SCCs remain the appropriate form for transfers by exporters subject to UK GDPR. The British ICO should consult this summer on the new âBritishâ SCCs. It will be interesting to see if the new UK SCCs are influenced by and adhere to the EC approach, or if the new UK SCCs will mark a divergence between UK GDPR and EU GDPR.
While companies subject to UK GDPR may continue to use current SCCs in the interim, it seems likely that contracts involving transfers subject to GDPR from the EU and UK (not to mention other jurisdictions with export restrictions such as Switzerland and Israel), will become even longer and more complex in the future, in order to take into account different sets of CCS. The EC recognized this and said it will strive to improve international cooperation.
The new CCNs come into effect on June 27, 2021. The current CCNs will cease to be valid as of September 27, 2021, but companies will be able to continue to use them, even for new contracts, until that date. After that, companies will have an additional 15 months (until December 27, 2022) to transition to the new versions.
Given the transition period, not all companies need to rush to change all of their contracts containing old SCCs (especially those with EU and UK GDPR touchpoints being given the new UK SCCs due by UK ICO). That said, companies will want to allow sufficient time to prepare for the potential business impacts induced by the new CCNs. Companies can start by auditing existing contractual agreements and identifying the changes that will be necessary. In addition, exporters in processor roles or non-EEA exporters who have used the old SCCs (although technically they did not apply in such scenarios) may want to be more proactive in setting new documentation in place now that SCCs are likely to be more fit for purpose. Along with their contractual audits, companies should also undertake their Schrems II assessments, including transfer risk assessments, to the extent that they have not already been carried out.
We will continue to keep you informed of major developments.