For organisations needing to transfer data internationally, Standard Contractual Clauses (SCCs) are one option for staying compliant with the GDPR. But following the Schrems II ruling last summer, SCCs have been upgraded. In the third blog in our series on the CJEU ruling, Sarah Clarke looks at what’s changing for SCCs.
SCCs are one of the GDPR Article 46 legal tools used to protect transfers of EU personal data to countries without an existing EU data adequacy decision. (The others are binding corporate rules (BCRs); codes of conduct; certification mechanisms; and ad hoc contractual clauses.)
The clauses are intended to provide standardised clarity about benchmarks and requirements for data protection between data exporters and importers. The EU Commission has approved standard wording, and supervisory authorities in member states have created and approved versions reflecting the same level of protection.
These are the current EU versions:
- EU controller to non-EU or EEA controller
- EU controller to non-EU or EEA processor
The EU-approved wording was last updated in 2010 and as the links show, they cover a limited range of processing relationships.
Why are things changing?
When Safe Harbor was officially invalidated for transfers of EU data to the US back in October 2015, maybe yours was one of the businesses that moved to Standard Contractual Clauses and never moved on to Privacy Shield. Even back in July 2016, many rightly saw the writing on the wall, because it remained a self-assessed compromise for data protection adequacy against an increasingly politicised data processing backdrop.
Contrary to the impression given by some reporting, Standard Contractual Clauses were the real focus of the Schrems II case. Max Schrems argued that SCCs could never close the adequacy gaps. The court conceded that gaps existed, primarily around routes for redress if an EU resident found that a US firm had breached requirements in the GDPR. This specifically focused on Executive Order 12.333 and FISA 702.3 as basis for warrants to obtain personal data relating to EU citizens. We wrote more about that history in our blog at the time. Privacy Shield was not entirely unexpected collateral damage.
To partially address that, the SCCs have been upgraded. The revision was overdue. The existing SCCs still refer to the 1995 Data Protection Directive (Directive 95/46/EC), which was the predecessor to the GDPR.
Many felt that the rewrite was delayed by the new Schrems case, then by data protection uncertainty linked to the Brexit referendum, and finally by prevailing politics in the US. Timing of the consultation did nothing to refute that. The rewrite was issued on the 12th November and consultation ended on 10th December 2020. The finalised and approved documents are expected shortly.
If importing countries don’t have an EU adequacy decision, another suitable Article 46 basis for transfer, or an Article 49 derogation, organisations will need to use SCCs. (See step three of the European Data Protection Board’s roadmap on the infographic that shows its key recommendations.)
Whatever the required control, we need to ensure importer data protection is ‘essentially equivalent’ to protection afforded inside the EU. When it’s been established that SCCs are the best contractual control, with or without supplementary measures (EDPB roadmap, step 5), what has changed?
How have SCCs changed?
More processing relationships – The new Standard Contractual Clauses now provide contractual obligations for four different processing relationships:
- Controller to controller
- Controller to processor
- Processor to processor
- Processor to controller.
This lets you pick the version that best fits your supply chain, and it allows a new processor to be added to an existing agreement if multiple third parties are subject to the same terms for a given processing purpose.
One ‘pick your own processing adventure’ – As so much of the SCC text is duplicated, the new version highlights which version of the content you should choose to suit your processing relationship. This will work well with a lot of contract management systems.
Shared liability – The question of liability and how to split that between parties is always at the forefront of legal minds. The new SCCs help. For instance, in most scenarios, especially where you have joint data controllers, it can be tricky to pin down accountability for subject rights request management, incident notification, privacy notices, and similar things. The exporter must be duly diligent in understanding importer control capability, but the importer is liable for continued capability and ongoing delivery of protections it contractually agrees to put in place.
National security and law enforcement access – Given the basis for invalidating Privacy Shield, it’s not surprising that the SCCs explicitly address government and law enforcement requests for access. All parties will need to be clear about the impact of a third country’s laws on the ability to honour contractual requirements.
Supplementary measures – We talked about extra controls needed if default SCC content is not enough. The new SCCs leave space to include those. Placeholders include certification, internal and external IT governance, pseudonymisation, encryption, data minimisation, testing requirements, and physical security.
EDPB recommendations and our 20th January webinar will provide you with more on those potential controls.
When should you switch?
EU-US – New SCCs will be valid for all new agreements as soon as they are issued. Pre-existing SCCs remain valid for one year from the date the new SCCs are finalised. Use your Transfer Impact Assessment to prioritise a shift to the new contractual clauses, or to a new Article 46 or Article 49 basis for the specific transfer. Ensure you assess whether SCCs, BCRs, or other tools are enough to offer ‘essentially equivalent’ control. If they are not, you will need supplementary measures, or to prioritise assessment of alternatives for the processing.
With the very specific focus on EO 12333 and FISA 702.33 and related routes for redress, there may be a geopolitical solution, or a new iteration of a Privacy Shield type compromise, but we should not rely on that.
EU-Other third countries, including the UK – The same principles apply to all other third countries. Existing agreements should be changed to new SCCs, or to different transfer tools, over the course of the year, adding supplementary measures where required. A big challenge for all firms is assessing the ‘essential equivalence’ of each importing country to work out how much contractual, technical, or procedural control is enough. BH Consulting can support you to do that and to prioritise all changes.
The EU has allowed the UK four more months of data transfers from the EU under pre-transition adequacy terms. This comes with an optional two-month extension. After that point, if there is no new adequacy decision, transfers to the UK will need to use the new SCCs or another legal transfer tool. Planning for that should have already begun.
What else do you need to know?
If SCCs are the right way for you to go (either the old ones now, or the new ones later), you need to understand the nature of your processing. You can start with your Record of Processing Activity, or we can help you pull that together. It is an Article 30 GDPR requirement to keep a list of all your EU data processing. If you have that already, it will help enormously. Your next critical step is to do a Transfer Impact Assessment to understand the kind of international transfer tools and supplementary measures you might need to keep the whole thing rolling.
Our free webinar on practical international data transfer management in a Post-Schrems II world will go into more detail on SCCs. There are limited places still available for the event, which will take place on January 20th. It will also cover some specifics about supplementary measures required if SCCs are not enough. Sign up to find out more, or if you want to discuss how we can help you, please email [email protected]