04 September 2020
Standard contractual clauses (SCCs) are a key way to ensure the lawful and secure transfer of personal data from within the European Economic Area (EEA) to "third countries" (non-EEA countries).
With the downfall of the Privacy Shield framework in July 2020, SCCs represent the most appropriate safeguard for most personal data transfers from the EEA to the United States.
In this article, we'll be explaining what SCCs are, why you might need them, and how to use them. We'll also be discussing some of the additional safeguards that you might need to implement following recent legal developments.
SCCs are a legal mechanism set out in the EU General Data Protection Regulation (GDPR). SCCs can help businesses in EEA countries transfer personal data to other companies in third countries.
The GDPR seeks to protect the personal data of data subjects (individual people) residing in the EEA. SCCs are a means of helping people in the EEA maintain their rights and control over their personal data even once it leaves the EEA.
Suppose a business collects a data subject's personal data and transfers it to another company in a country where the GDPR does not apply. In that case, the data subject risks losing the GDPR's protections over that data, including their ability to exercise their data subject rights.
With SCCs, the two businesses make the transfer subject to a legally-binding agreement containing clauses guaranteeing that the third-country recipient will protect the personal data.
There are three sets of SCCs. Here's an example of one of the SCCs from set 1 of the SCCs, Annex A, adopted in 2001:
This clause requires a third-country data controller receiving personal data to take security measures to protect the personal data. EEA data controllers are already required to do this under EU law.
SCCs, or one of the alternative safeguards listed below, are required for "restricted transfers."
Here's a checklist to help you determine whether you're making a restricted transfer:
If the answer to all three questions is "yes," then you are making a restricted transfer and must apply one of the GDPR's safeguards, such as SCCs.
SCCs are one of several mechanisms set out across Chapter 5 of the GDPR that allow EEA-based businesses to transfer personal data to businesses in third countries. The other safeguards are:
Adequacy decision: The recipient business is situated in a country whose data protection standards have been deemed "adequate" by the European Commission. At the time of writing, these countries are:
Derogations: The transfer of personal data is a "one-off" event, and one of the GDPR's Article 49 exceptions applies, including:
"Standard contractual clauses" will be an important mechanism for more business since the downfall of the EU-U.S.Privacy Shield framework. Many people see SCCs as the best solution for companies who were previously part of Privacy Shield.
The U.S. does not have an "adequacy decision." However, the Privacy Shield framework allowed EEA and U.S. businesses to freely transfer EEA data subjects' personal data.
The Privacy Shield scheme required participants to make specific commitments to protect EEA residents' personal data. The commitments made under the framework were supposed to deliver an "equivalent" level of protection as that provided by EU law.
Privacy Shield was recently considered in an important EU court case known as "Schrems II." The Court of Justice of the European Union (CJEU) decided that Privacy Shield does not represent a valid means of protecting EEA data subjects' personal data.
The main reason for the CJEU's decision was that the U.S. has blanket surveillance laws that allow its Government to access personal data. The Privacy Shield framework did not protect against this interference, and EU citizens had no legal protection against it.
The Schrems II case immediately invalidated the Privacy Shield framework, and businesses using this scheme must now find another safeguard to facilitate transfers of personal data from the EEA to the U.S., such as SCCs.
The Schrems II case was, centrally, a challenge to the validity of SCCs. The CJEU concluded that SCCs remain a valid safeguard when making restricted transfers of personal data.
But while the CJEU did not invalidate SCCs, the Schrems II decision does reiterate that SCCs may not be a suitable safeguard in all circumstances, as has always been the case.
Following Schrems II, the European Data Protection Board (EDPB) requires EEA data controllers to assess the safeguards they have in place for transferring personal data to third countries.
You must assess the appropriateness of using SCCs on a case-by-case basis. We'll consider how you can do this below.
If you plan to make a restricted transfer, you'll need to create a contract between the two parties receiving and sending the data and insert the SCCs into the contract.
Either party involved in a restricted transfer can create a data transfer contract, but both parties must agree to it.
You cannot change the SCCs in any way. Whichever of the three sets you use must be fully present and unaltered in the contract covering the transfer.
You can add additional clauses, and indeed you may need to do so (as we'll see below), but these must not conflict with the SCCs.
The European Commission provides three sets of SCCs. Two sets are for transfers between two data controllers. One set is for transfers between a data controller and a data processor.
Click here more information on data controllers and data processors under the GDPR.
If the data importer is a data processor, you'll need to use the SCCs for controller-processor transfers. The controller-processor SCCs were updated in 2018. The old set (from 2010) is no longer valid and you must not use it.
If you're engaging a data processor, whether or not they are based outside of the EEA, you'll need to create a Data Processing Agreement. If your data processor is based outside of the EEA, you can incorporate the SCCs into your Data Processing Agreement.
The differences between these two sets of controller-controller SCCs are quite technical, and include:
Set 1 (2001):
Set 2 (2004):
Neither of these two sets of SCCs is "better," and neither provides a stronger level of data protection. We suggest that both parties read each set carefully and decide which is right in the context of your transfer.
While the Schrems II decision did not invalidate SCCs, or change them in any way, it did reiterate that data controllers must assess whether SCCs provide adequate protection for their restricted transfers.
Such an assessment must be made regardless of which third country the data importer resides in. However, you should take particular care if you plan to make a restricted transfer to the United States.
SCCs are only valid insofar as they can ensure personal data is protected to a standard commensurate with the GDPR and the EU Charter of Fundamental Rights.
Some state surveillance is acceptable in this context. For example, where security services must apply for a warrant before demanding personal data from a business. Unfortunately, some U.S. surveillance laws do not meet this standard.
Therefore, these surveillance laws could be a problem if you plan to use SCCs to transfer personal data to certain U.S. companies. You'll need to consider whether you can apply additional safeguards to your restricted transfers to protect against state interference.
We're going to look at two interpretations of the Schrems II judgment that give some advice on how to do this.
The European Centre for Digital Rights (headed by the person who brought the Schrems II case, Max Schrems himself), has produced some guidance on what businesses should do if they wish to continue using SCCs to transfer EEA-originating personal data to the United States.
The guidance suggests that EEA businesses write to the U.S. companies with which they share personal data to ask if they fall under the two problematic surveillance laws that led to the invalidation of the Privacy Shield framework (FISA 702 and EO 12333).
The guidance also suggests writing to U.S. companies to ask what measures they take to prevent communications being wire-tapped by the NSA. It argues that the U.S. Government can break even very strong encryption.
Ultimately, the European Centre for Digital Rights argues that EEA companies will simply have to stop working with certain U.S. companies if they cannot lawfully guarantee to protect personal data.
Bear in mind that this is a strict interpretation of the Schrems II judgement, produced by the actual plaintiff in the case (whose primary complaint was with SCCs, not Privacy Shield).
Some observers believe that the CJEU did not properly understand the U.S. surveillance laws' scope, which only allows the U.S. Government to obtain personal data from narrowly-defined "electronic communications providers."
Privacy Professionals, Marc Zwillinger, Mason Weisz, and Kandi Parsons argue that most U.S. companies will be able to deny U.S. Government orders made under FISA 702 and EO 12333.
They suggest that exporters apply strong encryption to personal data, and insert additional contractual clauses that compel the importer not to divulge the data to the U.S. Government.
This interpretation is much more liberal than the alternative, above, but would allow virtually all restricted transfers to the U.S. to continue with a few additional safeguards applied.
The EDPB indicates in its guidance that EEA data exporters must work with their third-country importers to assess the privacy risks involved in their restricted transfers. We've provided two sets of guidance on carrying out this assessment above.
What happens if you conduct this assessment and conclude that you cannot adequately safeguard the privacy risks? Here's an excerpt from the guidance:
"If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."
The EDPB appears to be saying that you may continue with a restricted transfer whether or not you have deemed it to be sufficiently secure, so long as you notify your Data Protection Authority.
SCCs may be appropriate if you are either:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.