Legal and Data Privacy Writer at TermsFeed.
On this page
- 1. Background of Standard Contractual Clauses (SCCs)
- 2. What are Standard Contractual Clauses (SCCs)?
- 3. What are the New Standard Contractual Clauses?
- 4. Standard Contractual Clauses: New vs Old
- 4.1. Updated Structure
- 4.2. Data Importer Obligations
- 4.3. Government Access and Third Country Laws
- 5. When Do I Need to Implement Standard Contractual Clauses (SCCs)?
- 6. How to Use Standard Contractual Clauses (SCCs)
- 6.1. Structure of the New Standard Contractual Clauses
- 6.2. Other Notable Features in the New Standard Contractual Clauses
- 7. Recommended Steps For Businesses to Take For Standard Contractual Clauses (SCCs)
- 7.1. What are the Alternatives to Standard Contractual Clauses?
- 8. Summary
On June 4, 2021, the European Commission released updated EU standard contractual clauses (SCCs) to ensure the lawful transfer of personal data to countries outside the European Economic Area (aka third countries).
The old SCCs pre-dated the EU General Data Protection Regulation (GDPR) and, as such, do not reflect its stringent data transfer requirements, so change was necessary.
To address the realities faced by businesses, the new SCCs factor in GDPR compliance, as well as take into account the Schrems II ruling from the European Court of Justice (CJEU), which invalidated the EU-U.S. Privacy Shield.
This article will walk you through what SCCs are, why they are needed, and how to implement them. We'll also briefly compare the new SCCs with the old ones to give you a practical idea of their differences.
One of our many testimonials:
Background of Standard Contractual Clauses (SCCs)
SCCs were first introduced under the 1995 Data Protection Directive (aka the GDPR's predecessor) as a way to ensure the lawful transfer of data from the EEA to third countries. SCCs were especially important for businesses located in third countries without an adequacy decision (i.e., countries not approved by the European Commission to have a suitable level of data protection).
U.S. businesses fell under this category but relied on the EU-U.S. Privacy Shield for international data transfers until the Privacy Shield became invalidated in the Schrems II case on July 16, 2020.
Since then, SCCs have represented the most common and appropriate safeguard used by U.S. businesses to facilitate international data transfers.
Note that in July of 2023, the EU-U.S. Data Privacy Framework was adopted as a new compliant method of data transfer.
While SCCs weren't invalidated in the Schrems II ruling, it became apparent that the old SCCs may no longer be the foolproof data transfer mechanism they once were.
In light of this, the European Data Protection Board (EDPB) requires data exporters to perform a case-by-case analysis to examine if SCCs provide sufficient protection for certain data transfers.
Moreover, in cases where sufficient protection cannot be guaranteed, data exporters are required to implement additional technical and organizational measures (TOMs).
To sum up, the developments surrounding the Schrems II ruling, coupled with the age of the old SCCs, contributed to the need for updated SCCs.
Now, let's take a look at what exactly SCCs are and when you may need to implement them.
What are Standard Contractual Clauses (SCCs)?
Standard Contractual Clauses are a model data transfer mechanism primarily designed to help controllers and processors legally facilitate data transfers to third countries.
In its questions and answers guide, the European Commission describes SCCs as a set of:
"Standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, for instance, commercial partners."
To put this in context, let's say a business collects an EU resident's data and transfers it to an entity outside the GDPR's jurisdiction.
In this case, the EU resident may lose the GDPR's protections over such data, which leaves the business in violation of the GDPR's provisions.
However, incorporating SCCs into a legally binding contract between both parties can help the business avoid liability by obligating the receiving party to implement data protection safeguards similar to those in the GDPR.
In other words, SCCs can help EU personal data retain GDPR-like protection even after leaving the EEA.
What are the New Standard Contractual Clauses?
To strengthen data protection and comply with the GDPR's provisions, the European Commission released the "New SCCs" to replace the old ones and help better facilitate international data transfers.
The model clauses issued by the European Commission are of two distinct sets:
- The first set regulates data transfers outside the European Economic Area (EEA)
- The second set regulates the contractual relationship between controllers and processors
Keep in mind that only the first set of SCCs will replace the old SCCs, while the second set can serve as a template for future data processing agreements.
Importantly, the new SCCs address the deficiencies in its previous version and reflect the GDPR's data transfer requirements as well as some Schrems II related developments. They also provide more legal predictability to EU businesses and offer more flexibility for complex data processing chains.
Standard Contractual Clauses: New vs Old
The new SCCs feature several modifications and quality enhancements from the old SCCs since they are aligned with the GDPR requirements and the Schrems II ruling.
Understanding these differences can help smoothen your business's transition process, from the old SCCs to the new. Below are some notable differences.
The old SCCs were two entirely separate agreements addressing two data transfer scenarios (i.e., cross-border data transfer from controller to processor and data transfer from controller to controller).
In contrast, the new SCCs feature a more flexible and encompassing structure containing four modules for four cross-border transfer scenarios, all codified into a single document (as seen later in this article).
Data Importer Obligations
Unlike the old SCCs, the new SCCs place more focus and impose significant obligations on data importers, especially importers who act as controllers.
Importers who don't fall under the GDPR's scope will essentially have to implement a slightly less-demanding GDPR compliance program. Their responsibilities include documentation, additional representations and warranties, sensitive data security, and data breach obligations, to mention a few.
Government Access and Third Country Laws
Understandably, the old SCCs do not include safeguards against government access to personal data since they were created before the Schrems II ruling (where the issue was addressed). The new SCCs, however, consider the ruling and include provisions to implement additional transparency and notification controls, which address government access requests.
The new SCCs also require both parties to conduct and document a Transfer Impact Assessment.
This includes evaluating the circumstances of the data transfer as well as the third country's laws and practices to ensure that they do not prevent the data importer from complying with the provisions of the SCCs.
When Do I Need to Implement Standard Contractual Clauses (SCCs)?
As a data exporter, you are required to implement SCCs or an alternative safeguard when you make "restricted transfers."
Data transfers are considered to be restricted when the following applies:
- The personal data you intend to transfer is protected by the GDPR,
- The recipient is located in a third country without an adequacy decision, and
- The recipient is a separate individual or entity outside your organization, including a subsidiary
Alternative safeguards include an adequacy decision, binding corporate rules, and derogations. For a more in-depth look at the GDPR's data transfer safeguards, check out our article: Transferring Personal Data Out of the EU.
To better grasp whether you need to implement SCCs, consider these simple scenarios.
- A U.S.-based conglomerate that receives employee data from its subsidiaries in the European Union will likely need to implement SCCs
- An Australia-based company that partners with an EU company and collects EU consumer data will likely need to implement SCCs
How to Use Standard Contractual Clauses (SCCs)
Structure of the New Standard Contractual Clauses
When it comes to structure, the first set of SCCs employ a "modular" approach that covers data transfers from an entity in the EEA to an entity in a third country. Each module addresses a different data transfer scenario between controllers and processors, allowing businesses to choose which applies to their situation.
Note that controllers are individuals or entities who determine the purpose or methods of processing personal data, while processors are individuals or entities who process data on behalf of a controller.
For a better understanding of controllers and processors, check out our article: GDPR Data Controller vs. Data Processor.
The modules under the first set of SCCs are as follows:
- Data transfer from controller to controller (C2C)
- Data transfer from controller to processor (C2P)
- Data transfer from processor to processor (P2P)
- Data transfer from processor to controller (P2C)
Unlike its previous version, the first set of SCCs do not provide a separate agreement for each module but includes them all in a single document with subsections. In essence, businesses should identify and single out which module fits the contractual relationship in their legally binding agreement with the other party.
Moreover, the old SCCs require businesses to enter into separate data processing agreements to satisfy the requirements in Article 28 of the GDPR, but thanks to the second set of SCCs this is no longer required.
It's also important to note that you must not alter any of the clauses in your SCCs. Additional clauses may be included to suit specific requirements, but they must not contradict the SCCs.
Other Notable Features in the New Standard Contractual Clauses
Under the new SCCs, the docking clause allows the existing parties in a contractual relationship to add new parties to the data transfer agreement throughout the lifecycle of the agreement.
Though optional, this feature is particularly useful in complex situations where multiple parties have to be included in the data transfer agreement down the line.
Modules by Reference
Interestingly, businesses can insert the new SCCs by reference into their existing contracts as long as they specify the modules that fit the relevant relationships (e.g., processor to controller).
In other words, you can simply include a clause in your contract that states that both parties agree to incorporate and comply with the new SCCs. This way, you don't have to include the full text of the new SCCs in your agreement.
However, make sure that the governing law clause, docking clause (if applicable), and annexes are properly filled out and completed.
Strengthen Data Subject Rights
The rights of data subjects are explicitly specified in the new SCCs. In short, data subjects have the right to obtain a meaningful summary or a copy of the data transfer agreement.
Furthermore, you must notify data subjects about any high-risk data breach as well as any request by relevant authorities to access their data unless prohibited from doing so.
Recommended Steps For Businesses to Take For Standard Contractual Clauses (SCCs)
In light of the developments surrounding the repeal of the old SCCs and the transition to the new SCCs, we recommend that you take the following measures to ensure a lawful implementation of the new clauses:
- Evaluate your data transfers and related third-party agreements, which include data transfers from the EEA, making sure to prioritize the most crucial ones. Note that by December 27, 2022, only the new SCCs must be implemented in your existing contracts.
- Map all your data transfers to third counties to better understand your data flows and the roles played by each party. This should not only include any physical data transfers but also transfers from incidental activities such as analytics, support, backups, etc.
- Conduct Transfer Impact Assessments (TIAs), making sure to adhere to the recommendations released by the European Data Protection Board (EDPB).
- Identify the relevant parties for each data transfer, including controllers, processors, sub-processors, as well as the data importer and exporter.
- Make sure your data processing agreements are aligned with the provisions of the new SCCs.
- Remember to use the appropriate modules for each transfer and remove modules that do not apply to your processing activities. Also ensure that, where appropriate, SCCs and their annexes are filled out and signed.
- Conduct a case-by-case analysis of the risks involved in each data transfer and implement additional technical and organizational measures as may be needed to supplement SCCs in certain instances. When doing this, make sure to follow the recommendations released by the EDPB.
- Review policies and processes for responding to requests from law enforcement and other government agencies regarding access to personal data.
- Finally, stay updated on data transfer trends and industry guidelines as this area of law isn't well settled.
What are the Alternatives to Standard Contractual Clauses?
SCCs are one of several mechanisms set out across Chapter 5 of the GDPR that allow EEA-based businesses to transfer personal data to businesses in third countries. The other safeguards are as follows.
Adequacy decision: The recipient business is situated in a country whose data protection standards have been deemed "adequate" by the European Commission. At the time of writing, these countries are:
- Canada (for commercial organizations operating under PIPEDA)
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea
- United Kingdom
- Binding Corporate Rules (BCRs): The sender and the recipient business belong to the same multinational corporate group, with rules (approved by a Data Protection Authority) for safeguarding personal data.
Derogations: The transfer of personal data is a "one-off" event, and one of the GDPR's Article 49 exceptions applies, including but not limited to:
- Consent: The data subject has given their explicit consent, specific to this one-off transfer. They are fully informed about the transfer, including the identity of the recipient's, the recipient's country of residence, and the risks involved.
- Contract: It is necessary to make the transfer to fulfill contractual obligations owed to the data subject or other beneficiaries such as the data subject's family members.
- Legitimate interests: As an absolute last resort, the transfer may take place if it is in the legitimate interests of the sender and none of the other safeguards apply. This derogation is subject to a Legitimate Interests Assessment, and the notification of a Data Protection Authority.
Following the downfall of the EU-U.S. Privacy Shield, the U.S. government and the European Commission took measures to develop the new data framework.
Although this can serve as an alternative transfer mechanism to the new SCCs for U.S. businesses, it's important to note that if you properly implement the new SCCs (along with EDPB recommendations), you don't need to adopt any alternative transfer mechanism.
In any case, we recommend that you remain proactive in your cross-border data transfer compliance efforts by:
- Taking every reasonable step listed above to ensure proper data transfers and compliant data processing agreements when using SCCs, and
- Following the EU-U.S. Data Privacy Framework requirements