European Commission’s standard contractual clauses: extensive new requirements coming for US businesses receiving EU personal data subject to GDPR
On June 4, 2021, the European Commission released the final Implementing Decision on standard contractual clauses (New SCCs) for the transfer of personal data from the EU to “third countries” such as the US. The New SCCs will repeal and replace the existing SCCs (dating from 2001, 2004 and 2010) and address the entry into force of the General Data Protection Regulation (GDPR) and the July 16, 2020 decision of the European Court of Justice (CJEU) in Schrems II, which invalidated the EU-US Privacy Shield.
The New SCCs broadly follow the draft implementing decision on standard contractual clauses (Draft SCCs) issued by the European Commission on November 12, 2020, but there are some material differences. The Draft SCCs’ significant and extensive new requirements for data importers that act as controllers (for example, obligations to give notice to data subjects and to notify personal data breaches to EU authorities) remain, but have been aligned more closely with the GDPR requirements.
While the New SCCs are not immediately in force, compliance with them will be required for new transfer agreements entered into from late September 2021. SCCs currently in effect must be replaced with the New SCCs by late December 2022.
We highlight the following key features:
- The New SCCs include new and significant obligations for data importers, particularly importers acting as controllers, reflecting GDPR requirements.
- The New SCCs include clauses for processor-to-processor and processor-to-controller transfers, which are types of transfers that the existing SCCs don’t expressly cover, as they are limited to controller-to-controller and controller-to-processor transfers.
- The New SCCs effectively consolidate all four sets of clauses into one document, allowing controllers and processors to select the relevant clauses that apply on a modular basis (although in practice it will be advisable to create one set of clauses for each type of transfer, i.e., controller to controller, controller to processor, processor to processor and processor to controller).
- Importantly for US businesses, the New SCCs also contemplate use by non-EU established data exporters to the extent the processing is subject to the GDPR pursuant to the extraterritorial reach of GDPR Article 3(2).
- Reflecting widespread practice in the market, the New SCCs facilitate multi-party use, and include an optional “docking” clause, allowing additional controllers and processors to accede to the clauses throughout their term.
- The New SCCs include Article 28 GDPR processor terms, addressing a gap in the existing SCCs, which were drafted long before the GDPR requirements for minimum processor terms came into force.
- The New SCCs contemplate the ability in some circumstances to select the governing law and choice of jurisdiction of any EU member state. This will be helpful when the SCCs cover multiple originating country transfers.
- Last but not least, the New SCCs address the concerns raised by the CJEU in Schrems II, including requirements to apply additional transparency and notification controls covering government access requests, and to carry out and document an assessment of the laws of the third country to confirm that the local law in the importing country does not prevent the importer’s compliance with the terms in the SCCs, having regard to the circumstances of the transfer and any additional safeguards adopted.
The New SCCs were released on June 4 but will only enter into force 20 days after official publication in the Official Journal of the European Union (the effective date). This is expected to take place within the coming days.
- Three months after the effective date – circa late September 2021 – the existing SCCs will cease to be valid for future use (the repeal date).
- During this transition period, controllers and processors can enter into either the new or the legacy SCCs.
- Fifteen months after the repeal date – circa late December 2022 – use of the existing SCCs must stop altogether.
- The New SCCs include new and significant obligations for data importers, particularly importers acting as controllers. Adopting and complying with the New SCCs may require considerable effort for these importers, particularly those that are not otherwise directly subject to GDPR. For organizations that are not currently complying with GDPR, but will need to enter into the New SCCs, time is short to put into place what in essence will be a scaled-down version of a GDPR compliance program.
- Businesses that are or will be carrying out processing of personal data that will be subject to the New SCCs will need to assess data flows and transfer arrangements and be ready to enter into the New SCCs. For new transfers, this may need to be completed within the three-month period from the effective date.
- For existing SCCs, there’s effectively an 18-month period from the effective date to adopt the New SCCs. Controllers and processors should determine which data transfers will continue beyond the transition period and require entering into the New SCCs.
- In light of the Schrems II decision and the EDPB (draft) Recommendations, the New SCCs require the parties to warrant that they have no reason to believe that the laws and practices in the destination country prevent the importer from fulfilling its obligations under the New SCCs. The New SCCs also require the parties to assess transfer risks, including those specific to the destination country. EU authorities are already enforcing compliance with the Schrems II decision, so parties to the existing SCCs that have not already done so will need to conduct and document risk-based assessments of the laws in the destination countries without delay. These assessments must be revised if the relevant legal framework changes, and made available to supervisory authorities for review on request. If the assessment fails to confirm an equivalent level of protection, or a change in law means that level of protection is no longer guaranteed, the data exporter is obliged to suspend the transfer and has the right to terminate the contract.
- Although the New SCCs contain a number of provisions to deal with the Schrems II decision, businesses will need to consider whether any additional safeguards are required to protect personal data in the destination country, in accordance with the CJEU judgment. The New SCCs should be used taking account of the EDPB Recommendations, the final version of which is yet to be published; therefore, there may be situations where additional supplemental measures will need to be implemented in order to ensure that data subjects are afforded a level of protection that is essentially equivalent to that guaranteed within the EU.
- Because the New SCCs contain GDPR Article 28 compliant terms, there may be an impact on data processing addenda or agreements (DPAs) already in effect in conjunction with the SCCs. Because the New SCCs cannot be modified and because they will take precedence over other contract provisions, this may lead to changes in standard DPAs to remove conflicting provisions. This could usher in a move towards greater standardization of DPAs, based on the processing terms contained in the New SCCs. Further impacting this will be the new standard clauses published by the European Commission to address the contractual requirements under GDPR Article 28. These Article 28 Clauses were also published on June 4, 2021, and while the terms will not be mandatory, expect a gradual move towards standardization.
- The New SCCs will not apply to transfers of personal data from the UK to a third country. Data exports from the UK should continue to be based on the existing SCCs until the UK publishes its own SCCs. Consultation on those is expected to take place this summer. Businesses operating in both the EU and the UK should note that different SCCs will apply for each.
- Transfers from the EU to the UK continue to be covered by the EU-UK Trade and Cooperation Agreement, which provides a six-month “bridging period” to allow transfers to continue to the UK without the need for any additional measures (such as the New SCCs). The European Commission still needs to confirm whether it will finalize approval of the draft decision to grant UK adequacy.
Given the potential extent of the obligations created by the New SCCs, and the limited transition periods, businesses will need to act quickly to analyze their current compliance with the New SCCs, the nature of their data transfers, and the correlating contractual obligations, in order to adopt or update their GDPR compliance program, develop a strategy for updating templates to include the New SCCs, and ultimately conclude New SCCs for current and ongoing transfers.
The DLA Piper Data Protection, Privacy and Security team is planning live and on-demand webinars and creating supporting tools, guidance notes and templates to provide practical help to clients in addressing these changes in the coming weeks, building on our data transfer assessment methodology. More information will be available in the coming days. To learn more about the implications of this development, please contact our Data Privacy team via PrivacyGroup@dlapiper.com.