By Ellen Xu
The European Commission (the “Commission”) adopted two sets of Standard Contractual Clauses (SCCs) on June 4, 2021: one set for controllers and processors, and another set for international transfers. These new SCCs have been long anticipated, especially following the Schrems II decision, in which the CJEU found the EU-US Privacy Shield was invalid, and obligated businesses to conduct transfer impact assessments and implement additional safeguards if necessary, in addition to relying upon SCCs for international data transfers.
A Quick Recap
When transferring data from within the European Union (EU) to a jurisdiction outside the EU, such transfers may only take place if:
1) The receiving jurisdiction is officially recognized by the Commission as adequately privacy protective (i.e. the receiving jurisdiction has privacy laws in place that would provide similar protections to data as the GDPR would); or
2) Both controllers and processors put in place appropriate safeguards to protect the data, and on the condition that enforceable rights and effective remedies for individuals are available.
Standard Contractual Clauses adopted by the Commission are one type of safeguard that can be employed to permit international data transfers to take place.
Specifically for transfers from the EU to the US, one of the other methods by which international data transfers were permitted to take place was under the EU-US Privacy Shield framework. This framework was invalidated in July 2020 in the Schrems II, in which the Court of Justice of the EU upheld the validity of SCCs but stated that there must be protections in place in the receiving jurisdiction, specifically with regard to access by public authorities and judicial redress.
The New SCCs – An Overview:
The two sets of SCCs recently adopted by the Commission are more significant than previously adopted SCCs because they are the first SCCs adopted since the arrival of both the General Data Protection Regulation (GDPR) and the Schrems II decision. The Commission adopted a risk-based approach that tries to balance between the need to comply with the decision in Schrems II, while still allowing international data transfers to continue to take place, even to the US.
What’s Different?
The new SCCs apply to all data exporters that are subject to GDPR, regardless of whether they are established in the EU, whereas prior SCCs were not available to non-EU data exporters that were still subject to the GDPR.[1]
To cover all types of data transfers, the new SCCs comprises of a modular set of clauses under clause 8 of the Annex that would apply to the data transfer, depending on the role of the two parties:[2]
Module 1: Controller-to-controller (C2C) transfers
Module 2: Controller-to-processor (C2P) transfers
Module 3: Processor-to-processor (P2P) transfers
Module 4: Processor-to-controller (P2C) transfers
Previously adopted SCCs did not cater to either P2P or P2C data transfers. The modular structure allows the data exporter to easily customize their agreements by choosing the module that applies to their type of data transfer relationship and use only the clauses specific to that module.
The new SCCs also allow for multiple data exporting parties to contract,[3] and for new parties to be added to them over time beyond the initial signatories, in the “docking clause”.[4]
To allow organizations a chance to read and make any changes necessary for compliance with the new SCCs before adopting them in practice, there is a transition period of three months, during which prior SCCs can continue to be used for “new” data transfers.[5]
Schrems II
The Commission adopted a risk-based approach as their response to the Schrems II decision. The data exporter must warrant that it has used “reasonable efforts” to determine that the data importer in the receiving jurisdiction is able to satisfy its obligations under the SCCs,[6] and that it has “no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements”.[7]
In giving this warranty, the parties must “take due account” in particular of:
1) “the special circumstances of the transfer”,
2) “the laws and practices of the third country of destination”, and
3) “any relevant contractual, technical or organi[z]ational safeguards put in place to supplement the safeguards under [the SCCs]”.[8]
This assessment must be documented and made available to competent data protection authorities on request. However, the assessment “may include relevant and documented practical experience with prior instances of request for disclosure from public authorities, or the absence of such requests.”[9]
Key Takeaways
The new SCCs appear to be more comprehensive, accounting for all types of data transfers. While it does not reduce the burden placed on businesses to undertake transfer impact assessments that are often costly and time consuming to conduct, it does offer better guidance and clarity as to how to complete such assessments, and what the expectations for such assessments.
[1] EC, Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevant), [2021] OJ, L 199/31 at 32. [SCCs for International Transfers]. [2] Ibid at 39. [3] Ibid at 32. [4] Ibid at 38. [5] Ibid at 35. [6] Ibid at 39. [7] Ibid at 52. [8] Ibid at 52-53. [9] Ibid at 53.
Kommentare