The final Implementing Decision on the new EU standard contractual clauses for the transfer of personal data to third countries (‘New SCCs’) was published on June 4th 2021. Below follows our guide to the changes you need to be aware of, together with pragmatic actions that SME businesses should consider.
Standard contractual clauses (SCCs) are one of the key mechanisms for transferring personal data from EU/EEA based companies to third countries. If your business passes data outside the EU that is considered personal under the General Data Protection Regulation (GDPR), then you need to make sure you are using one of these contracts. The European Commission recently adopted two sets of standard contractual clauses: (i) one for use between controllers and processors within the EU and (ii) one for the transfer of personal data to third countries outside the EU.
The newly published SCCs reflect new requirements under the GDPR and address the realities faced by modern businesses, as well as the impact of complying with the Schrems II judgment of the Court of Justice.
(Schrems II is the judgment that held that the US Privacy Shield did not provide personal data protection equivalent to that of the EU; see https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf for details.)
As pointed out by the European Commission, the New SCCs will offer more legal predictability to European businesses and help SMEs in particular to ensure compliance with the requirements for safe data transfers, while allowing data to move freely across borders without legal barriers. They also provide companies with an easy-to-implement template: companies know that when they use this template they meet data protection requirements.
(See the Annex at the end of the announcement for the template: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj)
Background and structure of New SCCs
On November 12th 2020, the European Commission published a draft Implementing Decision (‘Draft SCCs’) consisting of the decision with its reasoning and the actual clauses. Now that the final version has been published, it will be in force from June 27th 2021 (20 days after its publication).
The first goal of the changes is to adapt the terms to the GDPR, since the previous clauses were drafted under the earlier Data Protection Directive and therefore had to change. More importantly, the changes address known deficiencies in the current SCCs, such as catering for data transfers by EU processors to sub-processors, a big gap in the past, and from EU processors back to their instructing controllers. Finally, the transfer clauses also try to reflect the requirements set out by the European Court of Justice in Schrems II.
Key innovations of the new standard contractual clauses
Firstly, updates in line with the GDPR. The New SCCs impose GDPR-like obligations on the importer (the organisation receiving personal data to process), including:
(i) increased transparency obligations (in particular in the controller-to-controller module) and a requirement for clear and plain language (in line with Article 12 GDPR);
(ii) some data subject rights (such as access, erasure and the right to object to processing for direct marketing).
However, the GDPR is not shifted wholesale onto importers: the more burdensome provisions on records of processing activities and data protection impact assessments are not included.
Onward transfers are also addressed, and more strictly: for example, the controller-to-controller (C2C) module requires a third party receiving data onward from the importer to accede to the SCCs. In general terms, control extends along the whole supply chain wherever there is a known EU entity to which the GDPR applies. This means you have greater control over how an importer (a non-EU data processor) must protect your data when it uses sub-contractors or sub-processors to provide its service.
The second peculiarity is the ‘one single entry-point’ covering a broad range of transfer scenarios, instead of separate sets of clauses. There is now a single set of standard protection clauses with several modules and choices that have to be made, so implementing them is not just a copy-paste exercise. There are also substantial obligations on the exporter (the organisation sending the data, usually a data controller) to check the ability of the data importer to comply with the clauses. Since the Implementing Decision does not refer to any sort of checklist, it is up to the data exporter to decide how to check the compliance of the data importer.
Furthermore, the clauses are drafted to cover multiple scenarios and multiple parties, which can join the terms. This provides more flexibility for complex processing chains through a ‘modular approach’ and allows more than two parties to join and use the same clauses.
The most important extension is the addition of specific “processor to sub-processor” (P2SP) and “processor to controller” (P2C) terms. These cover types of transfer (P2SP and P2C) that the previous version of the SCCs did not address at all. The modular approach uses one set of terms for all four scenarios that are now covered (C2C, C2P, P2SP and P2C): general terms apply to every transfer, while module-specific terms distinguish between the four scenarios.
The terms of the New SCCs also try to address the obligations that the CJEU imposed in Schrems II. In particular, there is a practical toolbox for complying with the Schrems II judgment: an overview of the different steps companies have to take to comply with the judgment, as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary.
Timing and its impacts on businesses
The new SCCs become effective 20 days after publication, i.e. on June 27th 2021. The previous version of the SCCs can still be used for three months after the new SCCs come into force. From that time, a transition period of 15 months is provided for controllers and processors currently using the previous sets of standard contractual clauses, i.e. until December 27th 2022.
This may seem like a long time, but the migration is not a trivial copy-paste exercise. The SCCs are embedded in data processing agreements and often also in complex commercial contracts, so businesses will have to assess which provisions of their existing data processing agreements are not covered by the new standard contractual clauses. Businesses will then have to re-negotiate these contracts between the parties accordingly.
The new standard contractual clauses provide for a mandatory data transfer impact assessment to be carried out by the contracting parties. Both parties have to warrant that they have no doubts that the requirements of the data importer’s country comply with European standards. However, as stated above, the burden of ensuring that the importer is able to comply falls on the exporter (you). Barriers to compliance could range from the importer not being able to afford the changes, through country-specific laws, to the ability to ensure that the importer's own supply chain can also comply. Businesses will therefore have to run assessments to mitigate any liability caused by such inability to comply.
Since control extends across the whole supply chain and not just your own direct transfers, even B2B companies are affected if the ultimate entity to which they provide the service processes personal data, because the SCCs also apply between processors and sub-processors. There will therefore be a reshuffling of all the relationships between the parties in the chain, many of which the controller has no existing relationship with, so 15 months is short to resolve the issues. Our advice is to get started as soon as possible and assess your risk and the practical solutions for any issues.
Our 3 step guide of actions businesses should take with the new EU SCCs
Here are our recommended 3 steps to get you started:
Step 1 Evaluate
Evaluate your data, business processes and suppliers, and identify focus areas: low-hanging fruit that can be simplified, and cases with high business impact or risk, so that you know the complexity of the work.
Identify where you have international data transfers for small or non-essential / non-critical services and look to consolidate them or consume those services from inside the EU. This will simplify your task and reduce your liability.
For essential / critical services, where you may be committed by contract, technical capability or financial implications, review your data mapping records to determine in which cases or processes the new standard contractual clauses need to be applied.
Prepare an evaluation template and use it to evaluate each case or service where new SCC measures will apply. Grade each evaluation in terms of level of risk, business impact and complexity so that you can work through the biggest issues first. Keep these records, with dates and parties, as part of your ROPA (GDPR records of processing activities) to prove that the evaluation process was done.
Step 2 Focus and resources
Once you have your focus, engage a virtual team. You will probably need support from your legal team, commercial procurement, and supplier and partner managers, so make sure they are aware of what needs to happen. With their support, assess the contracts in place, check whether the SCCs are compatible, look for areas where new provisions (like supply chain compliance) apply and start your evaluations. Include your data importers and data processors in your work as early as possible.
Step 3 Supplementary measures and Remedies
If you, as a data exporter, are using the SCCs you must warrant that you have “used reasonable efforts” to determine whether data importers can, “through the implementation of appropriate technical and organisational measures,” fulfil their obligations under the SCCs. Protections to help secure personal data must be in place during and after the transfer. This means that not only do you have to evaluate your suppliers' ability to comply, you must also ensure that the safeguards are in place and under your control, and you must have the capability to “remedy” a situation where an importer does not comply with the SCCs or your privacy contract terms.
While “remedy” can mean resorting to legal instruments, many consider this complex and it could take years. Many organisations are therefore looking at technical measures that allow them to suspend or revoke processing immediately upon breach of terms. Supplementary measures such as data encryption, which secures the data, prevents data breaches and controls the flow, are therefore measures you should consider.
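The kind of technical remedy described above, as an added example that is not Privacy1's product or code: each personal-data field is encrypted per importer under a key the exporter keeps, so revoking that key on a breach of terms makes the fields already transferred unreadable without recalling the data. The `KeyStore` type, its methods and the importer names are assumed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is held by the exporter: one AES-256-GCM key per importer (assumed design).
type KeyStore map[string]cipher.AEAD

// Enrol issues a fresh key to an importer, e.g. a non-EU processor.
func (ks KeyStore) Enrol(importer string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return err
	}
	ks[importer], err = cipher.NewGCM(block)
	return err
}

// Revoke is the technical remedy: all fields shared with the importer become unreadable.
func (ks KeyStore) Revoke(importer string) { delete(ks, importer) }

// Seal encrypts one personal-data field; the field name is bound as AAD to stop column swaps.
func (ks KeyStore) Seal(importer, field string, value []byte) ([]byte, error) {
	g, ok := ks[importer]
	if !ok {
		return nil, errors.New("importer not enrolled or key revoked")
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, value, []byte(field)), nil
}

// Open returns an error once the importer's key has been revoked.
func (ks KeyStore) Open(importer, field string, ct []byte) ([]byte, error) {
	g, ok := ks[importer]
	if !ok || len(ct) < g.NonceSize() {
		return nil, errors.New("key revoked or ciphertext malformed")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(field))
}
```

Only the personal-data columns need to go through Seal; non-personal columns can stay in clear, which matches the point that the whole data estate does not have to be encrypted.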
At Privacy1, we have solutions that provide smart data protection. You do not need to encrypt your whole data estate, just the personal data itself. The controls are privacy aware, so you can manage how your data can be used by processing purpose, data subject consent, and of course in this case by data importer/processor. See more at https://www.privacyone.co/zero-trust-data-protection
Source: European Commission, ‘European Commission adopts new tools for safe exchanges of personal data’, available at https://lnkd.in/dHbpAhX, June 4th 2021.