The European Commission published the long-awaited final standard contractual clauses for transfers of personal information from the EU to third countries (SCCs) on Friday, June 4, 2021.
This final version follows the draft version that the Commission issued in December 2020. Companies that currently rely on the old versions of the SCCs are granted a period of 18 months (as of June 27, 2021) to implement the new SCCs.
Why do you need SCCs?
Transfers of personal information from the EU to countries outside the EU are regulated by the General Data Protection Regulation (GDPR), which requires that any personal information transferred outside the EU is awarded an “adequate level of protection.” For some countries, the European Commission has adopted an “adequacy finding” by which it declares that the laws of a specific country provide that adequate level of protection. Absent such an adequacy finding, companies that transfer personal information to a third country are required to implement other instruments to legitimize the transfer of personal information, such as Binding Corporate Rules (for internal company transfers) or SCCs.
Prior to the adoption of the new SCCs, there were three different sets of SCCs, which were adopted back in 2001, 2004, and 2010, respectively. Following the adoption of GDPR in 2018 and, most recently, the Schrems II decision, the European Commission worked on updating the SCCs. It has now published its updated SCCs, which contain a number of notable changes when compared to the old versions.
What Are the Changes?
- Modular Approach. The old SCCs provided a transfer mechanism for controller-to-processor and controller-to-controller transfers. The new SCCs combine general clauses with a modular approach to cater to various transfer scenarios. The general clauses apply to all scenarios. In addition, controllers and processors may select the module applicable to their situation, allowing them to tailor their obligations to their corresponding role and responsibilities. The new SCCs feature the following modules:
- Module 1: Transfers from an EU controller to a controller abroad (previously covered by the controller-to-controller SCCs)
- Module 2: Transfers from an EU controller to a processor abroad (previously covered by the controller-to-processor SCCs)
- Module 3: Transfers from an EU processor to a non-EU (sub-)processor (this is a new transfer scenario which the SCCs now cover)
- Module 4: Transfers from an EU processor to a non-EU controller on whose behalf it processes personal information (this is also a new transfer scenario).
Of particular note is the scenario under Module 4, which covers non-EU controllers (for example, a company in the United States) using an EU processor (i.e., the EU service provider). While the EU service provider is subject to GDPR (and therefore also the GDPR transfer restrictions), the non-EU controller is not. The SCCs for this scenario mainly seek to impose obligations on the EU service provider, acknowledging that the service provider is already subject to GDPR. The SCCs in principle impose no obligations on the non-EU controller (who is not subject to GDPR), other than the obligation to not give instructions to the processor that would interfere with its ability to comply with GDPR and to adequately protect the personal information against personal data breaches.
- Accession Feature. The new SCCs contain an optional “docking clause,” which makes it possible for additional controllers and processors to accede to the SCCs as data exporters or importers post-conclusion of the agreement. The ability to accede to the SCCs post-conclusion can be of particular relevance in cases of onward transfers and the desire to add such onward recipients to the SCCs. With the exception of non-EU controllers, data importers are required to implement appropriate transfer mechanisms (such as the SCCs) for onward transfers to countries outside the EU, including to the same country as the data importer itself.
- No Additional Article 28 Agreement. Where the new SCCs are used for transfers to non-EU processors, the respective modules already contain the required provisions and data processing terms of Article 28 GDPR. In other words, concluding SCCs with non-EU processors will also satisfy the requirement for an Article 28 agreement, and a separate Article 28 agreement will therefore not be required.
- Government Requests. Data importers (i.e., controllers and processors) are required to notify the data exporter and, where possible, the affected individuals, of requests from public authorities to disclose personal information. The previous controller-to-processor SCCs already contained a similar obligation, albeit limited to requests by law enforcement authorities. The new SCCs extend the scope of this notification obligation to cover requests by all public authorities. The notification obligation also applies if the data importer becomes aware of any direct access to personal information by a public authority. In addition, the data importer is required to review the request for legality based on the receiving country’s law and the obligations and principles of international law. If the review shows there are reasonable grounds to consider that the request is unlawful, the data importer must challenge the request and pursue possibilities of appeal, where relevant. The draft SCCs already required the data importer to assess the legality of the request based on the receiving country’s law. What is new in the final version is that the data importer must also take into account the obligations and principles of international law. Where the data importer cannot inform the data exporter of the request, the importer should still provide the greatest amount of information possible to the data exporter, which includes providing aggregate information about requests at regular intervals. The data importer should provide a minimal amount of information to the public authority.
- Breach Notifications. The previous SCCs already contained an obligation for non-EU processors to notify EU controllers of any accidental or unauthorized access. This requirement is also included in the new SCCs. However, the new SCCs provide that non-EU controllers, under the controller-to-controller portion of the SCCs, should send notification of any personal data breach concerning personal information processed under the SCCs to:
1) The EU controller from which it received the personal information,
2) The competent supervisory authority, and
3) The affected individuals, if necessary in cooperation with the data exporter.
The draft version of the SCCs required the notifications to be made where the breach is likely to result in a “significant adverse effect.” In the final version, the Commission aligned the language more closely with Articles 33 and 34 of GDPR. The non-EU data importer is required to notify the competent supervisory authority, as well as the data exporter, if the breach is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the importer must also notify the affected individuals. The obligation for one controller to notify another controller of a data breach is completely new (for example, GDPR does not contain this obligation even for EU controllers). What is also new is that the SCCs now require the non-EU controller to notify the competent supervisory authority and individuals. Such obligations are provided for by Articles 33 and 34 GDPR, but those only apply where the controller is directly subject to GDPR.
- Adequacy of Destination Country’s Laws. Similar to the previous SCCs, the new SCCs contain a warranty by each signatory that it has no reason to believe that the laws in the data importer’s country prevent the data importer from fulfilling its obligations under the SCCs, taking into account: (i) the specific circumstances of the transfer; (ii) the laws and practices of the third country; and (iii) the relevant contractual, technical, or organizational supplementary safeguards put in place (including measures applied during transmission). Unlike the previous SCCs, the new SCCs make explicit reference to the presence of additional safeguards where they would be required (language inserted pursuant to the recent Schrems II decision). The SCCs impose a duty on the exporter to make efforts to determine that the importer, through the implementation of technical and organizational measures, is able to comply with the SCCs, and a duty on the importer to provide the exporter with relevant information. In line with the Schrems II decision, the parties must document the assessment they make pursuant to these requirements and provide a copy to the competent supervisory authority upon request.