On June 4, the European Commission (EC) adopted two sets of standard contractual clauses (SCCs) for use between controllers and processors in the European Economic Area (EEA) and for the transfer of data between EEA and non-EEA countries. The new SCCs reflect requirements under the EU General Data Protection Regulation (GDPR) and the European Court of Justice’s (ECJ) July 2020 Schrems II decision[1] invalidating the EU-US Privacy Shield framework, with the goal of ensuring data protection and legal predictability for European businesses.
Under the GDPR, personal data can only be transferred outside of the EEA if the receiving country provides data protections that are “essentially equivalent” to those within the EEA.[2] In July 2020, the ECJ in Schrems II ruled that the US-EU Privacy Shield did not provide adequate protection to EU citizens from American government surveillance. The ruling created uncertainty regarding whether companies seeking to transfer data from the EU to the US could rely on the existing SCCs or, instead, would need to use alternative transfer mechanisms such as binding corporate rules. The EC had not yet updated the SCCs following the adoption of the GDPR, and the Schrems II decision only increased the urgency for adopting a new set of SCCs.
The new SCCs include the following key revisions:
The new SCCs include general clauses that apply to all data transfers, including clauses covering redress mechanisms available to data subjects, liability between parties for breaching the SCCs, a choice of EU Member State law to govern the SCCs, termination clauses, and a choice of forum and jurisdiction for SCC disputes. Parties are also required to complete three annexes describing the personal data transfers, naming the parties to the SCCs and their competent supervisory authorities, describing technical and organizational measures ensuring data security, and listing any sub-processors used by the processor.
In addition to these general clauses, the EC’s modular approach addresses more transfer scenarios than did previous SCCs, including (1) controller-to-controller transfers, (2) controller-to-processor transfers, (3) processor-to-processor transfers, and (4) processor-to-controller transfers. The inclusion of additional modules allows contracting parties to tailor agreements to their circumstances. Notable provisions in these modules include a requirement for data importers in controller-to-controller transfers to inform the data subject of the categories of personal data processed, the right to obtain a copy of the SCCs, and any onward transfers. Additionally, controllers, with the assistance of processors, are obligated to report a personal data breach to the competent supervisory authority without undue delay after becoming aware of it. In the context of controller-to-processor and processor-to-processor transfers, the new SCCs include form provisions for the appointment of sub-processors. These modules also address the liability of parties under the SCCs.
In response to the Schrems II decision, the SCCs require parties to assess (1) the specific circumstances of the transfer, such as the nature of the data, the purpose of processing and transmission channels; (2) the laws and practices of the recipient country; and (3) any supplementary safeguards. The new SCCs also prohibit onward transfers to additional recipients in third countries unless the third party agrees to be bound by the new SCCs, which may be accomplished through a docking clause that was not available in previous SCCs. There are some exemptions for onward transfers under specific circumstances, depending on the module, and to certain countries that the EC has determined to have adequate protections, including Japan and Switzerland.
The new SCCs, which become effective June 27, 2021, will not invalidate contracts under the old SCCs for 18 months after the publication of the implementing decision. However, old versions of the SCCs will be repealed three months after that publication, beyond which the old SCCs may no longer be used for new data transfers. In the meantime, companies will need to review the new SCCs, apply the appropriate module to their data transfers, and determine how they and their data sharing partners will comply with these new obligations.
[1] C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II).
[2] EEA countries Iceland, Liechtenstein and Norway, which are not EU member states, adopted the GDPR in 2018. Its requirements apply equally to the personal data of EEA persons and transfers of such data out of the EEA.