European Commission Finalizes the Standard Contractual Clauses for Cross-Border Personal Data Transfers
On June 4, 2021, the European Commission (EC) published the long-awaited final version of the new Standard Contractual Clauses (New SCCs) for personal data transfers outside of the European Economic Area (EEA), annexed to Implementing Decision 2021/914 (Implementing Decision). The New SCCs—replacing the controller-to-controller and controller-to-processor SCCs (Prior SCCs), which were adopted in 2001, 2004 and 2010—are intended to address concerns set out in last year’s groundbreaking European Court of Justice (CJEU) Schrems II decision. In that decision, the CJEU questioned reliance on the Prior SCCs as a cross-border transfer mechanism for compliance with Article 46 of the General Data Protection Regulation (GDPR) and suggested that parties to SCCs should conduct a data transfer impact assessment and adopt supplementary measures for the protection of personal data transferred, where necessary. There was general consensus, therefore, that the Prior SCCs were insufficient and that revisions were needed for them to provide an adequate transfer mechanism.
To be clear, not all cross-border transfers require execution of the New SCCs. Such transfers are permissible without executing the New SCCs, for example: (i) if the data importer is located in a so-called “adequate” jurisdiction (e.g., Canada); (ii) when the GDPR applies extraterritorially to the processing, although this is an unsettled proposition, as discussed below; (iii) if another GDPR-compliant transfer mechanism, such as binding corporate rules, would be more appropriate to the specific circumstances of the transfer; or (iv) where the personal data is exported from Switzerland or the United Kingdom (UK), in which case the Prior SCCs may still be used. In many instances, however, the New SCCs will remain the primary mechanism for transferring personal data outside the EEA.
Concurrent with issuing the New SCCs, the EC also published a standard data protection agreement (Standard DPA) that reflects the requirements of Article 28 of the GDPR. While the use of the Standard DPA is not mandatory and many organizations have already developed their own template DPAs, this Standard DPA provides a basic template that is per se compliant with the GDPR.
Notably, the New SCCs themselves incorporate most of the substantive provisions of the Standard DPA. In practice, this means that controllers executing the New SCCs with their processors will not be required to enter into a new or separate Standard DPA to comply with Article 28 of the GDPR. However, many companies may want to execute both the Standard DPA and the New SCCs, and add to the Standard DPA typical contract (as opposed to GDPR-specific) provisions.
Purpose, Design and Scope of the New SCCs
The New SCCs are designed to address concerns that the Prior SCCs did not sufficiently protect against the risk that personal data exported pursuant to the SCCs would be accessible to the government of the country into which the data is imported. Furthermore, the New SCCs are intended to reflect the realities of the growing digital economy, the increased complexity of data processing operations, and the potential for many parties to be involved in processing activities, as well as the evolving nature of global business relationships and the flexibility these factors demand. In contrast to the Prior SCCs, the New SCCs adopt a modular approach intended to accommodate a broader range of personal data processing and transfer situations.
Modular Approach for Multiple Personal Data Transfer Scenarios
The most apparent change in the New SCCs is the inclusion of “modular” clauses for different data transfer contexts: (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-controller, and (iv) processor-to-processor transfers. This enables organizations to select the clauses that correspond to their needs and specific contractual relationships. By including processor-to-controller and processor-to-processor arrangements, which were not encompassed by the Prior SCCs, the New SCCs reflect the realities of how personal data flows amongst various parties and bring certainty to a gray area that previously bedeviled processors and controllers.
Under the Prior SCCs, the data exporter could only be an entity “established” in the EEA. This is no longer the case with the New SCCs, as they require only that the processing of personal data by the data exporter (the entity exporting data outside of the EEA) be subject to the GDPR, even if the data exporter is not established in the EEA. Essentially, a non-EEA controller or processor that is subject to the GDPR (because, for example, it offers goods or services to data subjects in the EEA), can now use the New SCCs for personal data transfers to non-EEA controllers or processors.
What remains unclear, however, is the impact of text in the Implementing Decision indicating that the New SCCs are applicable only when the processing by the data importer is not subject to the GDPR. Specifically, Article 1 of the Implementing Decision states that “[t]he standard contractual clauses . . . provide appropriate safeguards . . . for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).” Recital 7 of the Implementing Decision similarly provides that “[t]he standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [the GDPR].” The implication here appears to be that, when the data importer falls under the extra-territorial scope of the GDPR, the parties do not need to execute SCCs, which is contrary to the general practice under the Prior SCCs and the common perception of compliance with Articles 44-45 of the GDPR. This practical ambiguity may be explained further in future guidance from the EC or the European Data Protection Board (EDPB).
Possibility of Multi-party Agreements
The New SCCs are more flexible than the Prior SCCs with respect to multi-party agreements. It is now clear that more than two parties are able to execute the New SCCs. Moreover, an optional “docking clause” allows third parties—whether data exporters or importers—to accede to the New SCCs executed by existing parties, as long as they complete the Appendix and sign Annex I.A (List of Parties). This will allow for simple addition of other processing parties during the processing period.
Overview of the Key Changes
Schrems II Provisions
As mentioned above, a major motivating factor in drafting the New SCCs was the implication in Schrems II that the Prior SCCs may not provide adequate protections for personal data transferred to non-EEA countries, such as the United States, in which the government may have broad surveillance powers and provide limited opportunities for data subjects to exercise their rights. In addressing Schrems II, the New SCCs require the parties to determine whether the third country provides adequate protection based on the nature of the personal data and the protections afforded under local law.
As in the Prior SCCs, the parties are required to warrant, at the moment of concluding the SCCs, that they do not believe or have reason to believe that the destination country’s laws will impede the ability to comply with its obligations under the New SCCs. The New SCCs impose additional obligations on both data exporters and data importers to “prove” they can comply with their obligations by conducting a data transfer impact assessment. The New SCCs set out the assessment criteria and risk factors to be taken into account, namely: (i) the transfer’s specific circumstances; (ii) the destination country’s laws and practices; and (iii) the relevant contractual, technical, and organizational safeguards that the parties implement in addition to obligations under the New SCCs. The parties may also consider the data importer’s previous practical experience with public authorities’ requests for access to personal data.
In addition, the New SCCs place additional obligations on the data importer when public authorities, including judicial authorities, request access to personal data subject to the GDPR and pursuant to the New SCCs. Data importers must, inter alia, (1) notify the data exporter, and where possible, the data subject; (2) if local law prohibits such notifications, attempt to obtain a waiver of the prohibition; (3) identify potential grounds to challenge the request, and exhaust those challenges if available; and (4) share only the minimum amount of personal data in response to the request. All actions and assessments performed by the data importer should be documented and shared with the exporter and the supervisory authority upon request, while the data importer should also update the data exporter at regular intervals with relevant information on the received requests, to the extent this is permitted.
Restrictions on Onward Transfers
The data protection safeguards set out in the New SCCs include restrictions on onward transfers of personal data from the data importer to another third party outside the EEA. Onward transfers can occur only in certain circumstances that depend on the modular configuration of the data transfer arrangement chosen by the parties. Common circumstances for lawful onward transfers under all the transfer scenarios include situations where (i) the third party agrees to be bound by the New SCCs (which is where the docking clause comes into play); (ii) the third party’s country has been deemed “adequate” by the EC; (iii) the third party otherwise guarantees appropriate safeguards under Articles 46 and 47 of the GDPR; (iv) the onward transfer is necessary for legal claims; or (v) the onward transfer is necessary to protect a natural person’s or the data subject’s vital interests.
Third-Party Beneficiary Rights
The New SCCs enable data subjects to invoke and enforce specific provisions of the New SCCs against both the data importer and the data exporter, as did the Prior SCCs. For this purpose, the parties should make sure that the Member State law they select as the law governing the New SCCs allows for third-party beneficiary rights. In addition, the data importer should facilitate the exercise of these rights by providing a contact point to data subjects and promptly handling any complaints or requests.
Use of Sub-Processors
When personal data is transferred to a processor, the data importer may not subcontract with a sub-processor without the prior authorization of the data exporter. The New SCCs give the parties the flexibility to agree to either (1) a general authority for a processor to retain sub-processors; or (2) specific authority for an enumerated list of sub-processors. In either case, the subject matter, nature, and duration of transfers to sub-processors must be indicated in Annex 1 of the New SCCs for transparency purposes.
Enhanced Accountability and Transparency Requirements for All Parties
Under the New SCCs, the parties are subject to enhanced accountability and transparency obligations. The data importer should maintain appropriate documentation for the processing activities it conducts and promptly inform the data exporter if it is unable for any reason to comply with the New SCCs. Data importers should also provide a notice (for example, in a privacy notice posted to a website) to data subjects with details of data processing. The data exporter should warrant and represent that it has used reasonable efforts to assess and confirm the ability of the data importer to abide by the obligations imposed by the New SCCs.
Can Parties Deviate From the Text of the New SCCs?
Given the structure of the New SCCs, parties will need to select the appropriate modules reflecting their roles and responsibilities and for the purposes of detailing the data transfers in the Annexes. The text of the New SCCs should not be modified. However, the parties may incorporate New SCCs into a broader contract and add provisions, as long as those provisions do not contradict the New SCCs or otherwise prejudice the fundamental rights or freedoms of data subjects.
The UK and Switzerland
The New SCCs are not applicable, at least for the moment, to personal data transfers from the UK to “non-adequate” countries—which are governed under the UK data protection legislation. Only the Prior SCCs have been approved by the UK and therefore only the Prior SCCs can be used for such transfers. The UK supervisory authority has, however, announced that it will publish a UK version of the New SCCs in 2021. It remains to be seen whether that text will essentially duplicate the New SCCs, which would alleviate, to some extent, the burden of companies to conclude different contracts to address international data transfers from the EEA and the UK. Similarly, for personal data transfers from Switzerland to third countries, the Prior SCCs have been approved by the Swiss data protection authority. The Swiss data protection authority has not taken a position yet on whether it will endorse the New SCCs issued by the EC, although this is very likely to be the case.
The New SCCs will affect many organizations engaged in transfers of personal data from the EEA to countries that have not been deemed adequate by the EC, including the United States. Organizations may continue to conclude agreements based on the Prior SCCs for a period of three months starting from June 7, after which period the Prior SCCs will be repealed, although as noted they remain valid for now for transfers from the UK and Switzerland. Organizations can still, however, rely on pre-existing transfer agreements based on the Prior SCCs for an additional period of 15 months, provided that the processing operations remain unchanged and that the Prior SCCs ensure appropriate safeguards. Organizations should, therefore, begin assessing their current data processing and transfer agreements and plan to update or revise such agreements before the end of 2022. Meanwhile, data exporters establishing new data transfer arrangements should adopt the New SCCs.
Organizations should assess which data transfer scenarios and related modular provisions of the New SCCs apply to their data transfer arrangements and data processing flows involving different subcontractors, customers, and other parties. More importantly, in accordance with the New SCCs, organizations should develop a strategy for conducting data transfer impact assessments, particularly in light of Schrems II and in anticipation of the related final EDPB guidance expected to be published shortly.
We will continue to monitor further developments and guidance by EU bodies regarding the New SCCs and their implementation in practice.
*Samantha Smith contributed to this Advisory.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.