The new Standard Contractual Clauses – A deeper dive
On 7 June 2021, the European Commission finally published the long-awaited new standard data protection clauses, or "standard contractual clauses" (SCCs), which replace the now obsolete clauses from 2001/2004 and 2010. The new SCCs not only implement (some of) the requirements of the CJEU's Schrems II decision, but also adapt the clauses to the specifications of the GDPR. Since the new SCCs completely replace the old clauses, there are already several measures that companies can take in preparation for the switch.
1. Background
According to Chapter V of the GDPR, the transfer of personal data from the European Economic Area (EEA) to countries outside the EEA is only permissible if an adequate level of data protection is ensured for the personal data at the data recipient. In order to ensure such an adequate level of protection, the GDPR provides, inter alia, for the possibility of using standard data protection clauses adopted pursuant to Article 46(2)(c) GDPR. On 7 June 2021, the European Commission published a new set of SCCs which replaces the previous clauses from 2001/2004 and 2010, which had been issued under the former Data Protection Directive.
The new SCCs for cross-border transfers of personal data are the European Commission's response to the CJEU's Schrems II decision (CJEU, judgment of 16 July 2020 - C-311/18, CRi 2020, 109, discussed by David Bender, "Safe Harbor After 'Schrems II'", CRi 2020, 161) as well as to the "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" published by the European Data Protection Board (EDPB).
2. Modular Design & Scope of Application
The new SCCs differ significantly from the old ones, beginning with their:
Scope of Application: While the old clauses could only be concluded between data exporters within the EU and data importers outside the EU, the new SCCs can now also be concluded by data exporters who are established outside the EU but to whom the GDPR applies pursuant to Art. 3 (2) GDPR (e.g. due to the "destination principle", because they offer goods or services to data subjects in the EU, or monitor their behavior). Data importers, on the other hand, are only covered if they are established in a third country and the GDPR does not apply to them. This seems problematic, as it leaves no room for justifying data transfers to non-EU countries on the basis of the SCCs if the GDPR applies to the data importer despite its establishment outside the EU.
Modular Design: In contrast to the old clauses, there are no longer different "sets" for the various cases of application, but only one "modular" document which must be adapted to the specific case. The new SCCs must generally be used without any amendments in order to have full effect. However, "breaking up" the modular structure and subdividing it into individual modules is just as possible as integrating it into a more comprehensive contract or adding additional guarantees, see Clause 2 lit. (a) SCCs.
Available Modules: The parties can choose between four modules:
- Controller-Controller (Module 1, "C2C"),
- Controller-Processor (Module 2, "C2P"),
- Processor-Processor (Module 3, "P2P") and
- Processor-Controller (Module 4, "P2C").
2.1 Modules 1 ("C2C"), 2 ("C2P") and 3 ("P2P")
Modules 1 and 2 correspond in principle to the constellations depicted in the old clauses, but adapt the SCCs to the specifications of the GDPR and define the obligations of the parties involved in greater detail. In addition, Module 2 - unlike the old clauses - meets the requirements of a processing agreement pursuant to Article 28 (3) of the GDPR, which eliminates the need to conclude a separate data processing agreement in addition to the standard contractual clauses.
The long-awaited Module 3 serves not only as a third-country transfer instrument, but also as a (sub)processing contract. It contains a separate regulation for international data transfers between processors. This is intended to simplify cases of complex processing chains where an EEA-based (main) processor uses sub-processors in third countries. This constellation was not covered by the old clauses. Consequently, the supervisory authorities have so far required the standard contractual clauses to be agreed directly between the controller in the EEA and the third-country sub-processors, which was difficult to handle in practice.
In Modules 1, 2 and 3, the data importer submits itself to the jurisdiction of the competent supervisory authority, Clause 13 lit. (b), and agrees to submit to audits by the supervisory authority and to comply with measures taken by the respective authority, including remedial and compensatory measures.
2.2 Module 4 ("P2C")
Module 4 contains clauses specifically for situations where a processor subject to the GDPR transfers data to a third-country controller not subject to the GDPR. However, in contrast to Modules 2 and 3, Module 4 complies with Art. 28 GDPR only in part. An additional data processing agreement between the third-country controller and the processor therefore remains necessary.
The new SCCs are to apply exclusively to data importers who are not themselves subject to the GDPR, so that third-country controllers will meet the requirements of Module 4 only "as a favor" to their EU data processors; only the latter actually have a reason to work towards concluding the clauses. The commissioning of a European processor by a third-country controller results in compliance obligations not only for the European processor, but also for the third-country controller that is otherwise not affected by the GDPR, so that, from the perspective of the third-country controller, recourse to a non-European processor might be preferable.
3. Other Innovations
Data Subject's Damage Claim: The new SCCs provide for the possibility for data subjects to claim compensation for damages resulting from a party breaching the third-party beneficiary rights under the SCCs pursuant to Clause 12 lit. (b).
Precedence & Liability: Clause 5 now expressly stipulates that the SCCs take precedence over any deviating agreements in other contracts. Clause 12 - also new - provides for unlimited liability of both parties and an indemnification obligation. The interplay between the precedence provision and the liability clause will make it difficult for the parties to deviate from the data transfer-related liability regime.
Choice of Law & Jurisdiction: Unlike under the old clauses, the choice of law and place of jurisdiction are no longer determined by the data exporter's place of business: There can be a (relatively) free choice among the EU Member States; in the case of Module 4, even third-country jurisdictions can be considered.
Docking: The new - optional - docking clause, Clause 7, allows third parties to join existing SCCs without having to conclude separate contracts. This is welcomed from a practical point of view.
Documentation: Further, the new SCCs provide for extensive documentation obligations regarding the compliance with the clauses’ obligations, in particular for the data importer.
4. Implementation of the Schrems II Ruling
With Clauses 14 and 15 of the new SCCs, the European Commission takes into account the CJEU judgment in the Schrems II case (CJEU, judgment of 16 July 2020 - C-311/18, CRi 2020, 109). These clauses should be read with the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data in mind.
Clauses 14 and 15 apply in principle to all modules, with the limitation that they only apply under Module 4 when the EU processor combines data received from the third country controller with data collected by the EU processor.
Contractual Obligations: The clauses provide for an obligation to conduct a transfer impact assessment, Clause 14, and contractual obligations to handle government requests for data access, Clause 15.
4.1 Transfer Impact Assessment
Clause 14 provides for an obligation to conduct a transfer impact assessment. This clause basically focuses on laws and practices in the respective third country of destination, but seems to allow for a risk-based approach in that, according to Clause 14 lit. (b), the following aspects, inter alia, are taken into account when assessing the level of data protection:
- the specific circumstances of the transfer, such as the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the personal data transferred, the economic sector in which the transfer occurs, the storage location of the data transferred,
- any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the SCCs, including measures applied during transmission and to the processing of the personal data in the country of destination.
The standard for the protective measures to be taken under the new SCCs also appears to be lower than that applied by the data protection supervisory authorities. The authorities have so far been rather critical of purely contractual and organizational measures - and in particular of a risk-based approach to the adoption of additional safeguards.
Documentation: The assessment made shall be documented and made available to the competent supervisory authority upon request, Clause 14 lit. (d).
4.2 Contractual Guarantees for Requests from Authorities
The new Clause 15 provides for detailed rules in the event that a public authority requests that the data importer hand over transferred data:
Notification Obligations: The importer is subject to notification obligations vis-à-vis the data exporter and, where possible, the data subjects regarding legally binding requests by a public authority for disclosure of personal data, Clause 15.1 lit. (a). These obligations also apply if the data importer becomes aware of any direct access to the data by a public authority. If notification of the data exporter is prohibited, the data importer shall use its best efforts to have the prohibition waived, Clause 15.1 lit. (b). Further obligations under Clause 15.1 include, to the extent permitted, regularly providing the data exporter with information on the authority requests received (in effect, "transparency reports"), Clause 15.1 lit. (c).
Assessment Duty: It is incumbent upon the data importer to review the lawfulness of the authority's request for disclosure. In the event of an unlawful request, the data importer must challenge it, including by legal action, to avoid the disclosure of the transferred data, Clause 15.2 lit. (a). Here, too, the data importer is subject to comprehensive documentation obligations with regard to its legal assessment, which must be made available to the competent data protection supervisory authority at its request, Clause 15.2 lit. (b). Furthermore, the importer may only disclose to the requesting authority the minimum amount of data permissible "based on a reasonable interpretation of the request", Clause 15.2 lit. (c).
5. Implementation in Practice
The new SCCs enter into force on 27 June 2021. Starting from this date, the old clauses can still be agreed for a period of further three months, until 26 September 2021.
From 27 September 2021 on, only the new SCCs can be concluded!
During a transition period of a further 15 months, data transfers can continue to take place on the basis of the old clauses; from 27 December 2022 onwards, all data transfers must have been switched to the new SCCs.
Companies should, therefore, already take the following precautions:
- Assessment: Data exporters in the EU should obtain clarity about their existing data flows to third countries. Overviews of the extent to which these have been or should be secured via SCCs can be helpful here.
- Adaptation: Furthermore, the modular structure of the SCCs will need to be "broken down". In particular, data exporters, but also data importers who receive data from the EU in a standardized manner or on a large scale, should adapt the SCCs to their needs, select the specific modules they require, and deal with the clauses and annexes that require filling out.
- Transfer Impact Assessment: For companies that transfer or receive data from the EU in a standardized way or on a larger scale, it is recommended to develop a standardized process for transfer impact assessments.
- Transition: Consideration should also be given to the timely conversion of the old clauses to the new SCCs and an adequate process should be set up in that regard.
- Documentation: Finally, documentation and regular re-evaluation of the measures taken should be considered.