The European Commission issues Schrems II-proof Standard Contractual Clauses to allow global dataflows

As anticipated in one of our previous posts, the “revamped” SCCs contain specific provisions meant to cover potential requests by third countries’ governments or authorities to access personal data transferred, taking into account the bar set by the CJEU in its Schrems II judgment (for background on the CJEU’s decision, see our post here).

The documentation published by the European Commission comprises both an Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, and the Annex to the Implementing Decision that contains the new SCCs.

What’s new?

The new modular approach proposed by the new SCCs is a welcome innovation. Compared with its more “rigid” predecessors limited to two independent sets of clauses (one for Controller-to-Controller transfers and the other for Controller-to-Processor transfers), this new mechanism aims to provide greater flexibility by covering various real-world transfer scenarios:

• Module 1: Controller-to-Controller transfers
• Module 2: Controller-to-Processor transfers
• Module 3: Processor-to-Processor transfers
• Module 4: Processor-to-Controller transfers

Importantly, the European Commission addresses the CJEU’s decision in Schrems II by adding a number of provisions that strengthen the ability of the contractual parties to control the extent to which government agencies outside the EU may access personal data.

Even though the new SCCs have been designed to address the requirements of Schrems II, the contracting parties are still required to thoroughly assess and take due account of all the relevant elements surrounding the transfer: its particular circumstances, the legislation and practices in the third country of destination, as well as any supplemental safeguards (including technical and organizational measures) that may be required to ensure a level of protection for the data that is essentially equivalent to the one afforded in the European Union.

What changed?

In comparison to the draft text for the SCCs published in November 2020, the final version of the now adopted SCCs contains several clarifications to further substantiate the obligations of data exporters and importers. Here are some key issues to note:

• The new provisions on the data exporter and data importer obligations with regard to the assessment of local laws in the recipient country (Clause 14), as well as with regard to data access by authorities in the recipient country (Clause 15), remain to a large extent unchanged compared to the draft version. However, compared to the existing SCCs, the provisions under the new SCCs create far more detailed obligations which substantially increase the level of due diligence involved in assessing the potential impact of local laws on the data.
• With regard to onward transfers by data importers to other recipients, it is clarified that such transfers are allowed for the exercise or defense of legal claims related to specific administrative, judicial or regulatory proceedings, and to protect the vital interests of the data subject or another natural person (see Clause 8.7 (Module 1), Clause 8.8 (Modules 2 + 3)). Data importers, either directly or through the exporter, retain the ability to inform recipients about the categories of recipients (as appropriate with a view to providing meaningful information) in the event of onward transfers (as compared to the draft version of the SCCs which required to always disclose the identity of the recipients).
• The clauses on sub-processing in the Controller-to-Processor (Module 2) and Processor-to-Processor (Module 3) scenarios were also slightly redacted in comparison to the Commission’s initial draft (see Clause 9). For example, with regard to the data exporter’s right to obtain upon request a copy of the sub-processor contracts from the data importer, it is now clarified that the data importer may redact the text of the agreements to the extent necessary to protect business secrets or other confidential information prior to sharing a copy (see Clause 9 (c)). This is an improvement compared to Clause 5 (g) of the old SCCs which only allowed for a redaction of commercial information and an obligation to provide copies without prior request.
• Some provisions are more closely aligned to the wording of the GDPR, such the obligation to implement appropriate technical and organizational safeguards, which is now more closely aligned to Art. 32 GDPR (see Clauses 8.5 (Module 1), 8.6 (Modules 2 + 3), and 8.2 (Module 4)).
• The new SCCs also require data exporters and importers to provide comprehensive information on the data transfers governed by the SCCs in the Annexes. In addition, the parties need to describe the implemented technical and organizational security measures, which shall include measures taken to assist with responses to data subject requests (see Clause 10 (b) (Modules 2 + 3)).
• On a positive and helpful note, the Commission has injected some flexibility in connection with the Schrems II considerations, as recital 20 of the Implementing Decision states that as regards the impact of local laws on compliance with the SCCs, different elements may be considered as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector, and, under strict conditions, the documented practical experience of the data exporter and/or data importer.

In common with all other versions of the SCCs, the new SCCs stipulate fairly onerous obligations for data exporters and importers which are, of course, non-negotiable. Therefore, entering into agreements including any of the SCCs modules should not be regarded as a “paper exercise” as the practical implementation of the obligations will require substantial efforts from all parties involved.

What now?

The European Commission grants a total transitional period of 18 months from the date of entry into force of the Implementing Decision for the new SCCs to replace all previous contracts. Therefore, both data exporters and importers should now start reviewing all their existing contractual arrangements based on the old SCCs (including, e.g., contracts with service providers or intra-group agreements) and determine what changes are necessary to replace them with the new version. This should happen alongside a broader exercise assessing:

• The categories of data transfers by reference to the nature of the data, the roles of the parties (e.g., controllers and processors) and the location of the data importers;
• The impact of local data access laws on the different types of data transfers; and
• The level of protection currently provided by the new SCCs in that particular context.

Having undertaken this assessment, organizations must then determine if reliance on the SCCs alone will suffice or whether it is necessary to supplement the provisions of the SCCs with additional measures to bring the level of protection in line with EU standards.

In conclusion, the new SCCs will go a long way towards addressing the requirement to legitimize transfers of personal data out of the EU, but it remains the responsibility of those involved in carrying out those transfers to ensure that whatever mechanisms are relied on, they provide adequate safeguards to meet GDPR standards as interpreted by the CJEU.

Authored by: Eduardo Ustaran, Laur Badin, and Henrik Hanssen.