New Standard Contractual Clauses adopted by the European Commission
Since July 2020, when the Court of Justice of the European Union (CJEU) delivered its judgment in the Schrems II case, the standard contractual clauses (SCCs) have been a hotly debated topic amongst privacy practitioners. The current SCCs have not been updated since before the General Data Protection Regulation (GDPR) entered into force, in May 2018. Considering the evolving digital economy and the new requirements on third country transfers, the European Commission adopted two new sets of SCCs on June 4th, 2021: one for international transfers and one between controllers and processors. Compared to their predecessors, the new SCCs are significantly more detailed and shine some light on the Commission's view of the legal framework supporting third country transfers of personal data.
You may still rely on your old data transfer contracts, but the old SCCs will expire in roughly 18 months, after which any transfers based thereupon will be considered unlawful. As the new SCCs are more detailed than their predecessors, it is recommended you start reviewing your transfers and what these new clauses mean for your business. Below you will find some key points to address when assessing your situation regarding third country transfers.
The previous versions of the SCCs have now been gathered into one cohesive and modular document, addressing a wider breadth of transfer scenarios: controller – controller; controller – processor; processor – processor; and processor – sub-processor. There is also a docking clause, allowing third parties to accede to your SCCs at any time, as needed. As such, the Commission has made adaptability a focus of its modernization, allowing the parties to a data transfer to use the clauses more easily in their situation.
One key point of the updated SCCs is the set of revisions made due to the Schrems II judgment, concerning public authorities' access to data stored by importers. Your data transferers must ensure an equivalent level of protection in the receiving country. This includes ensuring that public authorities can only access the data in a way that respects the fundamental rights and freedoms of the data subjects. As a party to the SCCs, you warrant that there are no local laws and practices in the country of the data importer undermining the effective protection of the clauses – including any requirements to disclose data or allow access to public authorities. This warranty shall be given based on a documented data transfer impact assessment, including any relevant safeguards, technical or otherwise, put in place to supplement the SCCs. When conducting such an assessment, in contrast to the (yet to be finalized) recommendations from the European Data Protection Board (EDPB), certain passages indicate that the Commission is open to a risk-based approach, but this is not entirely clear, and other passages point to the principles from the Schrems II judgment. While such a risk-based approach may more easily facilitate data transfers, it is contrary to the EDPB's current recommendations. In either case, if you rely on the SCCs for your transfer, you must document your transfer assessment and be ready to make such documentation available to the competent data protection authority.
In addition, the new clauses now give data subjects enforceable rights directly in relation to the data importer. These rights mirror the data subjects' rights in the GDPR. Therefore, any entity receiving data from a data exporter should put procedures in place to facilitate the correct response to any such request.
Finally, under the new SCCs, you are liable to the other party for any damages caused by a breach of the clauses – including punitive damages, which were previously exempted. As such, it is important to review your processing and transfers to ensure that neither you nor your data receivers are in breach of any of the new clauses when you are required to put them in place.
In summary, the Commission has partially succeeded in its goal of updating the SCCs to facilitate the many different structures used in the complex data network of today. Some questions remain to be answered, but it is clear that many actors must review and update their transfers in light of the new clauses. Given the ongoing changes in the privacy landscape, it is vital for industry actors to stay updated and continuously review their practices.