On June 4, 2021, the European Commission adopted a new set of standard contractual clauses (SCCs) governing exchanges of personal data between data controllers and data processors and transfers of personal data from the EU to the U.S. or other countries that are not deemed to ensure adequate protection for personal data. The revised SCCs reflect new requirements for the protection of personal data under the EU General Data Protection Regulation (GDPR) and take account of the July 2020 judgment of the Court of Justice of the European Union (CJEU) in Schrems II that declared the EU-U.S. Privacy Shield framework for data transfers invalid and stipulated stricter requirements for transfers of personal data based on SCCs.
The new SCCs are designed to reflect the growing complexities of cross-border data processing and digital supply chains by offering a more flexible, if more stringent, approach that adds additional scenarios under which personal data is transferred. The new SCCs enter into force on September 28, 2021 for new contracts. There is an 18-month transition period for existing contracts based on previous sets of SCCs. The old SCCs should be replaced by the new version by December 28, 2022.
Key provisions of the new SCCs include:
Types of data transfers
The new SCCs provide different “modules” to address transfers of personal data in four scenarios. As with previous sets of SCCs, the new SCCs cover controller to controller transfers (Module One) and controller to processor transfers (Module Two). For the first time, the European Commission has also addressed processor to controller transfers (Module Three) and processor to processor transfers (Module Four).
Compliance with Schrems II
The CJEU’s decision in Schrems II upheld the validity of SCCs, but the court ruled that organizations must warrant that third countries to which data is exported provide adequate protection for personal data transfers under EU law. Organizations that cannot comply with this requirement must either introduce additional safeguards or cancel transfers.
The new SCCs appear to address this issue by allowing organizations to take a risk-based approach that assesses the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, and whether public authorities are likely to access the personal data being transferred. The clauses include notification obligations to the data exporter, and, where possible, the data subject, of a legally binding request from a public authority for personal data. Because the Schrems II decision focused on disclosure of personal data of EU residents to the U.S. government, these clauses may be particularly significant for companies facing demands from a variety of U.S. agencies for such data.
Where a transfer involves “sensitive” personal data as defined under EU law (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences) the data importer must apply special restrictions or adopt safeguards appropriate to the specific risk involved, such as restricting who can access personal data, adopting added security measures (such as pseudonymization), or other measures.
Onward transfers to additional recipients in third countries are allowed only if:
- The onward transfer is to a country with adequate safeguards in place for the protection of personal data or the third party otherwise ensures appropriate safeguards; or
- The onward transfer is necessary for the establishment, exercise, or defense of legal claims in administrative, regulatory, or judicial proceedings or is necessary to protect the vital interests of the data subject or of another natural person.
More than two parties can now sign onto to a single contract pertaining to data transfers at any time during its term.
Data importers are required to document their processing activities and inform data exporters if they become unable to comply with the SCCs. Data exporters must document that they used reasonable efforts to ensure that data importers are able to comply with the new contractual clauses.
Global businesses as well as policymakers have a strong interest in making certain that personal data can be freely transferred and that the data is appropriately protected. The European Commission’s decision should help ensure that SCCs remain a tool for businesses to meet their GDPR obligations in today’s complex world.