On 4th June 2021, the European Commission (EC) published a final Implementing Decision on Standard Contractual Clauses (SCC) for the transfer of data to countries outside of the EEA. These new SCCs replace the existing clauses, which were approved under Directive 95/46/EC. The EC considered extensive feedback from a range of stakeholders before publishing the final Decision, as well as taking into account the Schrems II decisions for this final version. The new SCCs are, thus, now up to date with the GDPR and have some important changes, which we outline in brief here.
What are the key changes?
The SCCs are very similar to the draft clauses published in the consultation draft. However, there are some notable changes, which we summarise below:
The new SCCs were updated to apply to various types of transfers in a modular approach. They now provide separate and free-standing agreements that are applicable only to a specific type of transfer (Controller to Controller, Controller to Processor, Processor to Processor and Processor to Controller). However, they also provide certain content that applies to all situations (e.g., introductory provisions, provisions on non-compliance and termination). The new Clauses also have specific provisions on the use of sub-processors (see the useful table published by Bird&Bird). The new SCCs can be used whenever the exporting party is subject to the GDPR, even if that party is not established in the EU.
A ‘Docking clause’ is now included, which facilitates the formation of multilateral contractual relationships by allowing new parties, including sub-processors, to enter into an already existing agreement.
Guidance on local laws and practices
In response to the Schrems II ruling, the new SCCs seek to address any effect that the destination country’s local law might have on the data importer’s compliance. They also set out what an importer must do if it receives a binding request from a public authority to access transferred personal data, which includes notifying the data exporter, challenging the request (if there are reasonable grounds to consider it unlawful) and using “best efforts” to obtain a waiver of the prohibition to inform the data exporter about such cases.
This goes some way to satisfy the Schrems II ruling but not all concerns raised by the CJEU are addressed, so organisations transferring data outside the EEA will still need to undertake risk assessments and implement technical and organisational safeguards to supplement the SCCs. The EDPB is updating its current draft recommendations regarding this, and these will be published imminently.
The new SCCs include a strict hierarchy clause and a liability clause that will make it very difficult for data importers to limit their liability with respect to data transfers.
Mandatory transfer impact assessments
The new clauses mandate that data transfer impact assessments are carried out by the contract parties, and both must warrant that they have no doubts that the data importer’s country’s requirements comply with EU standards. The impact assessment must be documented and submitted to the supervisory authority upon request.
What are the timelines?
The new Decision gives a longer transition period, of which these are the most significant dates:
- The clauses can be used from 27th June 2021, which is 20 days after they were published in the OJEU.
- Parties can use the existing clauses in contracts until these are repealed on 27th September 2021, but no new contracts can be signed using the old SCCs after this date.
- Parties then get 18 months from the effective date of the Implementing Decision (i.e., until 27 December 2022) to replace contracts using the current SCCs with the new clauses. However, should the actual underlying processing operations change, the new clauses should be used from that point on.
Relevance to UK organisations
The new Standard Contractual Clauses can be used as a transfer safeguard for data transfers originating in the EU. This means that – due to Brexit – data transfers originating in the UK cannot be automatically safeguarded using the new EU SCCs. This is due to the fact that EC decisions do not affect the EU legal regime post-Brexit.
However, the ICO has announced plans to create a UK version for the SCCs to facilitate the transfer of personal data outside the UK. Given the current alignment of the UK data protection regime with the EU regime, it seems reasonable to assume that the upcoming UK clauses will share the same core principles as the EU ones.
What do you need to do?
Although the transition period has been lengthened compared to the one originally proposed, it is time to start preparing for the new SCCs. The next 18 months are a good time to get organised and:
- Update existing template contracts for use after 27th September 2021;
- Create an inventory of any SCCs that are in place with entities under the previous version of SCCs;
- Identify data transfers that are reliant on the draft SCCs;
- Review these to identify whether updating provisions are required or whether other amendments are needed;
- Familiarise yourself with the modular nature of the new SCCs;
- Set out a timeline and allocate time to make relevant updates over the next 18 months, e.g., when agreements are coming up for renewal/renegotiation.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations to make lawful data transfers using Standard Contractual Clauses. For more information, please feel free to contact our advisers, who would be more than happy to help.