Let the (re)contracting begin: European Commission adopts new standard contractual clauses for international data transfers | Arnall Golden Gregory LLP
The European Commission (“EC”) has adopted a long-awaited new set of standard contractual clauses (“SCCs”) for the transfer of personal data to parties in third countries outside the European Union (“EU”) and the European Economic Area (“EEA”) that have not been found by the EU to have “adequate” data protection laws.
Under the EU General Data Protection Regulation (“GDPR”), companies are prohibited from transferring personal data from the EU to a third country unless certain protection mechanisms are in place. SCCs are one of the mechanisms commonly used to facilitate the transfer of personal data outside the EU. In July 2020, another commonly used mechanism, the EU-US Privacy Shield, was struck down by the Court of Justice of the European Union (“CJEU”) in its “Schrems II” ruling (previously discussed here). In the same ruling, the CJEU questioned the version of the SCCs in force at the time, suggesting that, on a case-by-case basis, “additional measures” might be necessary.
The earlier SCCs were adopted before the GDPR came into effect in 2018. The new set of SCCs is intended to update the previous version and address the shortcomings that the CJEU expressed concern about in Schrems II.
Some of the key changes
- The new SCCs take a “modular” approach with variations for different transfer scenarios, including controller-to-controller transfers, controller-to-processor transfers, processor-to-processor transfers, and processor-to-controller transfers.
- The new SCCs recognize that a party outside the EU/EEA, but directly subject to the GDPR under the extraterritoriality provision of Article 3(2) of the GDPR, may be a data exporter under the new SCCs.
- The new SCCs are drafted so that (i) the agreement can be multi-party (i.e., more than two parties can agree to the clauses) and (ii) new parties can be added over time via a “docking clause”. This change will make it easier to implement SCCs for large and complex data transfers.
- The processor modules in the new SCCs incorporate the contractual processor requirements in Article 28 of the GDPR, as well as a new annex to identify the sub-processors. As a result, a separate GDPR data protection agreement will not necessarily be required (although parties may still find one useful for imposing additional safeguards).
- In response to Schrems II, the new SCCs contain enhanced requirements for the parties to assess the law of the third country to which personal data would be transferred. The new SCCs include a warranty that the parties have “no reason to believe” that the laws and practices in the importer’s country will prevent the importer from fulfilling its obligations under the SCCs. Under the old SCCs, this warranty was given by the data importer alone. In giving this warranty under the new SCCs, the parties must take certain factors into account (i.e., perform a transfer impact assessment). This assessment must consider the “specific circumstances of the transfer”, the “laws and practices of the third country of destination” and “any relevant contractual, technical or organizational safeguards put in place”. In particular, the assessment may take into account the parties’ “relevant and documented practical experience” with requests from public authorities for access to personal data.
- The new SCCs also include detailed requirements governing the steps a data importer must take if it receives a request from a government authority to access personal data transferred under the new SCCs. These changes are also intended to address concerns raised by the Schrems II decision.
- Although the details vary depending on which module is used, the new SCCs include enhanced transparency requirements, data subject rights provisions and onward transfer restrictions. The new SCCs also require data importers to “apply specific restrictions and/or additional safeguards” when the transfer involves sensitive categories of personal data.
- The new SCCs require data importers (and both parties while the data is in transit) to adhere to higher data security standards. The SCC data security annex requires a description of the technical and organizational measures the data importer will use to protect the transferred personal data, which may need to be more detailed than what some data importers have provided under the older SCCs.
- The new SCCs provide additional flexibility regarding the choice of law governing the SCCs and include additional specifics regarding the role of EU supervisory authorities, including requirements that the parties document their compliance and agree to make this information available to the competent supervisory authority on request.
- The new SCCs, like the old SCCs, require that data subjects be third-party beneficiaries of specified provisions. The new SCCs strengthen the rights of third-party beneficiaries by requiring that those rights be enforceable under the law governing the contract.
The adoption of the new SCCs will require organizations that rely on the SCCs to integrate the new SCCs into their contracting process for new processing activities and to revise existing agreements that use the old SCCs. This could be a big undertaking for many organizations.
For new data transfer agreements entered into on or before September 27, 2021, organizations may continue to use the old SCCs (recognizing that these may need to be replaced by the new SCCs; see the next paragraph). This three-month grace period will give organizations time to review the new SCCs and become compliant with them. The new SCCs can be used before this date if the parties so wish.
For existing data transfer agreements, organizations must replace the old SCCs with the new SCCs by December 27, 2022. At the end of this 18-month grace period, organizations will need to have updated their contracts to reflect the new SCCs (recognizing that Schrems II may require additional action in the interim). Also, if the processing operations covered by the contract change during this grace period, the new SCCs must be used from that moment on.
In the meantime, the EU and the United States have announced that they are “stepping up” negotiations on a strengthened EU-US Privacy Shield framework.