Legal briefing

New standard contractual clauses for EU personal data transfers to third countries

Overview

Summary

  • The New EU SCCs will come into force on 27 June 2021 and data exporters subject to GDPR will have until 27 December 2022 to transition their existing arrangements to the new clauses.

  • They are modular in approach and cover the following scenarios: C to C; C to P; P to P; P to C, with some general clauses applying to all the scenarios, and some tailored to each scenario.

  • They will require the parties to carry out a Schrems II-style transfer impact assessment in respect of the local laws and practices of the destination country, but there is some flexibility for the parties to use their judgement based on the nature of the data transfer and their practical experience.

  • They will increase the compliance and accountability burden, GDPR-style, on data importers which previously might not have been used to such measures.

  • The new clauses are an improvement in some ways (particularly in terms of providing specifically for P-P transfers (a major gap in the old clauses)) and by incorporating Article 28 wording such that, when using the C-P module, the parties do not also have to enter into an Article 28-style DPA. However, the new SCCs do not improve the current duty on data exporters to consider where local laws may impact on the importer's ability to comply with the contract and the rather impossible obligation to then take some sort of corresponding action to address that. We can only hope for more guidance from the EDPB and the ICO soon on this difficult issue.

Introduction

On 4 June 2021, the European Commission adopted new standard contractual clauses (EU SCCs) for those transfers of personal data to third countries which are governed by the General Data Protection Regulation 2016/679 (GDPR)[1], together with a new set of standard contractual clauses to be used between controllers and processors pursuant to the requirements of Article 28 GDPR.

This briefing focuses on the EU SCCs, how they work, how they should be used, and issues to watch out for.

[1] References to GDPR in this briefing are to the EU GDPR as opposed to the UK GDPR.

Background

Essentially, controllers and processors which are subject to GDPR can only, under Chapter V of the legislation, transfer personal data to a third country outside the EU/EEA if:

  • an adequacy decision exists in relation to that country;
  • an appropriate safeguarding mechanism is used, such as standard contractual clauses or binding corporate rules, which helps to ensure that EU standards of personal data protection 'travel with the data'; or
  • a suitable derogation exists which covers the circumstances of the transfer.

Once they come into effect, and subject to a grace period (see below), the new EU SCCs must be used whenever the parties determine that their appropriate safeguarding mechanism is standard contractual clauses. In contrast, whether a controller and a processor use the EU's approved new Article 28 standard contractual clauses, or use their own set of drafted clauses meeting Article 28 requirements, will be for them to choose, although it is expected that the EU version will encourage greater standardisation.

The new EU SCCs are intended to:

  • reflect the changes to data protection law that were brought in by the GDPR when it was implemented in 2018, without at that time any corresponding update to the EU's standard contractual clauses that were in force at the time (existing SCCs);

  • incorporate aspects of the Court of Justice of the European Union's (CJEU) judgment in Schrems II which set out factors such as the local surveillance laws of the destination country which organisations must consider when transferring personal data to third countries in reliance on the standard contractual clauses;

  • better reflect the different types of international data transfer that may occur in practice and in our increasingly digital world.

When must organisations stop using the existing SCCs and from when can the new EU SCCs be used?

The EU SCCs were published in the Official Journal on 7 June and will take effect on 27 June 2021. Organisations can start using them from this date.

The existing SCCs will remain valid until they are repealed on 27 September 2021. Therefore, until this date, they can still validly be used in respect of transfers to third countries, though if it is expected that transfers under such arrangements will continue past the end of the grace period referred to below, then parties may wish to consider heading straight for the new EU SCCs to govern their arrangement.

With effect from 27 September 2021, organisations will not be able to validly use the existing SCCs in new agreements.

There is an 18-month grace period for organisations to transition any arrangements based on the existing SCCs to the new EU SCCs, which will last until 27 December 2022. This is provided that the underlying processing operations for which the existing SCCs were put in place do not change; if they do, then the new EU SCCs should be put in place to cover the processing from that point on.

What about data transfers under UK GDPR?

The EU SCCs only apply where a data exporter is subject to GDPR (which in certain circumstances, and by virtue of the extra-territoriality provisions of the GDPR, can extend to exporters which are located outside the EU). They can also only be used for data transfers where the data importer is not subject to GDPR. (The thinking being that an adequate level of protection for the data should already be in place, given that the importer is already subject to GDPR by virtue of the extra-territoriality provisions in Article 3(2). However, this does not square with issues such as the ability of public authorities in the third country to access the data.) As the recent Schrems cases demonstrate, the SCCs do not actually get around this concern either, and the practical takeaway whenever data is being transferred out of the EEA (whether to an entity covered on an extra-territoriality basis or to one that has signed the SCCs) is that the data should only be transferred if necessary, should be minimised as much as possible, and an assessment of appropriate additional security measures should be considered.

The EU SCCs will not apply to transfers of personal data from organisations which are subject to UK GDPR. In these circumstances, and until the UK Information Commissioner's Office (the ICO) has confirmed otherwise, a data exporter should continue to use the existing SCCs in respect of its data transfers to third countries, which is, of course, quite unsatisfactory for any international companies that operate in both the UK and the EU.

In May 2021, the ICO announced that it will produce its own version of the standard contractual clauses for use under UK GDPR, and a draft for consultation is expected to be published this summer.

However, the ICO has also highlighted the value of recognising transfer tools from other countries, including the EU SCCs, and it may well be that in time it decides to adopt the EU SCCs as a valid mechanism for use under UK GDPR. It will be a case of 'watch this space' on this.

How are the EU SCCs structured and how do they reflect the various data transfer scenarios?

The EU SCCs are modular with certain clauses applicable depending on the role of the exporter and importer and whether they are a controller or processor.

The four modules better reflect the different types of international transfers of data than the existing SCCs (which did not cover processor to processor or processor to controller data transfers) and are as follows:

  • Module one: Controller to controller (C to C)
  • Module two: Controller to processor (C to P)
  • Module three: Processor to processor (P to P)
  • Module four: Processor to controller (P to C)

Once the parties have identified which module applies to their transfer scenario, they can then ascertain which iteration of the various clauses will apply. 

Additional parties can be added to the SCCs provided that the original parties to the SCCs opted to include the optional docking clause. The docking clause allows an entity that is not an original party to the SCCs to be added after signing.

GDPR is reflected in the obligations which are imposed on the parties, and the data subject rights which the parties must adhere to. In short, this is going to create much more of a compliance burden for data importers in particular, which previously may not have been used to GDPR-style compliance and accountability.

Obligations/data protection safeguards

Each module includes a number of obligations that apply as appropriate covering some, or all of the following areas: (i) instructions on processing; (ii) purpose limitation; (iii) transparency, and obligations around who must be told about the data transfer and to what extent; (iv) accuracy and data minimisation; (v) storage limitation; (vi) duration of processing and erasure or return of data; (vii) security of processing; (viii) onward transfers; (ix) sensitive data; (x) documentation and compliance; and (xi) use of sub-processors.

Helpfully, the EU SCCs bake into data transfers between controllers and processors, and transfers between processors, the requirements set out in Article 28 GDPR for agreements between controllers and processors, which means that the parties to such data transfer agreements won't need to complete a separate data processing agreement.

Data subject rights

The EU SCCs incorporate data subject rights such as subject access, the right of erasure and the right not to be subject to automated decision-making without explicit consent. The EU SCCs also state that data subjects have the right to object to direct marketing (applicable only in the C to C scenario). Finally, the EU SCCs include more granular obligations to apply in the event of a data breach. This is an improvement on the existing SCCs, which merely cross-referred to sections of previous data protection law, which was likely unhelpful to contracting parties unfamiliar with the detail of those laws.

Appendix with annexes

There is an appendix which includes annexes covering (i) the list of the parties, a description of the transfer and the identity of the competent supervisory authority to whose jurisdiction both parties must submit; (ii) a specific description of the technical and organisational measures used to support the data transfer and ensure the ongoing safety of the data; and (iii) a list of sub-processors (where applicable and where specific authorisation is to be agreed).

Particular clauses and issues to watch out for

1. Local laws assessment and access to data (the Schrems II effect)

Clauses 14 and 15 of the EU SCCs seek to address one of the main themes which came out of the CJEU's judgment in Schrems II. In Schrems II, the CJEU highlighted the need for data exporters to verify, prior to a data transfer relying on SCCs, whether the laws and practices of the destination country provide adequate protection for the data being transferred – or an essentially equivalent level of protection to that afforded under EU law (for example, local surveillance laws may pose a risk to data subject rights). This was further supplemented by draft guidance released by the European Data Protection Board (EDPB) in November 2020 (a final version of these guidelines is expected to be released soon).

To this end, the EU SCCs include a mutual warranty, which applies to every module of the SCCs, that the parties have no reason to believe that the laws and practices of the third country would prevent the data importer from fulfilling its obligations under the SCCs, including its obligations to keep the data safe and comply with data subjects' rights. The clause sets out those factors that the parties should take into account when providing the warranty (which in many ways reflect the EDPB's draft guidance), including the specific circumstances of the transfer, the laws and practices of the destination country (including those requiring disclosure of data to public authorities), and any relevant contractual, technical or organisational safeguards put in place to supplement the SCCs.

The mutual warranty

This warranty essentially underpins the transfer impact assessment which data exporters, together with their importing counterparts, will have to complete when contemplating transferring data to third countries in reliance on the EU SCCs, and which was highlighted in Schrems II and in the EDPB's subsequent guidance. The fact that the parties must take due account of the particular circumstances of the transfer is helpful, permitting the parties to assess the risk in the context of the particular transfer and their experience. The footnotes to the EU SCCs indicate that different elements are to be included in this overall assessment, such as "relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests". These must cover a sufficiently representative time frame and be documented internally on a "continuous basis in accordance with due diligence and certified at a senior management level," and be supported objectively, corroborated by publicly available information. Therefore, some element of subjectivity based on knowledge and experience is permitted (provided that it is also backed with available case law and public guidance), and it is anticipated that this will be helpful, for example, in relation to transfers of HR data to a subsidiary company or payroll processor in a third country.

The obligation to monitor the assessment is continuous for the data importer, as the EU SCCs oblige the data importer to notify the data exporter promptly if it believes it is (or will become) subject to laws which change the parties' assessment of the situation. In these circumstances the parties must put in place additional safeguards or suspend the transfer, and the data exporter must notify the competent supervisory authority of the situation.

Clause 15 deals with attempts by public authorities to access the data. If there is an attempt by a public authority to access the data, the EU SCCs require the data importer to:

  1. immediately notify the data exporter on receiving a legally binding request for disclosure from a public authority, or on becoming aware of a public authority gaining direct access to the relevant data;

  2. use best efforts to obtain a waiver from the public authority if local laws prohibit the data importer from notifying the data exporter of (i) above;

  3. report the requests regularly to the data exporter, keep records, preserve all documents and challenge such requests from local authorities where there are reasonable grounds to do so. Again, the data importer must document its legal assessment of government access requests, and make this available to the data exporter and/or competent supervisory authority upon request.

2. Enhanced transparency requirements

One of the effects of updating the clauses to reflect GDPR is the enhanced transparency requirements on the data importer, particularly in controller to controller transfers, where the importer must inform data subjects of its identity and contact details and the categories of personal data processed, and provide details of any onward transfer. The EU SCCs signed between the data exporter and importer should be made available on request to data subjects as well, although confidential information (for example, detailed technical measures that the parties may prefer not to divulge) can be redacted. The obligation can be discharged via the data exporter if the parties agree to that, and the obligation falls away if providing the information proves impossible or would involve disproportionate effort for the importer. As with data collection notices, it would seem that a public notice on a website, such as a privacy notice, might be deemed sufficient to meet these obligations.

3. Liability

Each party is liable to the other for the damage which results from its breach of the clauses. Each party is also liable to the data subject for the damage it causes, and for C to P and P to P transfers, the exporter is also liable to the data subject for the damage caused by either party. Where both parties are responsible for the damage, the parties are jointly and severally liable to the data subject. The liability provisions in the EU SCCs do not affect the exporter's liability under GDPR, or, where the transfer is P to P, the controller's ultimate liability to the data subject. If one party is held liable for a breach caused by another, it can claim back compensation corresponding to the other party's responsibility for the damage.

4. Governing law, choice of forum and jurisdiction

Unlike the existing SCCs, the parties may choose the law of the EU Member State which is to govern the data transfer agreement, though in the case of C to P and P to P transfers the fallback is the law of the Member State where the exporter is established. For P to C transfers, the parties may choose the law of a country which allows for third party beneficiary rights (in this case data subjects' rights). A similar pattern follows for choice of jurisdiction, though a data subject may also bring proceedings against either party in the courts of the Member State of their habitual residence.

5. Modification of the clauses

As with the existing SCCs, the EU SCCs cannot be modified, except to select the appropriate modules or to update information in the Appendices. However, the parties are permitted to add clauses or additional safeguards, provided they do not contradict the EU SCCs or prejudice the rights of data subjects. Quite what this means in practice is unclear – for example, would an indemnity allocating risk between the parties for damage resulting from particular clauses be viewed as a contradiction of the liability clause? Or would any attempt to allocate costs between the parties for compliance with particular obligations, amount to a contradiction or undermining of the EU SCCs?

What are the next steps for businesses?

Organisations which are exporting personal data to third countries in reliance on SCCs, and that are subject to the GDPR, will need an action plan to transition across to the new EU SCCs, to carry out the requisite transfer impact assessments, and to ensure ongoing compliance with the requirements of the EU SCCs.

Data exporters should:

  • To the extent that they haven't already done this in light of Schrems II, put together a template, taking into consideration the requirements of Clause 14 of the EU SCCs and the EDPB (draft) guidance, and establish a process for conducting transfer impact assessments; then carry these out in conjunction with importing parties and see through any follow-up action arising. Some importing parties (for example, IT service provider processors which deal with thousands of exporting customers) may already have processes in place to support this, and it is worth entering into a dialogue with them first to establish this. To this end, data transfers to third countries should be audited, categorised and prioritised depending on the nature of the arrangement and the counterparty, how important the data transfer is to a business, the destination countries that a business exports data to, and the type and amount of data which is being transferred. Different approaches to handling transfer impact assessments will also be required depending on the department within a business to which a data transfer agreement relates: for example, data transfer agreements in respect of IT support matters, most of which will be with an importing processor, will be handled in a very different way to, say, a marketing or BD partnership between two controllers.

  • To the extent that they haven't already, establish a process (and a way of documenting it) for conducting meaningful due diligence on importers to ascertain whether they can comply with their obligations under the EU SCCs – for example, via a due diligence questionnaire backed up with supporting documentation. Again, it is useful to enter into a dialogue, particularly with importers which are used to importing data and may already have documentation to hand to provide to the exporter.

  • Assess which of their current data transfers will need to be transitioned across to the EU SCCs, bearing in mind the grace period which is in place until 27 December 2022; and put in place a process for carrying out such transition and updating existing contracts with the new SCCs.

  • Identify those data transfers which are in the pipeline which will need to be completed on the basis of the EU SCCs (again bearing in mind that the existing SCCs can no longer be used on or after 27 September 2021, though if they are put in place before this date, then they too will take the benefit of the grace period to transition to the new EU SCCs).

  • Ensure that data can be transmitted to the importer in a secure way.

  • Update privacy policies to ensure compliance with transparency obligations under EU SCCs (or agree with the relevant data importer where the importer will do this).

Data importers:

Data importers face an increased compliance burden as a result of the GDPR-style requirements in the EU SCCs – as follows:

  • Where a data importer is importing data as a controller, the requirements in respect of data subjects' rights and the ability to respond to requests and enquiries from data subjects (for example, responding to requests for access to data processed) may well require some adjustments to business practices and new processes to be put in place, including a process for complying with the obligations on data breach notification, and establishing a point of contact for complaints from data subjects to be received.

  • Data importers should establish with their exporter counterparts which party will meet the transparency obligations in the EU SCCs, and if it's the importer, work out how best to do this.

  • Data importers will need to have processes in place to ensure that the data is accurate and up to date, and only kept for as long as necessary.

  • Importers will have to get used to accountability and to documenting everything, in particular any steps taken in response to requests from public authorities, so as to be able to demonstrate compliance to exporters, data subjects and supervisory authorities alike.

  • Processor importers for which the risk profile of the data they handle from exporters is similar each time may wish to consider putting together standard documentation which could help with the completion and documentation of transfer impact assessments, and with completion of the Appendix to the EU SCCs.

Whilst the EU SCCs are a welcome update on the existing SCCs, in particular in the way they reflect the various transfer scenarios, it is the transfer impact assessment (together with the need to document it) required by Schrems II, the EDPB, and now enshrined in Clause 14 of the EU SCCs, which will continue to create the largest burden for many organisations. The ICO has confirmed that Schrems II, including that need for a transfer impact assessment, is now part of English law, but that it will provide as much help and guidance as possible for businesses to navigate it when it comes to data transfers under UK GDPR. We await with interest how it will address this, and whether it is able to help in any way to shift or reduce the burden away from businesses in having to assess the laws and practices of destination countries.

EU to UK data transfers

EU to UK data transfers can still take place without the need for an additional safeguarding mechanism to be put in place, by virtue of the current data bridge agreed as part of the EU-UK Trade and Co-operation Agreement. However, that data bridge expires at the end of June. A draft adequacy decision was released by the EU earlier this year, however concerns have been expressed regarding some aspects of the decision, particularly in relation to the UK's surveillance laws. If a formal adequacy decision is not granted before the data bridge expires, then data transfers will have to be conducted using an appropriate safeguarding mechanism, such as SCCs, or, where the circumstances lend themselves, in reliance on a derogation.

Please note that since publication of this briefing, there have been two further developments of relevance relating to the EU's decision on granting adequacy to the UK, and the EDPB's publication of its final guidance on supplementary measures for international data transfers.

For further information, please contact: Nneka Cummins, Vivien Halstead, Dan Reavill.