Last July you will recall that in the Schrems II Case (“Schrems”) the Court of Justice of the European Union (“CJEU”) invalidated the European Union/United States (“EU/US”) Privacy Shield framework, while also reiterating that companies could rely on the standard contractual clauses (“SCC”s). However, the CJEU also made clear that transfers of personal data from the European Economic Area (“EEA”) to non-adequate countries were not always permissible, requiring supplemental measures and in some cases transfer impact assessments.
In order to address the Schrems II holding and to improve ill-adapted SCCs that pre-dated the General Data Protection Regulation (“GDPR”) amid an exponential increase in cross-border transfers, the European Commission adopted two new sets of SCCs on June 4, 2021: Third Country Transfer SCCs and Controller-Processor SCCs. As detailed below, these new SCCs must be used commencing September 27, 2021, for all new data transfers. Companies have until December 27, 2022, to amend contracts for data transfers that previously were made under the old SCCs.
Focusing on the Third Country Transfer SCCs, the new SCCs aim to address some of the issues around implementing the old SCCs for cross-border transfers through often complex supply chains. They also include a number of new obligations for organizations. Among those, the new SCCs formalize obligations to (a) provide specific (as opposed to generic) technical and organizational measures; (b) conduct transfer impact assessments; (c) review supplementary measures that may be required to safeguard the personal data; (d) provide data subjects with an easily accessible contact authorized to handle complaints related to compliance with the SCCs; and (e) notify the data exporter (and data subjects) of requests from public authorities or governments for personal data transferred to the data importer. In addition, record-keeping is clearly defined as a priority. The new SCCs also take a modular approach, which is better suited to the complexity of transfers involving multiple parties with different relationships. The new SCCs introduce four modules that can be adapted to the relationship between the parties, addressing controller-controller, controller-processor, processor-processor, and processor-controller relationships in one document. Finally, they include a “docking clause”, which allows new parties to be added as signatories even after the SCCs have been executed (though all existing parties must agree to the docking).
Despite some ambiguity in Recital 7 as to the scope of application of the new SCCs, for which we expect some clarification, the new SCCs become effective on June 27, 2021. As noted above, commencing September 27, 2021, all new data transfers must rely on and use the new SCCs. From September 27, 2021, the European Commission is allowing an additional 15-month grace period, during which the old SCCs may continue to be used for existing data transfers (those that were ongoing prior to September 26, 2021). Organizations relying on the old SCCs for their existing data transfers will have until December 27, 2022, to implement the new SCCs by amending contracts appropriately. Note, however, that data importers should expect data exporters to require supplemental measures in advance of the December 27, 2022 date, and should be prepared to provide those. In addition, after September 27, 2021, if an agreement involving a transfer of personal data is amended such that the scope of processing is modified or expanded, the new SCCs must be implemented.
Accordingly, we recommend the following:
- If organizations have not already done so, now is the time to start mapping their data transfers and existing related third-party agreements. This should be prioritized.
- Organizations should conduct Transfer Impact Assessments (“TIA”s), which must be documented and will need to be provided to regulators if requested.
- Organizations must be prepared to list the technical and organizational measures in Annex II to the new SCCs, including examples of such measures. This information should be prepared, updated as needed, and easily accessible.
- Organizations that have not done so must implement deletion policies and processes. The new SCCs require that retention periods be listed in Annex I to the SCCs.
- If the new SCCs are used for cross-border data transfers from an organization subject to GDPR to a data processor or sub-processor, it will no longer be necessary to enter into a separate data processing agreement to address the organization’s GDPR obligations under Article 28, because the requirements of Article 28 are included in the new SCCs. Organizations may choose to have separate commercial terms (i.e., limitations of liability, costs, etc.), but those must not contradict the SCCs or modify data subject rights. We expect this to simplify negotiations of Data Processing Addendums and Agreements (“DPA”s) and for many companies to opt to use the SCCs rather than custom data processing addendums for the GDPR. Of course, companies will still need data processing addendums for their other processing activities, such as under California Consumer Protection Act (“CCPA”).
- Each party to the new SCCs must be able to demonstrate it complies with the SCCs and must keep a record of its data processing activities. EU regulators (and other contractual parties to the SCCs) may request such documentation and/or audit a data importer’s compliance. This includes internal records related to public authority requests for data disclosure. To comply with these record-keeping obligations, ensure all documentation is up-to-date and easy to provide if requested.
- Organizations should review the European Data Protection Board’s (“EDPB”) final recommendations on supplementary measures (available at https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf), which provide a roadmap for transfers to third countries. In particular, the recommendations address the different types of supplementary measures, which may be contractual, technical, or organizational (more to follow on the recommendations).
Note that the new SCCs are not valid for transfers from the United Kingdom. Data exporters in the United Kingdom can continue to use existing SCCs that were valid as of December 31, 2020 (meaning the old SCCs). In the near term, the result will be longer global data protection addendums that include both the new SCCs and the old SCCs, in addition to any terms addressing other laws such as the CCPA. The UK’s Information Commissioner’s Office (“ICO”) is publishing new UK SCCs (called an International Data Transfer Agreement) for cross-border data transfers and additional guidance, likely late 2021 or early 2022.