The much-awaited update to the standard contractual clauses ("SCCs") came last month when the European Commission published a draft implementing decision on new SCCs. By way of a quick reminder, international SCCs are one of the mechanisms organisations can use under the GDPR to transfer personal data to a third country (i.e. a country outside the UK and the European Economic Area that does not benefit from an adequacy decision of the European Commission). Given the relatively low burden of implementation, they are a tool frequently used by organisations across all sectors.
The new international SCCs were updated to better reflect the use of new and complex processing operations involving multiple parties, complex processing chains and evolving relationships. The implementing decision, once officially adopted, will repeal all current international SCCs and provide organisations with a one year grace period to implement the new SCCs.
The Commission also published new model Article 28(3) clauses, which serve as an example of how organisations can fulfil the requirement to have contracts with processors that contain the terms required by Article 28(3) GDPR.
We discuss the key takeaways for organisations in this article.
Data Transfer Coverage
The new SCCs adopt a modular approach enabling data exporters and importers to choose the set of terms that is relevant to their specific transfer. The new SCCs now cover four different potential data transfer scenarios: (i) controller-to-controller; (ii) controller-to-processor; (iii) processor-to-processor; and (iv) processor-to-controller.
By way of clarification, a "processor-to-controller" transfer refers to a scenario where a non-EEA controller (which will include a UK controller after the end of the Brexit transition period) appoints an EEA processor to process non-EEA or EEA data, which the EEA processor then transfers back to the non-EEA controller.
The new SCCs contain what is referred to as a "docking clause" which allows a third party to subsequently accede to the SCCs. This is, at least as a concept, a helpful mechanism as it should limit the number of separate contracts that organisations enter into.
Breach Reporting Requirement on Non-EEA Controllers
The new SCCs impose an express obligation on non-EEA controllers acting as data importers to notify EEA supervisory authorities of their personal data breaches. This obligation applies irrespective of whether the GDPR itself applies to the non-EEA controller.
It is clear that the new SCCs take into account the decision of the Court of Justice of the European Union ("CJEU") in Schrems II earlier this year and the requirements it imposes on transfers of data to a third country (see our latest guidance on this). For example, the parties warrant that they have no reason to believe that the laws of the third country prevent the data importer from fulfilling its obligations under the SCCs. Furthermore, the data importer warrants that it will use best efforts to provide the data exporter with the information relevant to assessing the third country's laws, and must promptly notify the data exporter if circumstances change such that the data importer can no longer fulfil its obligations.
Flow Down of Audit Rights for Controllers
In a processor-to-processor scenario, the controller's audit rights flow down the processing chain. In other words, any sub-processor can be audited directly by the controller, not only by the processor that instructs it. In practice, there may be little appetite either from sub-processors to be audited by the ultimate controller or from controllers to extend their audits down the processing chain (unless audits of the actual services being provided already follow the same pattern).
One Year Transition Period
Organisations will have a one year transition period, running from the decision that finally adopts the SCCs, in which to implement the new international SCCs. Controllers and processors should therefore start preparing now for this time-consuming re-papering exercise by mapping all data flows from the UK (both to the EEA and to third countries) to determine which of the four modules of the SCCs they will need to implement once the final SCCs are adopted. Beware that if an existing contract is amended during the transition period, the new SCCs must be used from that point. For controllers in the UK, we will have to wait for the outcome of the Brexit discussions: the SCCs are highly unlikely to be adopted before the end of the transition period, so it will be for the ICO to decide whether UK controllers need to carry out that exercise.
Article 28 Clauses
In addition to the draft international SCCs, the European Commission also published, in draft form, processor clauses between a controller and a processor for the purposes of Article 28 GDPR. As a reminder, where a controller appoints a processor, the parties must have in place a contract containing the terms specifically required by Article 28(3) GDPR. The use of these SCCs is purely voluntary, and organisations that already have an existing set of processor clauses which comply with Article 28 may continue to use them.
Actions you can take now
Overall, the new SCCs are a much-needed update to the existing SCCs, which were created under the previous data protection regime (indeed they still refer to the former EU Data Protection Directive), and a recognition of the increasingly complex international flows of data. However, with the end of the Brexit transition period looming, it is not yet clear how the new SCCs will apply in the UK. The ICO has stated that it is currently reviewing the new SCCs. The regulator's message to organisations for now is to take stock of the international transfers they make and to update those activities as guidance and advice become available. Our recommendation is to map all your data transfers from the UK to Europe or third countries, and from Europe to third countries, and identify where SCCs are currently in place, so that once the new SCCs are made available, and post-Brexit, the required changes can be made promptly.