Last week the European Commission issued its long-awaited, updated ‘Standard Contractual Clauses’ (SCCs), which represent the most frequently used mechanism to transfer personal data from the EU (and the UK) abroad, including to the US. The previous version is more than 10 years old and required significant updating in light of the GDPR. There is considerable interest in these new SCCs because they also incorporate changes to address the ruling of the Court of Justice of the European Union in July 2020 in the Schrems II case, that organizations cannot rely on SCCs alone but must also carry out a case-by-case risk assessment when exporting personal data outside the EU.
Following the Schrems II decision, organizations are required to assess whether, in light of government access and surveillance laws in the destination country, the recipient of personal data is able to comply with its obligations under the SCCs, and whether in the circumstances the SCCs ensure that the transferred personal data is adequately protected. Typically, additional contractual provisions (together with technical and other safeguards) were required in addition to the old SCCs.
What is New?
The new SCCs:
- Include more robust protections designed to ensure that personal data transferred is not accessed or disclosed to foreign governments and intelligence services. While the old version of the SCCs contained some provisions relating to government access in the destination country, those provisions do not, alone, offer sufficient protections in many circumstances in light of the Schrems II decision.
- Provide a greater degree of flexibility, and address many of the data transfer scenarios that the old SCCs did not address. For example, the new SCCs make specific provision for organizations that are not located in the UK/EU but are nevertheless subject to the GDPR and allow those organizations to comply with the GDPR’s data transfer restrictions.
- Better reflect the needs of business and the complexity of international data transfers, although the clauses are still cumbersome for companies to use.
- Adopt a modular approach, allowing organizations to tailor the agreement to reflect the specific circumstances of the data transfers they carry out.
- Require companies to document their data transfers in more detail than before, adding to the complexity and cost of implementing cross-border data transfer mechanisms.
What Must Companies Do?
The new SCCs provide an 18-month transition period, during which old SCCs that have already been entered into will continue to constitute a valid data transfer mechanism under the GDPR. This means that all organizations that currently use SCCs to transfer personal data abroad will need to replace their existing clauses by December 2022. This will be a significant practical task for organizations, many of which have hundreds of SCCs to conduct business internationally. It will also be expensive, particularly as, after the Schrems II case, a transfer risk assessment will also be required for each set of clauses. Organizations may continue to enter into agreements including the old SCCs for the next three months, and those agreements also will remain valid until December 2022.
Will the SCCs be Available in the UK?
Following Brexit, these new SCCs will not automatically be available for UK companies that transfer personal data abroad. It is expected that the UK will adopt a similar set of clauses, details of which are expected in the coming weeks.
What is the Likely Reaction to the SCCs?
The new SCCs will likely be welcomed by business because they offer greater certainty following the Schrems II decision. Still, there will be a concern that the mechanism is cumbersome and will be costly to implement when businesses seek to recover from the economic impact of the global pandemic.
It remains to be seen whether EU data protection regulators consider them to be sufficient by themselves to provide an appropriate level of protection for European personal data that is transferred abroad.
The new SCCs require importers of EU personal data to warrant that they can comply with the provisions of the SCCs. In doing so, they must consider the extent to which they are practically exposed to government surveillance and access laws. The European Data Protection Board has previously indicated that subjective factors, such as the importer’s practical exposure to access and surveillance laws, are not relevant factors that should be considered in determining whether the SCCs provide an adequate level of protection. It remains to be seen to what extent the EDPB will consider the new SCCs to provide a sufficient level of protection, or whether regulators will require additional contractual, organizational, technical or other safeguards to be implemented.