On Friday 4 June 2021, the European Commission published the final version of its long-awaited standard contractual clauses for transferring personal data outside of the EEA (SCCs). It also published its template clauses for transfers between controllers and processors within the EU/EEA, which, confusingly, are also referred to as standard contractual clauses. However, this briefing focuses solely on the SCCs for international transfers.
1. Key changes
Following the publication last November of draft versions of the SCCs for consultation, the Commission received a large quantity of feedback (nearly 150 submissions). In response, it has made some relatively significant amendments, including:
- extending the timing of the grandfathering (see below);
- in relation to Schrems II transfer impact assessments (TIAs), giving a greater role to the parties’ practical, subjective experience in evaluating the impact of local laws/practices on the ability to comply with the SCCs. An additional footnote details the approach the parties should take to such an assessment and outlines how subjective experience (such as an absence of public authority requests) could be documented and combined with objective evidence (e.g. through corroboration with publicly available information); and
- adding detail in a number of other provisions, notably in relation to transparency obligations, audit and assistance with data subjects’ requests, and in the Annexes.
The new SCCs have been produced to reflect both the GDPR and the impact of the Schrems II decision last summer and will be welcomed by organisations as the first finalised and concrete regulatory response to that judgement. The Commission is keen to emphasise the benefits of the clauses, including the fact that they are a ‘single entry point’ covering a broad range of scenarios (rather than the current separate sets) with different modules allowing organisations to ‘mix and match’ clauses depending on the nature of the transfer. The new SCCs also provide for transfers not covered by the current clauses (e.g. EEA processor to non-EEA sub-processor or EEA processor to non-EEA controller) and can be entered into by more than two parties. The Commission describes them as a ‘practical toolbox’ to comply with the Schrems II decision, with examples of ‘supplementary measures’, such as encryption, that companies may take if necessary. However, further insight on the requirements for organisations in relation to these supplementary measures (and TIAs) will likely come from the finalised European Data Protection Board (EDPB) guidance (discussed below).
2. When to use the new SCCs
The new SCCs will come into force on 27 June 2021, 20 days after the publication of the Commission’s implementing decision in the EU’s Official Journal. The current SCCs will only be repealed 3 months after this, on 27 September 2021, allowing organisations to continue using them during this period. They may also continue to be relied on for a further 15-month period, until 27 December 2022, but only for the performance of contracts entered into before the 27 September 2021 repeal date and provided that:
- the processing operations that are the subject matter of the contract remain unchanged; and
- reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of the EU GDPR.
Organisations will therefore have a maximum of 18 months from the new SCCs coming into force to replace their previously executed SCCs with the new versions, in what will be, for some, a substantial repapering exercise. If the underlying contract is amended sooner, or if any sub-contracting occurs, the new SCCs will need to be put in place at the same time.
3. What about the EDPB guidance?
The new SCCs should soon be followed by the final version of the EDPB guidance on the supplementary measures organisations need to carry out to bolster the protection for data transfers following Schrems II. At the draft stage there was some clear divergence between the EDPB’s and the Commission’s approach to these supplementary measures. However, recent reports suggest that the two bodies have been coordinating to reach a more aligned position which may give some comfort to those looking to give effect to the SCCs.
We understand that an updated draft of the EDPB guidance may be published later in June which should complete the EU’s post-Schrems II response.
4. Transfers out of the UK
Organisations subject to the UK GDPR have longer to wait for their updated standard contractual clauses: at its annual conference in May the ICO suggested that the UK’s version of the SCCs would be published for consultation this summer.