The European Commission, by its decision 2021/914/EU of 4 June 2021, has adopted new standard contractual clauses ("SCCs") for the purposes of article 46 of the European Union's General Data Protection Regulation (the "EU GDPR").
We take a look at the new clauses and how they apply to international transfers under the GDPR in this article.
What are the new SCCs?
Organisations that are subject to the EU GDPR cannot transfer personal data to organisations located in countries or territories outside the European Economic Area (the "EEA") that do not ensure, at least for the relevant sector, an adequate level of protection within the meaning of article 45 of the EU GDPR (i.e., for which there is no adequacy decision from the European Commission), unless they implement "appropriate safeguards" within the meaning of article 46 of the EU GDPR (unless a derogation applies). The SCCs adopted by the European Commission are the most widely used "appropriate safeguards" today.
The SCCs are considered "appropriate safeguards" (making up for local laws viewed as inadequate by the European Commission) because (i) they saddle non-EEA organisations with contractual data protection obligations and (ii) contain a third party benefit clause whereby data subjects can sue in Europe these non-EEA organisations in breach of contract when they fail to abide with such contractual data protection obligations.
When will they replace the previous SCCs?
The previous SCCs, which resulted from the European Commission's decisions 2001/497/EC and 2004/915/EC (for controller-controller relationships) and decision 2010/87/EU (for controller-processor relationships), will be formally repealed on 27 September 2021. It will not be possible to include them in any data transfer agreement executed as from 27 September 2021.
Data transfer agreements containing the previous SCCs executed before 27 September 2021 will continue to provide appropriate safeguards until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards. They will have to be amended and replaced with the new SCCs by 27 December 2022.
Between whom can the new SCCs be used?
The new SCCs work for different types of relationships:
- a EEA controller - non-EEA controller relationship (which was formerly addressed by the SCCs set out in decision 2001/497/EC as modified by decision 2004/915/EC);
- a EEA controller - non-EEA processor relationship (which was formerly addressed by the SCCs set out in decision 2010/87/EU);
- a processor - non-EEA sub-processor relationship (which was not formerly addressed by the SCCs set out in decision 2010/87/EU, which could be signed by the processor only if it had a power of attorney from the controller);
- a EEA processor - non-EEA controller relationship (which was not previously addressed by the former SCCs).
What's new in these SCCs?
The new SCCs saddle non-EEA controllers and processors with more obligations, notably in terms of information to be provided to data subjects, reporting of personal data breaches and onward transfers outside the EEA. They require the data importer to assess and declare that the laws and practices in the third country of destination, including any requirements to disclose personal data or measures authorising access by public authorities, do not prevent the data importer from fulfilling its obligations under the SCCs. They also contain a "docking clause" whereby additional parties may accede thereto.
Are they also relevant under the UK GDPR?
The new SCCs do not work for the purposes of article 46 of the "UK GDPR" (i.e., the EU GDPR as retained in the laws of the United Kingdom further to the European Union (Withdrawal) Act 2018). The previous SCCs must continue to be used by entities subject to the UK GDPR. The ICO (the UK's data protection supervisory authority) confirmed in the Data Protection Practitioners' Conference 2021 that it is working on new SCCs that will be specific to the UK.
What should organisations do next?
Organisations subject to the EU GDPR and/or the UK GDPR should therefore consider (i) updating their data protection addendum template with the new SCCs in view of using it in any new contract as from no later than 27 September 2021 and (ii) executing variation agreements including the new SCCs in respect of any existing data transfer agreement no later than 27 December 2022. This requires first identifying and mapping international transfers and arrangements in place, and starting conversations with contracting parties (including affiliates, service providers, partners…) with whom a data transfer agreement is already entered into or is about to be entered into.
If you have any questions about the new standard contractual clauses, contact Danhoé Reddy-Girard or Jocelyn Paulley.