Still in the grip of the GDPR – New Standard Contractual Clauses Aim to Enhance the Security of International Data Transfers
I. Data Transfer Outside the EU – a Brief Overview
Transferring data outside the European Union (i.e. to third countries) has always been a delicate issue for all organizations. In case personal data leaves the EU in any way (even if this only means that data is being stored on servers located in a third country), it is not enough to simply adhere to the "general" rules of the GDPR, but compliance must also be ensured with the requirements set forth in Chapter V of the regulation.
Based on these requirements, transferring data to third countries is only allowed if the level of protection of personal data ensured in the EU is sustained even after the transfer.
As a general rule, in the absence of a general adequacy decision issued by the European Commission covering the country of destination, the controller (or processor) must ensure that such transfers are subject to appropriate safeguards. Chapter V of the GDPR provides a number of possibilities to achieve this, such as using binding corporate rules (so-called "BCRs") in case of intracompany data transfers, relying on the EU-US Privacy Shield for transfers to the United States (prior to July 16, 2020 – see below), or employing Standard Contractual Clauses (SCCs) entered into by and between the data exporter and the data importer.
The use of BCRs is a rather costly and time-consuming solution and is only possible in case of intracompany data sharing – i.e. they cannot be used by entirely independent parties. Using SCCs, on the other hand, offered a much cheaper, faster, and universally applicable solution for data controllers. The parties would simply fill in the relevant parts of the "model contracts" included in the Annex of the Commission Decision of 2001 (on data sharing between controllers) or the Decision of 2010 (on controller to processor relations), accept them as binding and thereby ensure compliance with the Data Protection Directive and later the GDPR. However, the SCCs became obsolete in light of the GDPR, since they did not offer sufficient flexibility to companies in many respects and the level of actual protection they provided also proved to be questionable.
II. Schrems II – the European Court of Justice Intervenes
The so-called Schrems II judgment of the Court of Justice of the European Union (ECJ), published on July 16, 2020, complicated the situation even further, as it annulled the EU-US Privacy Shield Agreement [specifically, it invalidated Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 declaring the adequacy thereof]. Furthermore, the ECJ also declared that data controllers must themselves proactively assess whether the means they use, for example the standard contractual clauses applied within the scope of their contractual framework, are in fact sufficient to ensure the level of protection guaranteed by the EU.
The Schrems II judgment has thus resulted in a “vacuum” regarding international data transfers, as the ruling simultaneously barred data controllers from the possibility to rely on the EU-US Privacy Shield and made it questionable whether compliance with the GDPR can be maintained by simply applying standard contractual clauses.
III. The Way Forward – Adoption of New Standard Contractual Clauses
Commission Decision 2021/914 aims to – at least partially – resolve the above uncertainty. The Decision sets out new standard contractual clauses which address the issues raised by the Schrems II judgment. These new clauses replace the previous decisions, which by now have proven to be rather outdated and no longer reflect the complexity of data processing operations.
The document includes model provisions for four "data processing scenarios":
- controller to controller transfers;
- controller to processor transfers;
- processor to (sub)processor transfers; and
- data sharing between processors and controllers.
The decision entered into force on June 27, 2021; however, the following two dates will bear more significance for companies:
September 27, 2021: from this date, the SCCs set out in the 2001 and 2010 Commission Decisions will no longer be applicable, meaning that parties can no longer apply these terms in their contractual relationship (i.e. between June 27, 2021 and September 27, 2021, the old SCCs will still be available, but the new ones can also be used).
December 27, 2022: this is the date until which data transfers made under the previous SCCs are still considered compliant, i.e. companies must amend their contracts involving the transfer of personal data by this date at the latest – provided that the data processing operations remain unchanged up until this point.
The 2022 date can therefore be regarded as a “grace period” for businesses to adapt their contractual structures to the new rules. This however is not limited to simply amending contracts and concluding new ones, but – in light of the new SCCs and the Schrems II judgment – it shall in many cases also entail a detailed assessment of how the obligations of the recipient of personal data imposed on the latter by the rules and regulations of the given third country affect compliance with the SCCs.
IV. Novelties of the New Standard Contractual Clauses – Guarantee of Actual Compliance
The new SCCs, with their modular structure, aim to provide adequate provisions for all data processing scenarios, and set out in detail the rights and obligations of the contractual parties, as well as the applicable rules on liability.
As a precondition for the conclusion of the contract, the data exporter must verify (by way of examining the legal system and the practices of the authorities in the country of destination, as well as other factors) that the recipient of the personal data will actually be able to comply with its contractual obligations, i.e. provide an appropriate level of protection. As a consequence, the practice of treating the standard contractual clauses as “just some formal paperwork” can no longer be followed. It may very well be the case that an extensive country-by-country impact assessment will have to precede any contracting and transfer process.
Clause 15 of the decision can be regarded as a direct response to the extensive access rights of US intelligence services and other authorities, which constitute a serious concern from a European point of view and played a prominent role in the Schrems II judgment.
Under these contractual clauses, if a request is made by a third country authority for access to personal data that falls under the scope of the GDPR, the data importer is obliged to:
- notify the data exporter of this without delay;
- review the legality of the authority's request and if necessary, exhaust all available legal remedies; and
- provide only the minimum information required for compliance.
If it is established that the data importer cannot comply with the contract, data transfer must be suspended and, in severe cases, the contract can be terminated.
V. Conclusion – the Price of Increased Protection
To summarize: the new contractual clauses adopted by the European Commission are a welcome change regarding the protection of the privacy of Europeans. However, for some companies the new regime also means that a considerable effort will have to be made to review their data processing activities and adapt them to the modified legal background.
While the Decision provides a seemingly generous 18-month preparatory period for market participants, we definitely do not recommend waiting until the last minute, as in the light of the above, ensuring compliance will require a deeper level of assessment and planning, and cannot be limited to the simple amendment of the relevant contracts.