The European Commission’s New Standard Contractual Clauses: Transferring Personal Data from the EU (A Long Overdue “Take Two”)

September 16, 2021

On June 4, 2021, the European Commission adopted a new, highly anticipated set of standard contractual clauses to facilitate the transfer of personal data out of the European Economic Area (“EEA”)[1] in accordance with the European Union’s General Data Protection Regulation (“GDPR”).[2] These new clauses are a welcome development, but with only a few months to implement programs to ensure compliance with new requirements, and 18 months to update all agreements that rely on the current standard contractual clauses, companies that import and/or export data of EEA subjects must act quickly.

Background

Under the GDPR, personal data may be transferred out of the EEA[3] to a recipient located in a third country (i.e. a country outside of the EEA) only if (1) the European Commission has issued a formal adequacy decision confirming that the laws of such third country ensure an adequate level of protection for the transferred personal data;[4] (2) the parties to the transfer have provided appropriate safeguards for the data transfer;[5] or (3) the transfer is subject to a “derogation for specific situations.”[6]

To date, the European Commission has issued adequacy decisions for a handful of countries, and unfortunately, the United States is not one of them.[7] The European Data Protection Board (“EDPB”) has consistently stated that the derogations are “exemptions” and should be “interpreted restrictively so that the exceptions do not become the rule.”[8] As a result, U.S. companies seeking to receive personal data from the EEA have primarily relied on the implementation of adequate safeguards to ensure personal data is imported in accordance with the GDPR.

Prior to July 2020, the two primary methods utilized by U.S. companies to ensure adequate safeguards were (1) the European Commission’s Standard Contractual Clauses (the “SCC”), which were implemented under the GDPR’s predecessor, the European Union Directive 95/46/EC; and (2) the EU-US Privacy Shield (the “Privacy Shield”).[9]

On July 16, 2020, in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”),[10] the Court of Justice of the European Union (“CJEU”) found that the Privacy Shield did not provide adequate protection to EU citizens and held that the Privacy Shield was an invalid mechanism for satisfying the GDPR’s adequate protection requirements for transferring personal data.[11] In Schrems II, the CJEU upheld the use of SCCs for transfers of personal data to non-EEA countries, but ruled that a case-by-case analysis should be performed to determine whether, based on the data protection laws in the third country, the SCCs should be supplemented with additional safeguards in order to ensure the adequate protection of the data being transferred.[12]

In follow-up to the Schrems II decision, the EDPB issued its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” for public consultation.[13] The EDPB Recommendations were intended to “help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of assessing third countries and identifying appropriate supplementary measures where needed” by providing “a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.” [14]

In light of the limited applicability of derogations,[15] Schrems II, and the EDPB Recommendations, the European Commission recognized the pressing need to update the SCCs and published a draft set of revised SCCs for the transfer of personal data to third countries on Nov. 12, 2020.[16]

The New SCCs

On June 4, 2021, the European Commission issued a new set of standard contractual clauses designed to provide adequate safeguards for the transfer of personal data to a non-EEA country in the absence of an adequacy decision from the European Commission for such country (“New SCCs”).[17] The New SCCs are based on the old ones and thus are intended to be used “as-is.”[18] However, the New SCCs are more comprehensive than the previous SCCs and are designed to provide the parties some degree of flexibility in order to address complex data transfer scenarios.

Key Elements of the New SCCs

The New SCCs include various updates to bring them into alignment with the GDPR (e.g., purpose limitation, storage limitation and subject’s right to erasure of data).
The New SCCs are designed to permit the inclusion of more than two parties and contain an optional “docking clause” which allows third parties to be added to existing SCCs arrangements without having to execute separate contracts.[19]
Unlike the SCCs, the New SCCs can be used for transferring personal data even when the data controller or exporter is not based in the EEA.[20]
The New SCCs allow the parties to tailor the SCCs to their specific circumstances through the use of four different, self-contained “modules”: (1) controller to controller transfers, (2) controller to processor transfers, (3) processor to processor transfers, and (4) processor to controller transfers (the SCCs only provide for the transfer of personal data from either a controller to a controller or from a controller to a data processor and did so through two separate documents).
The processor modules of the New SCCs (i.e. controller to processor and processor to processor), contain all the required data processing elements of GDPR Article 28. Therefore, unlike the old SCCs, there is no need for an additional data processing agreement.
The New SCCs allow data subjects to claim compensation for damages resulting from any party who breaches the data subject’s third-party beneficiary rights. This includes the ability of the subject to make a claim directly against the data importer without first having to seek redress from the data exporter.[21] When more than one party is responsible for the data breach, each is jointly and severally liable to the data subject.[22]
The New SCCs include a “hierarchy” provision pursuant to which the terms of the New SCC take precedence over any conflicting provision in other contracts.[23]
Under the New SCCs, a party’s liability to the other party for damages is no longer limited to the other party’s actual damages.[24]
Choice of law and place of jurisdiction are no longer determined by the data exporter’s place of business. In the case of processor to controller transfers, even non-EEA jurisdictions can be considered.[25]
All parties to the New SCCs must (1) warrant that “they have no reason to believe” that the laws and practices in the third country prevent the data importer from fulfilling its obligations under the New SCCs, and (2) “declare” that the foregoing warranty is based on an assessment, documented by the parties, that considered the following factors: (a) the specific circumstances of the transfer (e.g. the type of personal data being transferred, the purpose of processing/transfer, and transfer process; (b) the laws and practices of the recipient country; and (c) any additional safeguards put in place to protect the personal data (e.g. encryption). [26]
The data importer must (1) notify the data exporter and, where possible, the data subject (with the help of the exporter when necessary) if it receives a legally binding request for disclosure of the data from a public authority; and (2) review the legality of any such request and challenge the request if it has reasonable grounds to consider that request unlawful.[27]
The New SCCs also prohibit most onward transfers to additional recipients in non-EEA countries unless the third party agrees to be bound by the New SCCs (which agreement may be accomplished through the docking clause noted above).[28]
The data subject has the right to be informed about data processing operations, to have a means to contact foreign controllers and to receive a copy of the New SCCs.
The new SCCs include form provisions for the appointment of sub-processors.

Timeline for Implementation

The ability to use the New SCCs began on June 27, 2021; however, the original SCCs may be executed and used to transfer data until Sept. 26, 2021. Starting Sept. 27, 2021, parties may only execute the New SCCs.

During a transition period from Sept. 27, 2021 to Dec. 27, 2022, parties may continue to rely on SCCs that were executed before the Sept. 27, 2021 deadline; however, the parties will still need to undertake the additional evaluation for adequacy as set forth in Schrems II and EDPB’s Recommendations and implement any necessary supplemental measures.

After Dec. 27, 2022, all data transfers relying on the SCCs, including those entered into between June 27, 2021 and Sept. 27, 2021, must be converted to the New SCCs.

Not Applicable to Data Transfers from the UK

Due to the United Kingdom’s departure from the EU in January 2020, the New SCCs do not apply to transfers under the UK’s data protection law (“UK-GDPR”).[29]

On May 5, 2021, the UK Information Commissioner’s Office (“ICO”) announced that it is in the process of drafting its own set of standard contractual clauses (“New UK SCCs”) to be used when transferring personal data outside of the UK and that it expects to release a draft version of the New UK SCCs for public consideration in the summer of 2021.[30] In drafting the New UK SCCs, ICO Deputy Commissioner Steve Wood noted that the ICF is “considering the value to the UK for us to recognize transfer tools from other countries” and that such tools which include the New SCCs.[31]

Until the New UK SCCs are implemented, parties seeking to transfer personal data outside of the UK may either continue to use the original EU SCCs, making changes so the terms make sense in a UK context[32], or use UK versions of the original EU SCCs created by the ICO (each a “Modified SCC”).[33] However, as the ICO has confirmed that the Schrems II decision will continue to apply to both of the foregoing approaches, the parties must also make an assessment as to whether, under the circumstances of the data transfer, the Modified SCCs provide protection which is “essentially equivalent” to the protections of the UK-GDPR.[34] If the protections are not adequate, the parties must put additional protection measures in place.[35]

Next Steps for U.S. Companies that Engage in Transferring Personal Data out of the EEA

U.S. companies that receive personal data of EEA subjects should not rely on their European counterparties to ensure their data transfer agreements timely comply with the New SCCs requirements. Instead such U.S. companies should promptly:

Review the New SCCs and implement processes or procedures necessary to comply with new requirements.
Identify all existing agreements involving transfer of personal data out of the EEA that utilize the old SCCs and determine if data transfer under the agreements will continue past Dec. 26, 2022. If personal data will still be transferred out of the EEA after Dec. 26, 2022, the company should determine an appropriate time to update to the New SCCs, such as when agreements come up for renewal, a new statement of work is being executed under a master agreement or other amendments are being made.
Identify agreements involving transfers of personal data out of the EEA that will be executed on or before Sept. 26, 2021 and determine whether to use the current SCCs (and convert to the New SCCs by Dec. 27, 2022) or the New SCCs. Factors to consider include present ability to procedurally implement New SCCs; status of contract negotiations/timing of project; timeframe for data transfer; and inconvenience of subsequent amendment if current SCCs are used.
Proactively engage its EEA counterparties in discussions regarding use and/or conversion to New SCCs.

Conclusion

Given the push in the U.S., both on the state and federal levels, to implement stronger personal data protection laws, perhaps the U.S. will soon obtain a favorable EU adequacy determination or the Privacy Shield will be modified and reinstated. Until then, U.S. companies involved in transfer of personal data out of the EEA will need to act quickly to operationalize the New SCCs.

[1] On June 4, 2021, the European Commission also adopted a set of standard contractual clauses to be used to establish data processing terms between controllers and processors. As the new standard clauses for international transfer also contain data processing terms, these clauses will apply primarily to entities in the EEA and are not discussed in this article. See Commission Implementing Decision (EU) 2021/915, 2021 O.J. (L199/18), https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[3] The GDPR was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels on July 6, 2018 and now applies to all EU countries and as well as Iceland, Liechtenstein and Norway. See EFTA, General Data Protection Regulation incorporated into the EEA Agreement, (July 6, 2018), https://www.efta.int/EEA/news/General-Data-Protection-Regulation-incorporated-EEA-Agreement-509291

[4] See GDPR, Art. 45.

[5] See GDPR, Art. 46.

[6] See GDPR Art. 49. Such situations include when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards” or when “the transfer is necessary for important reasons of public interest.” Id.

[7] The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection. See European Commission, Adequacy decisions – How the EU determines if a non-EU country has an adequate level of data protection, (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)

[8]European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, page 4 (May 25, 2018), https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf

[9] The Privacy Shield was designed by the U.S. Department of Commerce and the European Commission to provide US companies with a mechanism to comply with the GDPR’s adequacy requirements when transferring personal data from the EU to the US. To join the Privacy Shield, a U.S. company would self-certify its compliance and publicly commit to the Privacy Shields requirements, and, thereafter, the voluntary requirements became enforceable against such company under US law. See https://www.privacyshield.gov/Program-Overview.

[10] See C-311/18, ECLI:EU:C:2020:559, ¶¶ 199-201 (July 16, 2020) https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en

[11] At the time of its invalidation, the Privacy Shield had over 5000 members. See Focal Point Insights, Privacy Shield Is Gone: Now What? (July 28, 2020) Even though participation in the Privacy Shield is no longer sufficient to comply with the GDPR’s requirements, Privacy Shield members must still comply with their obligations under the Privacy Shield framework. See https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update.

[12] See Schrems II, ¶¶130, 133.

[13] Draft EDPB Recommendations were published on November 10, 2020 for public consideration and commentary. See EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (10 November 2021) https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf. The final EDBP Recommendations were adopted and published on June 18, 2021. See EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0 (18 June 2021) https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.

[14] Id. at 3.

[15] At a conference on January 28, 2021, Prof. Dr. von Danwitz, the judge-rapporteur for Schrems II, commented that the CJEU’s decided not to include a grace period for the invalidation of the Privacy Shield because parties could rely on the SCCs and the derogations of Article 49. He further stated that “In my opinion, the opportunities granted by Article 49 have not been fully explored yet. I believe they are not so narrow that they restrict any kind of transfer, especially when we’re talking about transfers within one corporation or group of companies.” Rob van Eijk and Gabriela Zanfir-Fortuna, Derogations May Not Be So Narrow and Restrictive After All? Future of Privacy Forum, https://fpf.org/blog/schrems-ii-article-49-gdpr-derogations-may-not-be-so-narrow-and-restrictive-after-all/. However, the personal opinions of Prof. Dr. von Danwitz are contrary to the EDPB’s longstanding position on the limited use of the derogations, including the EDPB Recommendations.

[16] See European Commission, draft Implementing Decision at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Data-protection-standard-contractual-clauses-for-transferring-personal-data-to-non-EU-countries-implementing-act-_en.

[17] See Commission Implementing Decision (EU) 2021/914, 2021 O.J. (L199/31), https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

[18] Organizations can populate the fillable sections and may supplement the New SCCs with additional terms, or add them to a larger contract, so long as the other terms don’t “directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.” Id. at Clause 2(b).

[19] Id. at Clauses 2, 7.

[20] Id. at Clause 2.

[21] Id. at Clause 12.

[22] Id.

[23] Id. at Clause 5.

[24] Id. at Clause 12.

[25] Id. at Clause 17, 18.

[26] Id. at Clause 14. The consideration outlined in Clause 14 reflect the holding of Schrems II as well as the EDPB Recommendations.

[27] Id. at Clause 15.

[28] Id. at Clause 8.

[29] See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/

[30] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/five-things-we-learned-from-dppc-2021/#sccs