New Standard Contractual Clauses Under the GDPR
On June 4, 2021, the European Commission issued two new sets of Standard Contractual Clauses (“SCCs”): (i) one for the processing of personal information between data controllers and data processors who are subject to the General Data Protection Regulation (“GDPR”), and (ii) one for the transfer of personal information outside of the European Union (“EU”).
The GDPR lays out specific, compulsory clauses that must appear in contracts between data controllers and data processors where the data processor processes EU personal information on behalf of the data controller. The European Commission has assembled these compulsory clauses, together with other recommended clauses, into a single document for the convenience of the parties: the first set of SCCs (the “Set One SCCs”). The Set One SCCs are primarily designed for intra-EU transfers, or for other transfers to data processors where the second set of SCCs (the “Set Two SCCs”) is not required.
To remain valid, these SCCs cannot be modified. They can, however, be expanded upon or included as part of a broader contract, as long as such additions do not contradict or detract from the SCCs as written. Notwithstanding the foregoing, these SCCs are not the only available means of documenting the processing of personal information between data controllers and data processors under the GDPR. As before, the parties remain free to draft their own agreement for such processing, so long as the compulsory clauses set out in the GDPR are included.
Am I a data controller? A data controller is the entity that chooses the purposes and means of processing. Data controllers are the owners of the data.
Am I a data processor? A data processor can only process data under the instructions of, and on behalf of a data controller. Data processors are typically service providers.
The EU has some of the strictest data privacy and protection laws in the world. Privacy—including the protection of personal information (e.g., name, email, address)—is considered a fundamental human right in Europe. This is not the case in many countries outside of the EU, including the US. Thus, when personal information leaves the EU for one of these other countries, the GDPR requires that certain protections be in place to ensure a level of data protection essentially equivalent to that guaranteed within the EU. These protections are limited to a set of approved mechanisms prescribed by the EU Commission.
Until recently, the two most commonly used mechanisms in the US were the old SCCs and the EU-US Privacy Shield Framework (the “Framework”). In July 2020, however, the Court of Justice of the European Union (“CJEU”) issued its decision in Data Protection Commission v. Facebook Ireland, Schrems (“Schrems II”) invalidating the Framework. The CJEU declared that the Framework could not provide protection essentially equivalent to that guaranteed within the EU, due to US surveillance laws which permit excessive collection of EU personal information without regard to the principles of proportionality, necessity, and redress. Since then, Framework-certified companies have had to turn to other approved mechanisms, and parties relying on the old SCCs have had to reevaluate their compliance with such SCCs in light of the Schrems II decision.
To assist companies during this transition, and in response to both Schrems II (2020) and the GDPR (2016), the EU Commission decided to create new SCCs and repeal the old SCCs, effective September 27, 2021. For those companies who entered into the old SCCs before September 27, 2021, such old SCCs will continue to remain valid until December 27, 2022.
Key Differences between the Set Two Old SCCs and New SCCs
The old SCCs were drafted in response to Directive 95/46/EC (1995), the main EU privacy law until 2016 when it was replaced by the GDPR. Thus, the new SCCs mirror many of the requirements and principles of the GDPR, including extraterritoriality.
Also, the old SCCs came in two separate documents: one for the cross-border transfer of personal information from controller to controller, and one for the cross-border transfer of personal information from controller to processor. The new SCCs, by contrast, come in one document divided into four Modules, covering four (instead of only two) cross-border transfer scenarios. Module One addresses transfers from controller to controller, Module Two addresses transfers from controller to processor, Module Three addresses transfers from processor to sub-processor, and Module Four addresses transfers from processor to controller. Despite this new one-document, modular structure, we recommend separating out the applicable Module to avoid any confusion as to the roles of the parties in a transaction.
While many of the responsibilities and data processing principles under the new SCCs remain the same, some of the key differences from the old SCCs include, but are not limited to:
more responsibilities and shifting burdens to data importers (e.g., additional representations and warranties, onward transfer obligations, notification and recordkeeping requirements, as well as new sensitive data and accuracy obligations, and expanded security and data breach requirements);
for data importers who are data processors, Modules Two and Three also incorporate the compulsory clauses of the GDPR mentioned above in Set One;
more direct liability to both individuals and authorities in Europe for data importers;
options and even some requirements for multi-party use;
more choices for governing law and venue during a dispute; and
more explicit requirements on both parties with respect to the new Schrems II analysis regarding the potential for overly intrusive foreign government access programs.
It will be important for all data importers to carefully review their new responsibilities under the new SCCs, particularly if the company is not already GDPR-compliant.
Identify any old SCCs to which you may be a signatory, identify the roles of the parties therein (i.e., controller or processor), and begin to notify the applicable third parties of the need to execute the appropriate Module of the new SCCs.
If you were a Framework-certified company, identify from where you receive EU personal information as a data importer, identify your role with respect to such EU personal information (i.e., controller or processor), and begin to execute with the applicable third parties the appropriate Module of the new SCCs.
Furthermore, while the new SCCs respond in part to the Schrems II decision, for some data importers, the new SCCs alone may not be sufficient, and additional measures outlined by the European Data Protection Board may be necessary to supplement any SCC obligations.
For data importers who are data processors, because Modules Two and Three also incorporate the compulsory clauses of the GDPR, they will likely be used on their own, primarily for transfers outside of the EU to data processors (whereas before, the old SCCs were typically attached to a separate Data Processing Agreement (“DPA”) which incorporated the GDPR compulsory clauses). Modules Two and Three may therefore reduce or even eliminate the need for a separate DPA. It is important to note, however, that like the Set One SCCs, the Set Two SCCs cannot be modified if they are to remain valid, and any terms of a current DPA you have in place will be overridden by the SCCs in the event of a conflict. If your company is a data processor outside of the EU, we recommend reviewing and comparing any DPAs you currently have in place with applicable third parties to understand your obligations moving forward—particularly since these new SCCs may become the new market standard. You may also want to expand upon the new SCCs to meet the particular needs of your business, which is permitted so long as such additions do not contradict or detract from the SCCs as written.
For personal information transfers from the United Kingdom, the new SCCs are not required. The United Kingdom intends to release its own set of standard contractual clauses by the end of 2021.