EU Standard Contractual Clauses – finished with the old and with the new!
On June 4, 2021, the European Commission (EC) published the long-awaited new standard contractual clauses (SCCs) for cross-border data transfers under the European Union (EU) General Data Protection Regulation (GDPR). SCCs are an essential tool for enabling the compliant international transfer of EEA personal data. The new SCCs take into account both the Schrems II decision and the requirements of the GDPR.
The new SCCs will take effect on June 27, 2021, and businesses currently using the old SCCs will have 18 months (until December 27, 2022) to update their existing data import and export provisions. The new SCCs can be found here and will affect many Australian businesses that process personal data from the EU or from EU entities.
Context – current position
The GDPR restricts transfers of personal data from the European Economic Area (EEA) to third parties outside the EEA (including to countries such as Australia, the United States and the United Kingdom).
The GDPR only allows the transfer of personal data (i.e. all information relating to an identified or identifiable living individual) outside the EEA if the EC has decided that the recipient non-EEA country (a territory, or one or more specified sectors within it) ensures an adequate level of protection (so-called ‘adequacy decisions’). The EU has so far recognized Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as offering adequate protection.
In the absence of an adequacy decision, the parties can implement “appropriate safeguards”, which essentially means a pre-approved data transfer mechanism used to protect personal data. For many transfers of personal data (where no adequacy decision or other exception applies), the only practical solution is to use SCCs. SCCs are standard contractual provisions which are pre-approved by the EC and therefore cannot be changed.
The new SCCs will replace the old SCCs, which were adopted under the European Data Protection Directive. The new SCCs have been updated to align with the GDPR and provide a practical toolkit for complying with the Schrems II ruling. In Schrems II, the Court upheld the validity of SCCs for the transfer of personal data processed outside the EU / EEA, while invalidating the EU-US Privacy Shield. Although the Court concluded that the SCCs were still valid, it held that the underlying personal data transfers must be assessed on a case-by-case basis to determine whether there is adequate protection.
The new SCCs seek to address this issue by setting out the steps businesses need to take to comply with Schrems II, together with examples of “supplementary measures”, such as encryption, that businesses can take where necessary.
Key takeaways from new SCCs
The new SCCs introduce a single, comprehensive set of standard contractual clauses. They are designed to operate on a multi-party basis, allowing a single set of SCCs to cover transfers of personal data between multiple parties (so that the entire data processing chain can be covered).
The new SCCs have been split into a modular format, allowing transfers from:
- controller to controller (Module 1);
- controller to processor (Module 2);
- processor to processor, i.e. to a sub-processor (Module 3); and
- processor to controller (Module 4).
This provides more flexibility for complex processing chains and fills well-known gaps in data transfer protection.
Schrems II and transfer impact assessments
The SCCs require the parties to assess (via a transfer impact assessment) whether the laws of the country into which the data is imported would undermine the data protections granted under the SCCs, and to determine whether additional measures need to be put in place (in addition to the SCCs) to ensure that the data is protected to the standard required by the GDPR.
The new SCCs describe the additional steps that controllers / processors must take to comply with the decision and provide for any supplementary measures that can be taken where necessary (e.g. pseudonymisation and encryption). The European Data Protection Board has provided draft guidance on carrying out transfer impact assessments (which can be consulted here). However, these recommendations have yet to be finalized.
The new SCCs envision multiple parties to agreements with docking clauses allowing third parties to join the agreement at any time, thus reflecting actual practice. This concept did not exist in the old SCCs and should prove useful for many companies.
The SCCs include three annexes to be completed by the parties. Annex I contains a list of the parties to the SCCs, a description of the data transfers and the identity of the competent supervisory authority for each party to the SCCs.
Annex II deals with the technical and organizational measures that the parties use to ensure the security of the personal data transferred.
Finally, Annex III sets out the list of sub-processors used in connection with the SCCs.
Has a transition period been foreseen?
Yes, there is a transition period.
The new SCCs can be integrated into contracts from June 27, 2021.
The old SCCs will be repealed (i.e. they cannot be used in new agreements) with effect from September 27, 2021.
Between June 27, 2021 and September 27, 2021, companies can choose to use either the new SCCs or the old SCCs.
Contracts that contain old SCCs before September 27, 2021 will be deemed to provide appropriate guarantees until December 27, 2022, provided that the processing operations covered by the contract remain unchanged and that recourse to these clauses guarantees that the transfer of personal data is subject to appropriate guarantees. It is a relatively generous period, however, it is not something to be left to the last minute.
Do the new SCCs automatically apply in the UK?
Due to Brexit, the new SCCs will not automatically apply for UK GDPR purposes. However, the UK will likely use the new SCCs as a guide when releasing and reviewing its own version of the SCCs later in 2021.
What should you do now?
If you are importing personal data from the EU to Australia, or if you are a processor providing services to a data controller in the EU, for example, you will probably start to see the new SCCs included in agreements. Steps to take as soon as possible in light of the introduction of the new SCCs include the following:
- familiarize yourself with the new terms of the revised SCCs ahead of the deadlines and consider whether those terms affect your company’s operating processes;
- update systems, processes and templates so that new transfers are based on the new SCCs and comply with their provisions (as of June 27, 2021);
- if you haven’t already, implement and maintain processes to conduct transfer impact assessments;
- map your personal data transfers (e.g., controller to controller, processor to controller, etc.) to understand how SCCs will apply to your business; and
- identify all international transfers and contracts using previous SCCs (more specifically the contracts that will remain applicable after December 27, 2022) and assess how to modify these contracts.