The European Commission has adopted (at long last) an updated version of the Standard Contractual Clauses (SCCs), bringing this popular data transfer mechanism in line with the GDPR – and, we hope, the Schrems II decision. The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”), so the new SCCs are very big news for organizations that transfer or receive personal data from the EEA (that is, the European Union plus Norway, Iceland and Liechtenstein).
When do we need to start using the new SCCs?
The Commission decision adopting the new SCCs will go into effect 20 days after the decision is published in the Official Journal of the European Union (which is published daily on weekdays). Organizations that want to use the SCCs as the legal basis for new data transfers will need to begin using the new form of the SCCs from the date that is three months after their effective date (so assuming the decision is published on June 7, 2021, new transfers would need to be done under the new SCCs starting on September 26, 2021). For transfers that are already subject to the “old” SCCs, in most cases, organizations will have a grace period of approximately 18 months from now to transition from the old SCCs to the new SCCs. Importantly, it appears from the Commission’s decision that even if a transfer made under the old SCCs is complete, the new SCCs will need to be executed if the data are still being used by the data importer. Furthermore, the Schrems II requirements for a risk assessment with respect to national security laws and the adoption of supplemental protective measures to mitigate any risks apply now.
Why are the SCCs important?
Most US companies that receive European personal data are aware that the GDPR prohibits the transfer of personal data from the EEA to “third countries” that don’t have the benefit of a Commission “adequacy decision” (currently only 12 countries have one) unless
one of the Commission-approved data transfer mechanisms (such as the SCCs) is in place, or
an express GDPR Art. 49 exception applies – but these exceptions are heavily circumscribed by stringent guidance issued by the European Data Protection Board and are of very limited use.
Given that we are still waiting for the new, additional data transfer mechanisms anticipated by the GDPR, such as Commission-approved privacy certifications and codes of conduct, the SCCs play a fundamental role in making personal data transfers from Europe legal. In many data transfer situations, the SCCs are the only viable option.
What’s new (and improved)?
The new SCCs represent a vast improvement over the current SCCs, which were last updated in 2004 (for controller-to-controller transfers) and 2010 (for controller-to-processor transfers). The new SCCs are modular in nature, covering the following data transfer situations:
Controller to Controller
Controller to Processor
Processor to Controller (NEW!)
Processor to Processor (NEW!)
By providing for processor-to-controller and processor-to-processor transfers, the Commission has plugged one of the most significant gaps in the EU’s approved data transfer mechanism. Among other industries, the pharmaceutical industry will welcome the new flexibility: US (and other third country) clinical trial sponsors that are not established in Europe will soon be able to use the SCCs to cover routine transfers of EU clinical study data from their European CROs (which are processors). In addition, it is now clear that controllers who are subject to the GDPR but are not established in the EU can sign the SCCs as data exporters.
There are additional improvements over the old SCCs:
The new SCC modules that involve processors also cover the requirements of GDPR Article 28, which specifies a list of items that must be addressed in a written contract whenever a controller uses a processor to do anything with personal data. That will significantly streamline controller-processor contracting.
The new SCCs spell out the controller’s and processor’s obligations clearly. (Unfortunately, the final SCCs stepped back in some key places from the plain-English approach in the draft SCCs, and instead have reverted to some clunkier wording that is identical to the GDPR – but at least, we do have consistency in the language.) Compared to the current SCCs, US companies that have limited familiarity with the GDPR – for example, companies that receive EU personal data yet do not themselves fall under the GDPR’s territorial jurisdiction – will find it easier to understand their concrete obligations under the new SCCs. The clarity of the new SCCs is a significant improvement compared to the vague contractual wave of the hand at the GDPR that is a feature of many agreements involving EU personal data.
The new SCCs have been carefully drafted to help the parties address the concerns raised by the EU Court of Justice in its July 2020 Schrems II decision. That decision cast doubt on the lawfulness of transferring personal data from the EU to the US – and incidentally also raised the bar for many other countries. The due diligence and disclosures required by the new SCC provisions initially may seem disproportionate to companies that believe their personal data transfers face no risk - or an essentially hypothetical and extremely low risk - of access by their country’s intelligence agencies. However, the recently published draft guidance of the European Data Protection Board makes it clear that US companies (and others) are required to perform a painstaking assessment of that risk and adopt mitigating measures. That said, the Commission has included a footnote that introduces a very welcome pragmatic angle to the assessment (more on that immediately below).
How do the new SCCs help organizations get to grips with the Schrems II decision?
The new SCCs turn the Schrems II decision’s diligence and supplemental measures requirements into a contractual requirement. The exporter and importer must cooperate in the assessment and document their assessment. The document must be available to EU supervisory authorities (i.e., an interested national or regional data protection authority) on request. However, the assessment does not need to be attached to the SCCs as the European Data Protection Board had recommended to the Commission.
In a nutshell, the exporter and importer need to warrant that “they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses” (Clause 14(a)). In making this warranty, the exporter and importer must take into account, among other things, “the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards” (Clause 14(b)(ii)). The SCCs include a long footnote explaining that this analysis should not be limited to the letter of the law in the destination country. Instead, practical experience can and should be taken into account.
This critical footnote in the SCCs adds a much-needed counterweight to the European Data Protection Board’s statement in its November 2010 guidance on the Schrems II decision that the assessment must not “rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” The SCCs’ footnote helpfully clarifies that “practical experience” counts as a relevant, objective element rather than a subjective element that must be disregarded:
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. (Fn 12)
Overall, the new SCCs bring greater clarity and certainty to the rules governing EU-to-third-country data transfers. They stick tightly to the GDPR, while also spelling out specific obligations in a way that is (for the most part) both precise and achievable. While the new SCCs will require much more thought and background work on the part of data exporters and importers, they should result in more robust organizational and technical protections for the data in question, and for the individuals whose data are transferred.