European Commission Implements Updated Standard Contractual Clauses for Cross-Border Transfers and New Standard Contractual Clauses for Controller and Processor Relationships - Part I of II: Cross-Border SCCs

PDF

On June 4, 2021 the European Commission (“Commission”) implemented two sets of standard contractual clauses (“SCCs”). One set governs cross-border transfers of personal data (“Cross-Border SCCs”) and seeks to align the SCCs with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), the Court of Justice of the EU’s (“CJEU”) Schrems II decision, and today’s functional business realities. The second set of SCCs sets forth standard contracting provisions between controllers and processors to align with the requirements of Article 28 of the GDPR (“Controller-Processor SCCs”). In Part I of this client alert, we’ll answer some key questions about the Cross-Border SCCs. In Part II, we’ll cover the Controller-Processor SCCs.

Q: What are the Cross-Border SCCs?

A: The Cross-Border SCCs provide legal safeguards for transfers of data from the EU to third countries pursuant to the GDPR. They contain largely immutable model language that has been approved by the European Commission as sufficiently protecting the interests of individual European data subjects when their personal data is transferred internationally. The Cross-Border SCCs issued on June 4, 2021 replace older versions of cross-border SCCs (“Old SCCs”) that predated the GDPR. Companies that transfer personal data from the EU or import personal data from the EU will likely need to implement the Cross-Border SCCs into applicable customer and vendor agreements unless they are covered by an alternative safeguard, such as binding corporate rules.

Q: How do the updated Cross-Border SCCs differ from the previous ones?

A: Two of the most significant revisions to the Old SCCs seek to address modern processing realities, the requirements of the GDPR, and the impact of the CJEU’s Schrems II decision.

The Old SCCs addressed data importing and exporting relationships between two controllers or between an exporting controller and an importing processor. They failed to address scenarios where EU processors exported personal data to subprocessors in countries outside the EU, and they also did not address scenarios where a processor in the EU received personal data from a non-EU controller. The Cross-Border SCCs provide modules to encompass additional transfer arrangements: from one controller to another, from a controller to a processor, from a processor to a controller, and between processors.

The updated Cross-Border SCCs also incorporate additional safeguards in accordance with Article 46 of the GDPR and in response to the CJEU’s 2020 Schrems II decision, which invalidated the legality of the EU-US Privacy Shield as a legal mechanism to transfer data from the EU to the U.S. While Schrems II affirmed the continued viability of the Old SCCs, the decision required a case-by-case assessment of the adequacy of protections offered by the importing countries’ privacy laws. Correspondingly, the Cross-Border SCCs require the parties to ensure that the laws of the third country do not prevent the data importer from fulfilling its obligations under the Cross-Border SCCs and to notify the exporting party in the event of a government request to access EU personal data. They also require separate evaluation and documentation of “the length of the processing chain, the number of actors involved and the transmission channels used,” “the economic sector in which the transfer occurs,” and “the storage location of the data transferred,” among many other elements.

Q: Who is responsible for incorporating the Cross-Border SCCs into contracts?

A: The data exporter, which could be a controller or a processor, is ultimately responsible for replacing the Old SCCs in existing agreements and implementing the Cross-Border SCCs into new agreements. However, data importers must be prepared to provide key information in order to make the Cross-Border SCCs executable, including the technical and organizational measures implemented to protect personal data and the identity of sub-processors. Data importers must also work with data exporters to evaluate and document the items described in the prior answer. Both data exporters and data importers are liable to each other and to any impacted data subjects under the Cross-Border SCCs. As a result, both data exporters and importers should consult legal counsel in connection with their integration and adoption of the Cross-Border SCCs to fully understand their responsibilities and liabilities.

Q: How long do companies have to implement the new clauses into applicable agreements involving cross-border data transfers?

A: Companies can begin implementing the Cross-Border SCCs into agreements starting on June 27, 2021. The Old SCCs can be incorporated into new agreements until September 26, 2021. On September 27, 2021 the Old SCCs will be repealed. Companies still relying on the Old SCCs in existing agreements will then have until December 27, 2022 to replace the Old SCCs with the Cross-Border SCCs in all applicable agreements.

Q: What should companies do next?

A: Identify the data transfer module(s) appropriate to the company’s internal and external cross-border transfer activities, assess the company’s capacity to undertake the requirements of the Cross-Border SCCs, and remediate any identified deficiencies. Develop or refine documentation that will facilitate the incorporation of applicable Cross-Border SCC modules into new agreements within the next three months. Develop a plan to replace and re-execute existing data transfer agreements with both vendors and intra-group affiliates over the next year and a half.