European Commission adopts new sets of standard contractual clauses

On June 4, 2021, with Decision (EU) 2021/914,[1] the European Commission adopted new sets of Standard Contractual Clauses regulating the transfer of personal data to third countries under Regulation (EU) 2016/679 (General Data Protection Regulation, or “GDPR”) (“New SCCs”).[2]

  1. The background behind the New SCCs

The standard contractual clauses are standardized and pre-approved data protection clauses that can be incorporated into contractual arrangements on a voluntary basis. These easy-to-implement tools facilitate compliance with data protection requirements.

Under Article 46 GDPR, the Commission may adopt standard contractual clauses as safeguards for transfers to third countries. A similar mechanism was provided under Directive 95/46/CE and implemented by the EU Commission Decisions 2001/497/EC, 2004/915/EC, and 2010/87/EU.

The adoption of new sets of standard contractual clauses has been on the agenda of the European regulators since the approval of the GDPR and, until June, the Standard Contractual Clauses adopted under Directive 95/46/CE remained in force only provisionally under a mechanism provided under Article 46(5) GDPR.

The Schrems II judgment[3] issued by the Court of Justice of European Union (“CJEU”) laid bare the weaknesses of the Standard Contractual Clauses adopted under Directive 95/46/CE when it came to providing sufficient safeguards for data transfer in the revised framework resulting from the entry into force of the GDPR. After that decision, adopting new sets of standard contractual clauses became truly urgent.

  1. Key points

The New SCCs address the realities currently faced by modern European businesses and attempt to address some of the critical issues raised by operators under the previous regime. The key points to note are the following:

  • Modular approach. The Commission adopted a very flexible approach by providing a single entry-point covering a broad range of transfer scenarios rather than separate sets of clauses. The New SCCs are made of different subsets of clauses governing different situations (controller-to-processor, controller-to-controller, processor-to-processor, and processor-to-controller data transfers) that the parties may select in accordance with the specific situation they intend to govern.
  • Transfer impact assessment. The New SCCs incorporate the impact assessment mandated by the CJEU in the Schrems II judgment to assess whether the law of the country of destination may interfere with the functioning of the New SCCs. Additionally, they give an overview of the different steps companies must take and provide examples of possible “supplementary measures” that they may adopt to mitigate this eventuality (such as encryption).

In particular, the New SCCs prompt data exporters to consider the following criteria when assessing the impact of a data transfer: (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and transmission channels used, planned onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal data, the economic sector in which the transfer occurs, and the storage location of the data transferred; (ii) the laws and practices of the third country of destination relevant in light of the specific circumstances of the transfer and the applicable limitations and safeguards; (iii) any relevant contractual, technical, or organizational safeguards put in place to supplement GDPR requirements, including measures applied during transmission and to the processing of the personal data in the country of destination. These criteria are further detailed in the annexes, to be completed with specific information from the parties to the New SCCs.

Notably, the New SCCs impose a duty of cooperation on the data importer with regard to providing the information needed to carry out the transfer impact assessment.

  • Onward transfers. The New SCCs introduce the possibility for importers to disclose imported personal data to other entities located in non-EU countries, following the rules established in said New SCCs. By doing so, the Commission has addressed one of the main gaps that businesses pointed out under the previous regime—an issue that was particularly sensitive when complex processing chains were involved.

Specifically, onward transfers are allowed only if the third party agrees to be bound by the New SCCs or one of the exceptions listed by the New SCCs applies. For instance, in controller-to-controller relationships, onward transfers are allowed with the specific and informed consent of the data subject, provided that the data importer informs the data exporter about it and, at the request of the latter, transmits to it a copy of the information provided to the data subject.

  • Docking clause. The New SCCs provide that an entity that is not party to the clauses may access them with the agreement of all the other parties. This is particularly useful for intra-group transfers relying on the New SCCs, and especially when new group companies are being created or acquired.
  • Possibility to amend the New SCCs. The Commission allows business operators to include the New SCCs in wider contracts and/or supplement them with other clauses or additional safeguards, providing that they do not contradict, directly or indirectly, the New SCCs as approved by the Commission, nor prejudice the fundamental rights or freedoms of data subjects. However, in case of contradiction, the New SCCs shall prevail.
  1. Entry into force and transitional periods

The New SCCs entered into force on June 27, 2021, or 20 days after their publication. Nevertheless, to allow businesses time to change their data transfer schemes, the Commission provided two transitional periods:

  • The “old” SCCs will remain provisionally in force for three months, until September 27, 2021.
  • Data controllers and processors currently relying on the “old” SCCs in relation to contracts entered into before September 27, 2021, will have an additional period of 15 months (i.e., by December 27, 2021) before they must switch to the New SCCs.
  1. Final remarks

The Commission adopted these New SCCs to foster the development of European businesses while keeping an eye on the protection of citizens’ personal data. Nowadays economic development is closely linked to data, meaning that the more data flows the more businesses can improve their products. However, first the entry into force of the GDPR and then the whole Schrems saga left a legacy of uncertainty in terms of how to ensure an adequate level of data protection when data transfers are involved.

Certainly, some points still need clarification. It seems likely that market practice and supervisory authority case law will be needed to clarify them. Nevertheless, adoption of the New SCCs is a major milestone for companies seeking to exchange personal data with other businesses safely and in compliance with GDPR requirements.

[1] Please refer to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.

[2] On the same date, the Commission issued a new set of SCCs regulating contracts between controllers and processors (see Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0915&locale-en.)

[3] Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems case (Case C-311/18).

Indietro
Seguici su