European Commission Issues New Standard Contractual Clauses for Transfers of EU Data
On June 4, 2021, the European Commission (the executive branch of the European Union (“EU”) that is responsible for proposing new EU laws and monitoring their implementation) issued long-awaited new versions of the Standard Contractual Clauses (“SCCs”) for businesses to utilize in arranging cross-border data transfers between the United States and countries in Europe.
SCCs are uniform terms into which companies can enter in order to guarantee sufficient safeguards of data during international transfers. They are meant to provide safeguards for data transfers to countries outside the European Economic Area (“EEA”) or EU, including the U.S., that have not received an adequacy decision from the European Commission regarding those countries’ protection and treatment of personal data.
In issuing the new SCCs, which begin to phase into effect in June 2021, the European Commission is attempting to better address the requirements of the European Union General Data Protection Regulation (“GDPR”), as well as contemplate additional data transfer arrangements into which businesses enter.
Additional Transfer Scenarios and Applications
The SCCs address four data transfer scenarios: controller-to-controller (Module 1), controller-to-processor (Module 2), processor-to-processor (Module 3), and processor-to-controller (Module 4). The new SCCs address processor-initiated transfers for the first time, allowing these data exporting parties to ensure they are legally compliant in their transfers. Parties may choose the module that applies to their arrangement and incorporate only those relevant clauses into a particular agreement. New general clauses that apply to all transfer arrangements are also provided. These general clauses include the obligation for the parties to ensure that data protection laws in the receiving country will not prevent the data importer from fulfilling its obligations under the SCCs, as well as obligations for the data importer regarding government data access requests.
More than two parties are able to enter into the new SCCs, and a “docking clause” mechanism is included to allow additional parties to be added to the agreement over time as either a data importer or data exporter, without the need to enter into a new agreement. This greatly simplifies the implementation of the SCCs within large-scale transfers involving multiple importer-exporter relationships, and makes clear that separate SCCs do not need to be signed for each individual data transfer contemplated by the agreement.
While the previous SCCs only contemplated a data exporter that was established in the EU, the new SCCs expressly recognize that the data exporter may be a non-EU entity, provided the processing is related to the data of subjects within the EU as addressed by Article 3 of GDPR.
No Separate Data Processing Agreement
One significant change resulting from the new SCCs relates to the need to implement a data processing agreement between controllers and processors, or between processors and sub-processors. Under the old SCCs, an additional data processing agreement was required for these arrangements in order to comply with Article 28 of the GDPR, as the old SCCs were developed before GDPR was implemented and as such did not account for GDPR’s specific processing standards. Modules Two and Three of the new SCCs explicitly include the requirements for a data processing agreement as outlined in Article 28 of the GDPR. This means that for controller-to-processor or processor-to-processor transfers that adopt the new SCCs, a distinct data processing agreement is no longer needed.
Additional Obligations on the Data Exporter
The new SCCs also incorporate elements of the European Court of Justice’s 2020 Schrems II decision that both confirmed the validity of the SCCs for the transfer of personal data outside the EU or EEA and invalidated the former EU-US Privacy Shield framework. The party exporting data under the agreement is required to complete a Transfer Impact Assessment, a comprehensive and flexible risk assessment that requires the data exporter to assess transfer criteria such as the contents of the data being transferred, the laws of the importing country, and the existence of any independent supervisory authority. The exporting party must also make the Assessment available upon the supervisory authority’s request.
Additional Data Subject Rights
Data subjects are now able to enforce many provisions of the new SCCs against the data exporter and the data importer. Data subjects invoking their rights may lodge a complaint with the relevant supervisory authority specified in the new SCCs or refer the dispute to relevant courts in the EU. To enable this enforcement, the data importer is now required to submit itself to the jurisdiction of the authority and abide by any binding decision under applicable EU or Member State Law.
Liability for Breach
The new SCCs explicitly state that each party shall be liable to the other for the damages caused by the breaching party. It is not yet clear whether parties will be able to amend this provision to shift or limit liability between themselves. The SCCs have always permitted parties to add new clauses, provided that such clauses do not directly or indirectly contradict the SCCs or reduce the protections for data subjects. Limitation of liability that would reduce the liability of a party as against a data subject would clearly not be permitted by the SCCs, but liability shifting between the parties will likely be heavily negotiated in the absence of clarifying guidance on this issue.
Transfers Involving the UK
After the United Kingdom’s (“UK”) departure from the EU at the end of 2020, parties to data transfer agreements were left uncertain as to what requirements would apply to data transfers involving the UK. Transfers from the EEA to the UK can continue without restrictions until July 1, 2021, as permitted by the post-Brexit Trade and Cooperation Agreement between the EU and UK. After July 1, SCCs will be required for data transfers from the EEA to the UK, unless an adequacy decision is granted by the European Commission. UK-specific SCC guidance is currently in development and expected to be released later this year.
The new SCCs come into effect on June 27, 2021, but a transition period allows organizations to continue using the old SCCs for data transfers under a new agreement until September 27, 2021. The old SCCs may be utilized for data transfers under an existing agreement for up to 18 months, allowing parties additional time to modify their existing data processing arrangements.
Although the new SCCs will not come into full effect until December 27, 2022, it is not too early to begin updating your agreements to comply with these new requirements. Please contact a member of the Koley Jessen Data Privacy and Security practice group for assistance in revising your agreements so that they are in line with the obligations of the new SCCs.