The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course.
Companies will only be able to enter into new agreements containing the old SCCs until 26 September 2021, and all contracts using the old SCCs concluded before then will need the new SCCs incorporated by 27 December 2022. Companies therefore need to decide when, and how, they will roll out the new SCCs.
When they do, companies may want to pay close attention to the European Data Protection Board’s (“EDPB”) final guidance on supplementary measures that can be combined with the SCCs (and other transfer mechanisms) to ensure “essential equivalence” where laws in the receiving jurisdiction might impinge on the protections the SCCs give.
What do you need to do?
As a quick reminder, the developments in large part flow from last year’s Schrems II decision by the Court of Justice of the European Union. Schrems II invalidated Privacy Shield. As we wrote at the time (see our blog posts here and here), the rationale of Schrems II threatened to also undermine other existing transfer mechanisms such as the SCCs. The world has therefore been waiting for updates to the SCCs to address those challenges.
Post-Schrems II, a one-size-fits-all approach to cross-border transfers poses significant enforcement risk and – looking ahead – may be a catalyst for private litigation. To help minimize those risks, companies should consider the following steps now that the new SCCs have been issued.
- Secure adequate resources. Many organizations, but particularly data processors providing services across borders (who are likely to be party to a large number of agreements using the old SCCs), will need to devote significant additional resources to be able to review and revise pre-existing agreements incorporating the SCCs. Administering and maintaining the SCCs will also be more burdensome on an ongoing basis, given increased focus on data processing supply chain accountability and the need to keep data transfer impact assessments (“DTIAs”) up-to-date.
- Map cross-border data transfers. The EDPB recommends that companies map all cross-border data transfers as a starting point. Many companies will have already done this, at least in part, for their records of data processing. Those mapping exercises may need to be updated, though, to address certain key issues:
First, to ensure all cross-border transfers are captured. The EDPB guidance stresses that remote access to data from outside the EU is a cross-border transfer even if the data remains hosted in the EU. Companies should therefore confirm that remote access transfers are captured accurately.
Second, to capture onward data transfers to (or within) third countries by data importers. The new SCCs explicitly state that companies must take into account onward transfers when conducting the mandatory DTIA. Having an accurate understanding of where data goes after a company has transferred it to the data importer is therefore key. This would be relevant, for example, to a U.S. parent company which receives EU personal data from a European subsidiary using the SCCs and needs to make an onward transfer to a third-party vendor in the U.S.
Third, to ensure that existing controller/processor/joint-controller designations remain accurate. The previous lack of processor-processor SCCs may have led some companies to designate themselves (or the recipient) as a data controller so they could use the old SCCs to make transfers to third countries. The new SCCs introduce processor to processor (and processor to controller) SCCs. Companies will want to be sure they are putting the right clauses in place when renewing agreements.
- Review transfers. Heightened compliance requirements, coupled with increased regulatory and legal risk, may mean some companies choose to limit their cross-border transfers. Companies should review their current cross-border transfers and determine whether any transfers to third countries can be avoided entirely or the volume of data transferred reduced. To use the SCCs, companies will need to conduct DTIAs. Reducing the number of transfers and the volume of data transferred will streamline that (ongoing) process. It will also help companies ensure that they meet their data minimization obligation.
- Conduct DTIAs. The new SCCs require companies to perform a DTIA to determine whether law and practice in the receiving jurisdiction would prevent the data importer from meeting its obligations under the SCCs (Clause 14). Following Clause 14’s plain wording and the EDPB guidance, there is greater scope for subjective considerations than originally envisaged. According to the EDPB guidance, the assessment should be made “in the context of your specific transfer” and therefore can take into account the fact that, in some cases, there may be “no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer”. DTIAs will need to be documented, and reviewed periodically and/or when laws and practices change in the receiving jurisdiction.
- Assess and implement supplementary measures as necessary. Where the DTIA reveals that local laws and practice might impinge on the protections given by the SCCs, companies will need to determine whether supplementary measures can be put in place to ensure personal data is adequately protected. These can be a combination of organizational, contractual and technical measures and companies may find it helpful to consider what may be appropriate against the EDPB guidance.
Again, this will be a dynamic process. The EDPB guidance stresses that what is currently sufficient to safeguard data might not be in the future. For example, encryption that prevents foreign governments from accessing personal data now might not do so in the future, as quantum computing or other technical developments could call into question the durability of that encryption.
In many cases though, supplementary technical measures may overlap with the controls many companies are increasingly trying to impose on vendors to help guard against the increasing threat of supply chain attacks. This is also reflected by the fact that the new SCCs’ security measures section requires controller-processor agreements to list the specific data security measures implemented by the processor and its sub-processors.
When deciding when to start this process, it is important to keep in mind that, despite the new SCCs only having to be used from 27 September 2021 onwards, and agreements in place by that date being able to contain the old SCCs until 27 December 2022, transfers under the old SCCs without any supplementary measures may draw regulatory scrutiny. Data protection authorities across the EU have already commenced enforcement action against companies using the old SCCs, including those using the well-known vendors Cloudflare and MailChimp. That scrutiny looks only set to continue.
For the time being, the new SCCs cannot be used for transfers to third countries from the UK as they have not been approved as a valid cross-border transfer mechanism by the UK government, adding to the complexity of the issues outlined above where transfers are taking place from both the EU and the UK. Revised UK SCCs are expected later this year.