New Standard Contractual Clauses – what do you need to know?

On 4 June 2021 the European Commission published the new Standard Contractual Clauses for international transfers (new SCCs). The old (existing) SCCs pre-dated the General Data Protection Regulation (EU) 2016/679 (GDPR) and so it was necessary to update the SCCs to bring them into line with GDPR concepts and requirements, as well as to try to take into account Schrems ii related developments. The aim of the new SCCs is to “ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 [aka the GDPR] is not undermined where personal data is transferred to third countries, including cases of onward transfers.”

The new SCCs are modular, designed to offer more flexibility and reflect the reality of the digital economy, where in practice many parties may be involved in complex processing chains. The four modules available now cover:

• Controller to controller
• Controller to processor
• Processor to processor, and
• Processor to controller

There is also the docking clause (clause 7), which allows additional parties to sign up to the new SCCs with the agreement of the parties and to do so by completing the Appendix - with details of the transfer, technical and organisational measures implemented and a list of sub-processors where relevant - and signing Annex 1.A.

The Schrems ii provisions, namely clauses 14 and 15, are a welcome addition to the new SCCs and provide further detail as to what is expected and how you can evidence compliance when transferring data to third countries who do not hold EU adequacy. 

Lots has been written already about the new modular structure of the new SCCs as well as about the new content (for instance the additional transparency obligations). In this article we explore some of the more strategic planning considerations that the new SCCs raise. At our event on the new SCCs on 30 June (see below for more information) we will run through how the clauses work as well as discussing the next steps for businesses.

What are the timeframes?

The new SCCs were published in the Official Journal on 7 June 2021, which means they come into force, and are usable, on 27 June 2021.

Three months after that, i.e. 27 September 2021, the old (existing) SCCs are repealed.

If, however, old (existing) SCCs have been put in place at any point prior to the September date you can still rely on those old SCCs for a further 15 months, i.e. until 27 December 2022, provided that there are no changes to the “processing operations that are the subject matter of the contract” and “reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”.

This is some welcome flexibility from the European Commission and gives some time for controllers and processors to work out what is what and what approach to take.

Of course, there is no right and no wrong answer to the approach to take, it will depend largely on what data you are transferring, what is the purpose of the transfer, when and where you are transferring the data and how you do so, and looking at this in conjunction with your contracts, projects and plans for the coming 18 months. You also need to factor in where you have got to in the last 11 months re your Schrems ii remediation – it may be that you have just executed 30 different Transfer Risk Assessments backed up by old SCCs and related supplementary measures. You might not be in the mood therefore to look at the new SCCs for a while. We do also wait with baited breath for the European Data Protection Board (EDPB) to finalise their Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data after the EDPB’s Plenary session on 18 June 2021.

It may be however that other parties spoil even your best laid plans by putting in motion signing up to the new SCCs before you had planned (e.g. we do expect some of the big Cloud, SaaS and PaaS players to be updating their contracts sooner rather than later).

Can we use these new SCCs for extra UK and extra Swiss transfers?

It will take some thought to determine the best strategy, particularly as we are yet to hear what the UK and Switzerland plan to do. We may find ourselves in a position after 27 September 2021 of still having the old SCCs for extra UK and extra Swiss transfers and the new SCCs for extra EEA ones! That is not a place any of us hope to be and thankfully the ICO stated at the Data Protection Practitioners’ Conference on 5 May 2021, that they will be consulting on the UK SCCs in “Summer 2021”, and there is also the expected announcement from the Department for Digital, Culture, Media and Sport, again in “Summer 2021”, on the recognition of transfer tools from other countries, where the example given was the EU SCCs.

As for Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) has adopted the EU SCCs as a valid transfer mechanism in the past, and given that the Swiss adequacy status is under review - along with all other countries that were granted EU adequacy under the pre-GDPR regime (albeit currently postponed in light of the Schrems ii decision) - many feel that the FDPIC will not rock the boat as they will want to demonstrate their equivalent protections. Therefore, it is likely the new SCCs will be approved for use for data flowing from Switzerland to countries outside the EEA or third countries with no adequacy decision.

The quirk of Recital 7

One quirk that has been getting a lot of attention is Recital 7 which appears to say that if the data importer is outside of the EEA but subject to the GDPR (by virtue of Article 3(1) and or Article 3(2) GDPR) then the new SCCs cannot be used. What can this possibly mean? Is this saying as both parties are subject to the GDPR then there is no international transfer? It would be a brave person who runs with this analysis, as to follow it through to its natural conclusion anyone who is subject to the GDPR would not require any transfer mechanism – and that just doesn’t sound right at all! It will be interesting to watch how practice develops in this area; although similar guidance from the ICO relating to their definition of “restricted transfers” did not result in an avalanche of brave first adopters saying there was no need for international transfer protections in situations x y and z. We suspect the same may be the case here.

What should I do now?

The key message here is pause, take stock of where you are and what your plans are before taking action. Here are some things you might like to consider, but it is by no means an exhaustive list.

1. Familiarise yourself with the new SCCs and understand where any risk lies for your business. You also need to think through some of the practical considerations, policies and processes you have or will need to enable data subjects to effectively exercise their rights (clause 10), e.g. how will you comply with the new transparency requirements (clause 8)? Will you make use of the docking clause (clause 7)? If so, what is the process you will use to do so? Anyone acceding to the new SCCs needs to complete the Appendix and sign Annex I.A, where and how will you store this information in order to do so?

2. If you haven’t already done so, identify your contracts that rely on the old SCCs so you can make an informed decision on what the next steps are. Ask yourself are there any plans to change the processing in the next 18 months? If not, do you need to update the old SCCs? Do you have a business wide policy on whether to adopt now or at a later date? Do you need to involve your Risk and Compliance Team in any decision-making process? Do you have a mechanism in your contracts that will allow you to easily switch over to the new SCCs? If not, how do you plan to approach this? Be sure to prioritise the decisions in relation to your contracts where the greatest risk lies or those that are due to be concluded in the 3 months from 27 June 2021, i.e. by 27 September 2021. Consider whether you’d prefer the old SCCs or new SCCs and how that might impact your negotiating position. Is being in a hurry to conclude the contract to beat the deadline for the change in SCCs more or less favourable to you, or does it not matter?

3. Annex I.B deals with the description of the data transfer and Annex II with the technical and organisational measures, which must be specific and not generic. Often in practice these sections are left to the last minute - or are overlooked in favour of agreeing the substantive provisions of the contract - but to do so would increase your risk if things do go wrong, therefore it is worth considering this properly.

4. If you are outside of the EEA it might be prudent to undertake an analysis of local laws in order to make it easier to comply with clauses 14 and 15 of the new SCCs (where the Schrems ii provisions reside). Such an approach makes it easier for an EEA data exporter to sign on the dotted line, safe in the knowledge that the Schrems ii issues have been addressed and resolved. It is worth familiarising yourself with footnote 12 in clause 14 as it provides additional guidance on the factors that could be considered as part of the compliance assessment, e.g. prior instances of requests for disclosure from public authorities, or indeed the absence of such requests, covering a long enough time-frame to make them representative. It will be interesting to see how this fits with the final EDPB recommendation as the draft version seemed to imply this information would not be taken into account. Hopefully we’ll have more clarity on this in the coming weeks when the final version is published.

5. Keep a watching brief on regulatory developments in the UK and Switzerland and also be mindful of the EU adequacy decision for the UK which will need to be decided one way or the other before the bridging provision falls away on 30 June 2021.

6. It is clear, even from this list, you will need to factor in time, budget and resource to make the necessary changes at the point in time that is right for your business. 

As we all get to grips with what the new SCCs mean for our businesses and the different approaches that we might take, we are holding an In-House Data Club on 30 June at 4.00pm to virtually get together and share ideas and approaches. We would be delighted if you can join us. You can sign up here. If you have any particular questions you’d like answered please feel free to email us at events@lewissilkin.com and we’ll do our best to answer as many of them as possible during the webinar.

In the meantime, if we can be of any assistance please contact Alexander Milner-Smith in the first instance.