Standard contractual clauses (SCCs) are a contract addendum with provisions governing the handling of personal information. The express language of the SCCs has been preapproved by the European Commission (Commission) to be used in a contract for lawfully transferring such information from the European Union/European Economic Area (EU/EEA) to other countries deemed to have less-stringent data privacy laws. SCCs are heavily relied upon to facilitate international data transfers and global business activities. The existing SCCs were adopted more than a decade ago, predate the General Data Protection Regulation (GDPR) and are considered to have become somewhat outdated.
On June 4, 2021, the Commission published two sets of new SCCs. The first set replaces the old SCCs for cross-border data transfers to third countries. The second set is for use between controllers and processors – previously organizations were left to craft their own contractual terms to address controller-processor obligations under the GDPR, so this will likely bring much more uniformity to such relationships.
The new SCCs better reflect requirements of the GDPR that was adopted in May 2018, as well as the July 2020 ruling by the Court of Justice of the EU (CJEU) in Schrems II that invalidated the EU-U.S. Privacy Shield with a legal opinion that also impacted transfers relying on SCCs. Generally, the new SCCs are an improvement over the previous standards as they provide greater flexibility for long and complex processing chains and a “single entry-point covering a broad range of transfer scenarios.” (See Press Release, “European Commission Adopts New Tools for Safe Exchanges of Personal Data,” June 4, 2021.)
Below is a summary of the approach and the significant changes between the old and the new SCCs, as well as suggested actions that organizations may want to consider taking to prepare for compliance. Organizations should consult with legal counsel about how to prepare and implement the new SCCs to avoid a fire drill at the end of 2022.
The first set of new SCCs is limited to ensuring appropriate safeguards for international data transfers to third countries that the European Commission has not deemed to provide adequate protection for personal data, including the United States. This set replaces the three sets of old SCCs adopted under the Data Protection Directive 95/46/EC in 2001, 2004 and 2010. Under Article 46(2)(a) of the GDPR, a data controller or processor may transfer personal data to a third country only if such safeguards are provided and enforceable rights and effective legal remedies for data subjects are available. The use of and adherence to the SCCs in contracts that govern such data flows meet this threshold of protection. The Commission also encourages the inclusion of additional safeguards under contractual terms that supplement the SCCs.
As expected, the updated SCCs also include strong data subject protections. General responsibilities of the data exporter under GDPR include providing data subjects with information regarding intent to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the standard contractual clauses and any onward transfer. Moreover, with some exceptions, data subjects are able to enforce the SCCs as third-party beneficiaries with respect to obligations of the data exporter and data importer. Therefore, the SCCs must require the data importer to inform data subjects of a contact point and to deal promptly with any complaints or requests. In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject can lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.
The new SCCs also feature significant changes that attempt to address scenarios that were not previously contemplated, including those below.
The new SCCs feature a modular structure of clauses that data exporters will use based on the nature of their roles and responsibilities in relation to the data transfer in question:
The controller is typically the data owner who decides the purpose and means of processing personal information, whereas the processor is generally a service provider engaged to process the information as needed.
The previous SCCs did not contemplate processor-to-processor or processor-to-controller transfers, so when such circumstances arose in contracting it resulted in many confused lawyers, as well as a potential gap in lawful data transfers. In addition, the updates recognize – for the first time – that a data exporter can be a non-EU entity, which is helpful when, for example, a non-EU data exporter is subject to GDPR and wants to transfer data to another non-EU party.
The updated SCCs make it possible for more than two parties to adhere to the SCCs and provide that additional controllers and processors should be “allowed to accede to the standard contractual clauses as data exporters or importers throughout the lifecycle of the contract of which they form a part.” This more complex contractual “eco-system” was not contemplated by the old SCCs.
In view of the Schrems II decision, the latest guidelines include provisions that address a potential inability to comply with the new SCCs due to adverse laws in a data importer’s country. This includes provisions on how to handle government requests for access to personal information subject to the GDPR. Moreover, parties must warrant that, “at the time of agreeing to the SCCs, they have no reason to believe that the laws and practices applicable to the data importer are not in line” with new SCC requirements. An assessment of the relevant laws and practices in the data importer’s country based on specific circumstances of the transfer is also required. Many of these provisions reflect recommendations from the European Data Protection Board (EDPB) that were issued in November 2020 in the aftermath of Schrems II.
Notably, the new SCCs do not address every concern raised in Schrems II by the CJEU. There remains a strong interest in the U.S. and EU reaching agreement on a new Privacy Shield, and those negotiations are currently ongoing, with the primary goal of avoiding a future Schrems III. In the meantime, organizations must rely on SCCs and other available transfer mechanisms for cross-border data transfers into the U.S.
The new SCCs also apply to sub-processor scenarios. For example, when a sub-processor is engaged by the data importer, in line with Article 28(2) and (4) of the GDPR, the SCCs must delineate the procedure for general or specific authorization from the data exporter and the requirement for a written contract with the sub-processor ensuring the same level of protection as under the clauses. The new SCCs achieve compliance with both GDPR Article 28 governing data processing agreements (DPAs) and Article 46 governing cross-border transfers, avoiding the need for two separate agreements.
The second set of new SCCs provides a standard DPA and related directives, including with respect to the appointment of processors under Article 28(7) of the GDPR. This standard agreement is primarily used for processors and controllers established in the EEA. To date, organizations have relied on their own DPA forms for this purpose.
Organizations can potentially have dozens or even hundreds of supplier, customer and other relationships relying on SCCs for cross-border data transfers. Given the significance and timeline for mandatory adoption, organizations should begin preparing immediately to 1) understand the new SCCs, 2) determine whether any current administrative or technical practices are impacted and 3) update contracts, policies and procedures as necessary. Specifically, the following action items are recommended to aid in this process: