EU standard contract clauses bolstered for international data flows

Out-Law News | 04 Jun 2021 | 1:52 pm

The European Commission has published updated standard contractual clauses (SCCs) to support the transfer of personal data outside of the EU by businesses and other organisations.

The SCCs can be inserted into commercial contracts. They govern the handling and safeguarding of personal data by those importing personal data from the EU in countries outside the European Economic Area (EEA) and are designed to help EU exporters of the data to comply with the strict conditions that apply to non-EEA data transfers under EU data protection law.

The revised EU-SCCs replace those first adopted by the European Commission in 2004 and 2010 and reflect the changes to data protection law implemented by the General Data Protection Regulation (GDPR) in 2018. In addition, the new SCCs seek to address concerns raised by the Court of Justice of the EU in the so-called “Schrems II” judgment.

“The EU-SCCs are, by far, the most important instrument for international transfers of personal data from the EEA to third countries,” said Andre Walter, an Amsterdam-based data protection law specialist at Pinsent Masons, the law firm behind Out-Law. “The same applies for the UK-SCCs, that are expected to be released by the UK’s Information Commissioner’s Office (ICO) for public consultation during the second half of June.”

“With the European Data Protection Board also expected to finalise its post-Schrems II guidance on international transfers this month, the steps that organisations need to take to share data cross-border should become much clearer,” Walter said.

Organisations planning to rely on SCCs for international transfers of personal data from the EEA are likely to be required to adopt the new SCCs from the end of September onwards – the Commission’s decision adopting the new SCCs will have legal force 20 days after its publication in the Official Journal of the EU, and there is a three-month period from that date before it becomes effective. For existing data transfers based on the old SCCs, organisations will have a further 15-month grace period to transition from the existing SCCs to the new SCCs, provided the related master service agreements remain unchanged.

“The grace period means no immediate actions are required in respect of existing SCCs in operation, but with just months to transition to the new clauses businesses should start planning now for the change,” Walter said.

Walter said that one of the biggest changes with the new EU-SCCs is that they can be applied to data transfers in a wider number of business relationships, which he said “reflects the organisational realities of cross border flows relevant to global services and the digital economy”.

The old SCCs only governed transfers from controllers to other controllers and controllers to processors. The new EU-SCCs can be used to legitimise transfers between independent data controllers; controllers and other controllers; processors and other processors or sub-processors; and processors back to controllers too.

Walter said: “In other words, the new structure of the clauses facilitates transfers between multiple data importer and exporter parties in one single agreement, as envisaged under Article 46 of the GDPR. This includes data processors acting as data exporters – which hadn’t been supported by the previous SCCs and has been problematic ever since the GDPR imposed restrictions directly on processors for the first time.”

“Additional SCCs have been published by the Commission to underpin data sharing between controllers and processors, as envisaged under Articles 28 and 29 of the GDPR,” Walter said.

Another major change is the introduction of a ‘docking clause’ that will allow new parties to accede to an existing transfer agreement and bind them to the terms of the SCCs, either as a data exporter or as a data importer.

Walter said that the new EU-SCCs have been designed in a way to address issues highlighted in the CJEU’s ‘Schrems II’ ruling, as well as the related draft guidance the European Data Protection Board has produced on additional safeguards that may be required.

“In line with the Schrems II ruling, the draft new SCCs require organisations to assess local laws in countries where data is being exported to determine if the level of protection is essentially equivalent to that guaranteed within the EU,” Walter said. “In this context, the revamped SCCs contain additional requirements on assessing third-country laws, transparency on disclosure requests of public authorities in those countries and notification of the exporter and/or supervisory authorities on possible non-compliances with the obligations under the SCCs, as well as enhanced associated documentation requirements.”

“Unlike the draft EDPB guidance, which is expected to be finalised this month, the SCCs do, however, permit organisations transferring data to third countries to assess the risks of the transfer in light of the specific circumstances of the transfer, including the nature of the data transferred, the type of recipient, the purpose of the processing. Even any reliable information on the application of the third-country law or documented practical experience of the data importer or exporter indicating the existence or absence of prior instances of disclosure requests from public authorities can be included in the risk assessment. It will be interesting to see whether or not the EDPB softens its guidance to allow for such a risk-based approach in assessing the lawfulness of transfers,” Walter said.

London-based data protection law expert Jonathan Kirsop of Pinsent Masons explained how the new EU-SCCs will impact UK-based businesses.

Kirsop said: “For UK businesses, it should be noted that the new SCCs are – of course – directly effective in respect of data transfers from the EEA only. The UK ICO though is expected to release its own version of the SCCs for transfers from the UK imminently. While there may be some local nuance, these are widely expected to follow the principles and scope of this new set of EU-SCCs. Further consideration will be needed where organisations transfer data from both the EU and UK to third countries, and wider guidance from the regulators welcome on whether one set of SCCs based on the EU version would represent an effective instrument ensuring protection under both the UK and EU GDPR. At this stage, UK businesses would not be required to execute SCCs as importers but this is contingent on the Commission’s draft adequacy decision being ratified by the end of this month.”

Walter said that the publication of the new EU-SCCs should spur businesses to map their data sharing and transfer activities, assess the risks of the transfers in light of the specific circumstances of the transfers and take measures accordingly, and stay informed on further EU and UK developments.

Pinsent Masons is hosting an online event on 24 June on the new SCCs and what they mean for data transfer between the EEA, UK and third countries. There is free registration for the event.