European Commission adopts the new standard contractual clauses
On 4 June 2021, the EU Commission published the long-awaited updated versions of the standard contractual clauses (SCCs) for personal data transfers both within the EEA and outside of the EEA. This transfer tool was seen as the most practical one for the majority of data transfers until the Schrems II ruling made its use burdensome. The previous SCCs were also outdated and did not correspond to the new reality established by the GDPR.
New data transfer relations covered
Unlike the previous sets of SCCs that covered different types of data transfers, the new SCCs have a modular structure that allows the parties to choose the appropriate set of provisions for the particular scenario within one agreement. These modules cover the following transfers:
- controller (EU) to controller (outside the EU)
- controller (EU) to processor (outside of the EU)
- processor (EU) to controller (outside of the EU) (new) and
- processor (EU) to processor (outside of the EU) (new)
The SCCs can also be used for multilateral data transfer relations and allow new parties to the transfer to accede to the already executed agreements.
You don’t understand GDPR wording? The new SCCs may be of help
Compared to the GDPR, the new SCCs set out the obligations of the data exporter and data importer in plainer and more straightforward language. This makes it easier for the contractual parties to understand and follow their obligations.
Risk assessments of importing country remain mandatory
The SCCs were designed to address the Schrems II ruling by way of providing the contractual parties with the right to control if and how the non-EU public authorities may access personal data transferred from the EU. Basically, the transfer impact assessments (TIA) performed by the parties after the Schrems II ruling have now been fixed in the SCCs as well.
The updated assessment (additional to the specific circumstances of the transfer and the technical or organisational safeguards as compared to the previous SCCs) shall include the assessment of the laws and practices of the importing country. That includes those requiring the disclosure of data to public authorities or authorising access by such authorities, and the applicable limitations and safeguards. Such assessment should also consider the previous experience of the data importer in dealing with data access requests, case law and reports by independent oversight bodies.
Received request for access from local authorities – inform the data exporter
Data importers would be obliged to inform the data exporters about legally binding requests from competent authorities of the data importing country to access personal data. Data importers would also be expected to do their best to waive any potentially applicable prohibition on informing the data exporter about such a request.
You are a data subject? Send your requests directly to the data importer
The updated SCCs provide data subjects with new rights to file requests directly with the data importer. The scope of the data importers' obligations to respond to such data subject requests varies depending on the scenario.
For the controller-processor and processor-processor scenarios the updated SCCs impose liability for violations of data subject rights on the EEA data exporter. This means that non-EEA processors and sub-processors cannot be held liable for their violations by the EU supervisory authorities. However, this, of course, does not mean that the data importer will not or cannot be held liable in such cases. Data exporters are likely to include respective liability clauses in the agreements with the non-EU importer, including damage compensation for any liable behaviour causing damage to the EU exporter.
When enforced and applicable
The EU Commission decision approving the new SCCs will come into effect 20 days after the updated SCCs are published in the Official Journal of the European Union. The transition period will be 18 months after the official publication of the SCCs. The obligation to re-execute the SCCs would apply also to those relations where the data transfer is already completed but the data is still being processed by the data importer.
Organisations that actively used the old version of the SCCs for cross-border data transfers should start preparing themselves for the new reality regardless of the prolonged transition period. The steps to take may include:
- map all cross-border data transfers, including the ones where the data transfer is already completed but the data processing by the data importer is still ongoing
- identify data transfers based on SCCs
- continuously perform obligatory TIAs of transfers to third countries
- re-execute the existing agreements and replace relevant clauses with the new SCCs
On a separate note, it should be kept in mind that the newly adopted SCCs will not cover the transfer of data from the UK to outside the UK. The UK data protection authority (ICO) is currently preparing its own contractual clauses for public consultations independently from the EU regulations.