A new set of Standard Contractual Clauses for transfers of personal data from the European Economic Area (EEA)
On June 4, 2021, the European Commission adopted a revised, and much anticipated, set of Standard Contractual Clauses (SCCs) (see here). Both the existing (“old”) and the new SCCs are intended for facilitating the transfer of personal data from the European Economic Area (EEA) to third countries (countries, other than the EU member states, Norway, Iceland, and Liechtenstein) which have not been found by the European Commission to offer adequate protection of personal data (“Adequacy Decision”).
By way of background, under the EU General Data Protection Regulation (GDPR), in force since May 2018, personal data may only be transferred from the EU to a third country if appropriate safeguards are in place. The most popular safeguard mechanisms for transferring personal data to third countries that have not received an Adequacy Decision were the old SCCs and the Privacy Shield arrangement, which was canceled last year.
The new SCCs have been published with the aim of bringing them in line with the requirements of the GDPR and in response to the Court of Justice of the EU’s July 2020 ruling in the case of “Schrems II”, which canceled the Privacy Shield framework and called into question the reliability of SCCs as a valid data transfer mechanism, unless transfer impact assessments were conducted and “supplementary measures” were implemented. The court has not clarified which “supplementary safeguards” are necessary or how to determine them, which led to considerable uncertainty when relying on the SCCs for transferring personal data.
Below is a general summary of the main changes and improvements of the new SCCs:
- The new SCCs comprise a modular set of clauses for all potential and relevant transfers of personal data, namely transfers (a) controller-to-controller, (b) controller-to-processor, (c) processor-to-processor, and (d) processor-to-controller. We note that the old SCCs did not address processor-to-processor and processor-to-controller transfers of personal data; the new SCCs now provide a comprehensive basis for all types of data transfer between parties.
- The new SCCs allow for multiple parties to contract under one agreement, and for new parties to be added to such contractual arrangement over time (this change to the SCCs is anticipated to assist in implementing the SCCs within large-scale intra-group or extra-group data transfers).
- Under the old SCCs the data exporter could only be a party established in the EU, which created legal exposure for data controllers outside the EU when relying on this mechanism for cross-border transfers. The new SCCs expressly recognize that the data exporters can be non-EU entities.
- The new SCCs include specific rules to address the standards set by the CJEU in the Schrems II case (particularly with respect to potential risks in processing personal data under the data recipient’s local laws and the parties’ obligations in case of requests to access such data by public authorities) – mainly:
  - The parties to the SCCs are now required to warrant that they have no reason to believe that the laws and practices in the data recipient’s country, which are applicable to the processing of the personal data by the data importer, prevent the data importer from fulfilling its obligations under the SCCs. In providing such warranty the parties are required, in particular, to take due account of the following elements: (i) the specific circumstances of the transfer (such as the purpose of processing and the categories and format of the transferred personal data); (ii) the laws and practices of the country of the data recipient, in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; and (iii) any relevant contractual, technical or organisational safeguards which should be put in place to supplement the safeguards under the SCCs. The parties are required to document such assessments and make them available to the competent supervisory authority upon request.
  - The data importer is required to notify the data exporter promptly if it has reason to believe that it is, or has become, subject to laws or practices not in line with the above-mentioned warranty. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In such case, the data exporter is entitled to terminate the applicable agreement, insofar as it concerns the processing of personal data under the SCCs.
  - The data importer is required to notify the data exporter of any request concerning the disclosure of the personal data by a public authority (including access to such data) unless prohibited by law from doing so, and, if prohibited, to use best efforts to obtain a waiver of the prohibition. Furthermore, the new SCCs require data importers to review the legality of requests from authorities, challenge unlawful requests and ensure that only the minimum information necessary to comply with their legal obligations is provided. For transparency, the data importer must also provide regular reports concerning the above-mentioned requests it receives.
- The new SCCs specifically require that, where the data importer conducts an onward transfer of the data to sub-processors, the subject matter, nature and duration of those transfers be specified in the Annex of the SCCs.
- The new SCCs require the parties to include more detailed information (specific and not merely generic) regarding the technical and organizational security measures implemented to protect the transferred data.
- The parties may “add other clauses” to the SCCs, provided that they do not directly or indirectly contradict the SCCs or reduce their protections for data subjects.
We note that according to the language of the new SCCs, they only apply to transfers from controllers and processors (data exporters) that are subject to the GDPR to a controller or (sub-)processor (data importer) whose processing of the data is not subject to the GDPR. Therefore, based on such language it seems that the new SCCs cannot be used where a transfer is made to a data importer whose processing of the exported data is already subject to the GDPR (the SCCs can be considered redundant if the data importer’s processing activities are already subject to the GDPR). As such, it seems that, unlike in the case of the old SCCs, the new SCCs are not required to be put in place with respect to transfers of personal data from the EEA to entities which are directly subject to the GDPR, even if they are located outside the EEA in a country which has not received an Adequacy Decision. If this interpretation is correct, we anticipate that it will result in a significant reduction in the number of SCCs needed for global data transfers from the EU. It is hoped that the EU regulators will issue further guidance on this matter in the near future, and clarify whether transfers which are not subject to the new SCCs would still require the implementation of “supplementary measures”, per the Schrems II decision.
The new SCCs become effective on 27 June 2021. Organizations may use the old SCCs for new data transfers until September 27, 2021; thereafter the old SCCs may no longer be used for new contracts. The old SCCs will remain in force for another 15 months for existing data transfers, as long as the subject matter of these contracts is not changed and provided that the old SCCs include the standards set by the CJEU in the Schrems II case. As of 27 December 2022, the use of the “old” SCCs will no longer provide the necessary appropriate safeguards for a data transfer to a third country, and by then they will need to be replaced by the new SCCs (or other appropriate safeguards).
Lastly, we note that in parallel, the EU Commission has also published new standard contractual clauses for data processing agreements (see here), which aim to standardize data processing agreements between controllers and processors and ensure that the parties fully comply with the requirements of Article 28 (regardless of whether the parties are established in the EU or not). It remains to be seen whether these standard contractual clauses will become widely used and reduce the need to negotiate data processing agreements.
It is highly recommended to review as soon as possible the status of the organization’s international data transfers from the EU to third countries. The organization should be prepared to use only the new SCCs in new contracts from 28 September 2021, and to replace by 28 December 2022 any “old” SCCs previously implemented.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice, at [email protected] or 03-6074588.