Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
On June 4, 2021, the European Commission released the new EU standard contractual clauses (SCCs) to ensure the lawful transfer of personal data to countries outside the European Economic Area (aka third countries).
The old SCCs pre-dated the EU General Data Protection Regulation (GDPR) and, as such, do not reflect its stringent data transfer requirements, so change was necessary.
To address the realities faced by businesses, the new SCCs factor in GDPR compliance and take into account the Schrems II ruling from the European Court of Justice (CJEU), which invalidated the EU-US Privacy Shield.
This article will walk you through what SCCs are, why they are needed, and how to implement them. We'll also briefly compare the new SCCs with the old ones to give you a practical idea of their differences.
Before we go into the details of the new SCCs, it's important to get some context about how they came to be.
SCCs were first introduced under the 1995 Data Protection Directive (aka the GDPR's predecessor) as a way to ensure the lawful transfer of data from the EEA to third countries.
SCCs were especially important for businesses located in third countries without an adequacy decision (i.e., countries not approved by the European Commission to have a suitable level of data protection).
U.S. businesses fell under this category but relied on the EU-US Privacy Shield for international data transfers until the Privacy Shield was invalidated in the Schrems II case on July 16, 2020.
Since then, SCCs have represented the most common and appropriate safeguard used by U.S. businesses to facilitate international data transfers.
While SCCs weren't invalidated in the Schrems II ruling, it became apparent that the old SCCs may no longer be the foolproof data transfer mechanism they once were.
In light of this, the European Data Protection Board (EDPB) requires data exporters to perform a case-by-case analysis to examine if SCCs provide sufficient protection for certain data transfers.
Moreover, in cases where sufficient protection cannot be guaranteed, data exporters are required to implement additional technical and organizational measures (TOMs).
To sum up, the developments surrounding the Schrems II ruling, coupled with the age of the old SCCs, contributed to the need for updated SCCs.
Now, let's take a look at what exactly SCCs are and when you may need to implement them.
Standard Contractual Clauses are a model data transfer mechanism primarily designed to help controllers and processors legally facilitate data transfers to third countries.
In its questions and answers guide, the European Commission describes SCCs as a set of:
"Standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, for instance, commercial partners."
To put this in context, let's say a business collects an EU resident's data and transfers it to an entity outside the GDPR's jurisdiction.
In this case, the EU resident may lose the GDPR's protections over such data, which leaves the business in violation of the GDPR's provisions.
However, incorporating SCCs into a legally binding contract between both parties can help the business avoid liability by obligating the receiving party to implement data protection safeguards similar to those in the GDPR.
In other words, SCCs can help EU personal data retain GDPR-like protection even after leaving the EEA.
To strengthen data protection and comply with the GDPR's provisions, the European Commission released the "New SCCs" to replace the old ones and help better facilitate international data transfers.
The model clauses issued by the European Commission are of two distinct sets:
Keep in mind that only the first set of SCCs will replace the old SCCs, while the second set can serve as a template for future data processing agreements.
Importantly, the new SCCs address the deficiencies of their previous version and reflect the GDPR's data transfer requirements as well as some Schrems II related developments. They also provide more legal predictability to EU businesses and offer more flexibility for complex data processing chains.
The new SCCs feature several modifications and quality enhancements over the old SCCs, since they are aligned with the GDPR's requirements and the Schrems II ruling.
Understanding these differences can help smooth your business's transition from the old SCCs to the new. Below are some notable differences.
The old SCCs were two entirely separate agreements addressing two data transfer scenarios (i.e., cross-border data transfer from controller to processor and data transfer from controller to controller).
In contrast, the new SCCs feature a more flexible and encompassing structure containing four modules for four cross-border transfer scenarios, all codified into a single document (as seen later in this article).
Unlike the old SCCs, the new SCCs place more focus and impose significant obligations on data importers, especially importers who act as controllers.
Importers who don't fall under the GDPR's scope will essentially have to implement a slightly less-demanding GDPR compliance program. Their responsibilities include documentation, additional representations and warranties, sensitive data security, and data breach obligations, to mention a few.
Understandably, the old SCCs do not include safeguards against government access to personal data since they were created before the Schrems II ruling (where the issue was addressed).
The new SCCs, however, consider the ruling and include provisions to implement additional transparency and notification controls, which address government access requests.
The new SCCs also require both parties to conduct and document a Transfer Impact Assessment.
This includes evaluating the circumstances of the data transfer as well as the third country's laws and practices to ensure that they do not prevent the data importer from complying with the provisions of the SCCs.
As a data exporter, you are required to implement SCCs or an alternative safeguard when you make "restricted transfers."
Alternative safeguards include an adequacy decision, binding corporate rules, and derogations. For a more in-depth look at the GDPR's data transfer safeguards, check out our article: Transferring Personal Data Out of the EU.
Data transfers are considered to be restricted when the following applies:
To better grasp whether you need to implement SCCs, consider these simple scenarios.
Following its official release on June 4, 2021, the new SCCs took effect on June 27, 2021. At this time, businesses could still implement the old SCCs for an additional three months until the official repeal date on September 27, 2021.
The European Commission, however, provides a grace period for businesses that have implemented the old SCCs before the repeal date.
Essentially, such businesses can continue to rely on the old SCCs for an additional 15 months until December 27, 2022. Note that this provision only applies if there are no changes to the processing operations under the contract and if appropriate safeguards (such as risk assessments) continue to be implemented.
In any case, the European Commission displays some flexibility here by giving controllers and processors some time to examine their data transfer activities and implement the new SCCs accordingly.
When it comes to structure, the first set of SCCs employs a "modular" approach that covers data transfers from an entity in the EEA to an entity in a third country. Each module addresses a different data transfer scenario between controllers and processors, allowing businesses to choose the one that applies to their situation.
Note that controllers are individuals or entities who determine the purpose or methods of processing personal data, while processors are individuals or entities who process data on behalf of a controller.
For a better understanding of controllers and processors, check out our article: GDPR Data Controller vs. Data Processor.
The modules under the first set of SCCs are as follows:
Unlike its previous version, the first set of SCCs does not provide a separate agreement for each module but includes them all in a single document with subsections. In essence, businesses should identify and single out the module that fits the contractual relationship in their legally binding agreement with the other party.
Moreover, the old SCCs require businesses to enter into separate data processing agreements to satisfy the requirements in Article 28 of the GDPR, but thanks to the second set of SCCs this is no longer required.
It's also important to note that you must not alter any of the clauses in your SCCs. Additional clauses may be included to suit specific requirements, but they must not contradict the SCCs.
Under the new SCCs, the docking clause allows the existing parties in a contractual relationship to add new parties to the data transfer agreement throughout the lifecycle of the agreement.
Though optional, this feature is particularly useful in complex situations where multiple parties have to be included in the data transfer agreement down the line.
Modules by reference
Interestingly, businesses can insert the new SCCs by reference into their existing contracts as long as they specify the modules that fit the relevant relationships (e.g., processor to controller).
In other words, you can simply include a clause in your contract that states that both parties agree to incorporate and comply with the new SCCs. This way, you don't have to include the full text of the new SCCs in your agreement.
However, make sure that the governing law clause, docking clause (if applicable), and annexes are properly filled out and completed.
Strengthened Data Subject Rights
The rights of data subjects are explicitly specified in the new SCCs. In short, data subjects have the right to obtain a meaningful summary or a copy of the data transfer agreement.
Furthermore, you must notify data subjects about any high-risk data breach as well as any request by relevant authorities to access their data unless prohibited from doing so.
In light of the developments surrounding the repeal of the old SCCs and the transition to the new SCCs, we recommend that you take the following measures to ensure a lawful implementation of the new clauses:
SCCs are one of several mechanisms set out across Chapter 5 of the GDPR that allow EEA-based businesses to transfer personal data to businesses in third countries. The other safeguards are as follows.
Adequacy decision: The recipient business is situated in a country whose data protection standards have been deemed "adequate" by the European Commission. At the time of writing, these countries are:
Derogations: The transfer of personal data is a "one-off" event, and one of the GDPR's Article 49 exceptions applies, including but not limited to:
Following the downfall of the EU-US Privacy Shield, the U.S. government and the European Commission have begun taking measures to develop a new transatlantic data framework, the details of which can be found in this fact sheet.
Although this can serve as an alternative transfer mechanism to the new SCCs for U.S. businesses, it's important to note that if you properly implement the new SCCs (along with EDPB recommendations), you don't need to adopt any alternative transfer mechanism.
In any case, we recommend that you remain proactive in your cross-border data transfer compliance efforts by:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.