Long-awaited SCCs for EU Data Transfers Adopted by European Commission with 18-month Transition Period
The EU has a cross-border data transfer framework gift for you! On June 4, 2021, the European Commission (“EC”) adopted two sets of standard contractual clauses (“SCCs”) that businesses may use as a tool to comply with European cross-border data transfer requirements for transferring data outside of the European Economic Area (“EEA”), and as a controller-processor data processing agreement (“DPA”).
The EC’s decision implementing the new SCCs will enter into force twenty days after publication in the Official Journal of the European Union. Parties currently using the prior version of the SCCs will have until September 27, 2021, to start using the new SCCs for all new data transfers and will have until December 27, 2022, to replace the prior SCCs currently in effect. It is important to note that if the underlying agreement between the parties is re-negotiated or the scope of the data being processed is changed during the transition period, then the new SCCs must be utilized.
1. For Cross-Border Data Transfers:
Steps to take now
(a) Identify all in-force contracts that rely on – or should rely on! – SCCs as a cross-border data transfer mechanism.
(b) Determine which new SCCs / modules are most appropriate for each in-force contract.
(c) Develop a plan for amending those contracts to replace old SCCs with new SCCs with appropriate modules over the course of the next 18 months.
(d) Verify insurance coverage to ensure that any new potential liability relating to claims between controllers and processors is adequately covered.
Steps to take in late summer 2021 and beyond
(e) Once the European Data Protection Board (“EDPB”) finalizes its guidance on data protection safeguards, which is expected this summer, implement internal data protection safeguards to align with SCC requirements (see Enhanced Data Protection Safeguards and Enhanced Sub-Processor Requirements summaries below).
(f) Amend standard contracting practices to ensure that all new contracts that require SCCs are entered into with new SCCs with appropriate modules.
2. For Controller-Processor DPAs:
Steps to take now
(a) Determine whether the form DPA meets your organization’s business requirements, given other business operational needs beyond GDPR requirements; if possible, transition to the new SCC form DPA.
(b) Develop a plan to amend currently in-force DPAs with the new SCC form DPA.
(c) Amend standard contracting practices to ensure that all new contracts that require DPAs are entered into with the new DPA, if applicable.
Summary of new SCCs
1. SCCs for Cross-Border Data Transfers
The new model clauses apply to data transfers to third countries outside of the EEA. Under Article 46(1) of the European Union’s General Data Protection Regulation (“GDPR”), in the absence of an adequacy decision, a controller or processor acting as the data exporter may transfer personal data to a third country only if the data exporter has ensured appropriate safeguards. Under Article 46(2)(c) of the GDPR, appropriate safeguards include model clauses. However, on July 16, 2020, in the Schrems II decision, the Court of Justice of the European Union cast substantial doubt on whether the prior model clauses remain effective, especially regarding transfers to the United States. Schrems II requires parties relying on the model clauses to implement additional appropriate safeguards ensuring that personal data is adequately protected when it is transferred to countries outside of the EEA.
The new SCCs address issues raised by Schrems II and have been deemed by the EC to provide appropriate safeguards, subject to the parties’ identification of sufficient technical and organizational measures for protecting personal data. The following are a few significant changes from the previous version of the SCCs:
- Modular Approach: The new SCCs adopt a modular approach and contain different requirements depending on whether personal data is transferred from controller to controller (Module 1), controller to processor (Module 2), processor to processor (Module 3), or processor to controller (Module 4). As such, the new SCCs align more closely with business needs, including by facilitating transfers from processors to controllers.
- Enhanced Data Protection Safeguards: The new SCCs contain enhanced data protection safeguards, including for controller to controller transfers, by requiring the data importer to inform data subjects of 1) the categories of personal data processed, 2) the right to obtain copies of the model clauses, and 3) if applicable, certain onward transfer requirements noted below (Clause 8, Module 1, Section 8.2). In addition, there are enhanced documentation and compliance obligations, including audit rights, requirements to disclose specific or aggregate information about government access to personal data, and a warranty that the parties have no reason to believe that government access to personal data prevents the data importer from fulfilling its obligations under the clauses (see, e.g., Clause 8, Section 8.9 in Modules 1 – 3 and Section 8.3 in Module 4).
- Enhanced Sub-Processor Requirements: The data importer must provide the data exporter with information necessary to exercise its right to object to sub-processors (Clause 9, Modules 2(b) and 3(b)). In certain circumstances, the new model clauses also require the parties to document additional details about sub-processors, such as by listing a contact person for each.
- Onward Transfers: For onward transfers from controller to controller, upon request of a data subject, the data importer must provide: 1) information on recipients or categories of recipients to which personal data will be transferred, 2) the purpose of such onward transfer, 3) the grounds for such onward transfer, and 4) information on the right to lodge a complaint with a supervisory authority (Clause 10, Module 1(b)(i)).
- Claims for Liability Between Controllers and Processors: For processor to controller and processor to processor transfers, if parties are held jointly and severally liable for a breach of the model clauses, the parties are entitled to assert a claim against the other party for compensation corresponding to its/their responsibility for the damage (Clause 12, Modules 3(d) and 4(d)).
- Transfer Details: The new SCCs require parties to list more details about the transfers, such as by naming the supervisory authorities responsible for overseeing the data exporter, technical and organizational measures designed to address Schrems II concerns, and sub-processor details.
The EC’s implementing decision clarifies that data exporters and data importers may continue to execute the prior model clauses until September 27, 2021, and all previously concluded model clauses will remain valid until December 27, 2022 (Article 4). The EC’s implementing decision also states that these model clauses should fulfill requirements for controller-processor DPAs.
Parties must take account of the specific circumstances of the transfer, such as applicable laws permitting governmental access to the transferred personal data, when considering what safeguards to put in place under the new SCCs. The EC, in contrast with draft guidance from the EDPB, encourages parties to consider the practical application of such laws (including the history of government requests for access to personal data in the applicable industry and with respect to the specific data importer and exporter). Finalized EDPB guidance is expected later this summer, and parties should wait to finalize safeguards identified in the model clauses, as practical, to ensure that such safeguards meet the EDPB’s expectations.
2. SCCs for Data Controllers and Processors
The second set of SCCs is a standard-form DPA. The EC’s implementing decision on these SCCs makes clear that they fulfill the requirements for DPAs under Articles 28(3) and 28(4) of GDPR.
As background, Article 28(3) of the GDPR requires the processor to enter into a contract that governs the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data being processed, the categories of data subjects, and the obligations and rights of the controller.
In practice, this set of SCCs provides businesses with guidance on what to include in DPAs and, if properly implemented, a compliance safe harbor. The rate of adoption for this standard-form DPA may remain low, however, as many companies have crafted DPAs tailored to the company’s operations and with a global scope.
Generally, the new SCCs offer a welcome update to the prior clauses, which were often ill-suited to business realities and modern data transfers. For now, the privacy community will anxiously await the finalized EDPB guidance to see if it follows the EC’s risk-based approach to governmental access to personal data.